A Quick and Easy Guide to the New Privacy Laws and How to Stay On Top of Them
If there’s one characteristic that defines the realm of data privacy, it’s change. With digital technologies expanding in their scope and capabilities worldwide, the laws needed to help protect customer data are continually evolving in a bid to keep up.
Data privacy laws may have started out as a way to help secure high-risk activities such as banking and healthcare, but they now cover everything from day-to-day shopping to streaming services. While that’s undoubtedly a positive thing for customers, when it comes to the businesses serving these customers, staying data-compliant can get very tricky, very quickly.
Complicating things further is the fact that data privacy laws differ depending on the territory you’re operating in. With failure to apply the correct privacy laws leading to possible fines, lawsuits, and even the closure of websites in certain territories, it’s crucial that businesses stay on top of their data privacy requirements.
To help keep you ahead of the curve, we’re going to take a look at some of the more important privacy changes that are coming into effect in 2023.
Overall Changes to Data Privacy
Before we look at specific changes by territory, let’s take a look at how the general data privacy climate is changing.
Over the short to medium term, data privacy isn’t going to get any simpler or more uniform. With new laws and structural changes continuing to complicate the landscape, businesses will need to adopt an increasingly dynamic and forward-thinking approach in order to remain compliant. While privacy laws will ultimately evolve into a more consistent and predictable framework, you’d be best advised not to hold your breath for that.
Increased Customer Awareness
Data privacy issues have firmly entered the mainstream consumer consciousness and will only become more embedded as a concern. With data breaches making news headlines on a regular basis, companies that wish to compete effectively will need to prioritize establishing and maintaining customer trust.
Bearing in mind these overarching trends, let’s take a look at some of the more important details that lie within them.
Changes to US Data Privacy Laws
To date, the US federal government has been largely unsuccessful in legislating nationwide privacy laws. Needless to say, US states – and the businesses that operate within them – would much prefer to adhere to a single set of federal privacy laws. However, in the absence of these laws, states are introducing their own individual privacy protections, even if that proves to be a procedural nightmare.
A few of the more critical state-centric protection laws coming into effect in 2023 include:
California Privacy Rights Act (CPRA)
Among the most comprehensive of state data privacy laws, the CPRA came into effect on January 1st, 2023. An important piece of cross-sector legislation, the CPRA introduces a number of legal obligations that businesses must adhere to, including:
Informing customers how their data is being collected and how they can opt out.
Stricter guidelines on how businesses can share any collected data with third parties.
Although these requirements are set out by the California Privacy Protection Agency (CPPA), the CPRA includes a customer’s right to rectify inaccurate personal data and to limit the use of this data. It also enhances definitions of what qualifies as sensitive information and the special protections that must be applied as a result.
Further to this, the CPRA imposes significantly larger fines for any breaches of children’s data and greater breach liability for unencrypted data. It additionally limits the amount of time a business can hold onto customer data, and requires that any third party that a business shares its collected data with operates at the same level of protection.
Perhaps most important for businesses, however, is that the CPRA acts as a privacy regulator in its own right, which can impose fines and hold hearings without involving the state’s attorney general.
Colorado and Virginia Consumer Data Protection Acts (CDPA)
Similar to Europe’s General Data Protection Regulation (GDPR), the CDPAs of both Virginia and Colorado require businesses that collect customer data to provide a universal opt-out option.
While exact privacy guidelines will be released in 2023, the laws will apply to any organization conducting business in Virginia or Colorado that a) processes the personal data of more than 100,000 individuals, or b) processes the personal data of over 25,000 individuals while earning revenue from the sale of this data.
Similar privacy laws are also being enforced in Utah and Connecticut. Although these five states are currently the only ones in the US with data privacy laws, many others are striving to create their own, so it’s advisable to stay tuned to avoid any potential privacy oversights.
Enhanced Privacy Laws In China
Although China’s Personal Information Protection Law (PIPL) is similar to Europe’s GDPR in many respects, it requires that any data collected on Chinese subjects be stored within China itself. Any processing of this data outside of China will require the approval of China’s national security agency.
With China’s vast influence on its regional neighbors, it’s a fair assumption that its data privacy laws will become the standard for many other countries in the region – so companies looking to do business in China or Asia as a whole may soon need to tread carefully when it comes to data processing.
The Demise of Third-Party Cookies
Third-party cookies will no longer be usable by the end of 2023. This will come as a welcome relief to customers concerned about the data that advertisers use to generate personalized ads. In their place, first-party data will no doubt emerge as the dominant collection process, with customers able to willingly exchange their data as a tradeable commodity.
As a result of this shift, businesses will need to offer something in return for this exchange, be it discounts or special offers. Either way, the days of collecting free data from customers are drawing to a close.
More Stringent Guidelines for International Data Transfers
The European Data Protection Board (EDPB) has set out new guidelines on how businesses can conduct cross-border data transfers. Since different countries have separate data laws, there’s been some confusion as to whether the laws governing businesses that receive cross-border data supersede those of the country where the data originated.
With new European guidelines, businesses that handle cross-border data will need to adjust processes accordingly by the end of 2023.
While we’re on the subject of the EU, its intended Artificial Intelligence Act is currently making headway. If and when it’s approved, the act will sort AI-driven apps into three categories of risk – ‘unacceptable’, ‘high’ and ‘other’. The ‘unacceptable risk’ category will involve such activities as social scoring, with activities in this category being banned. ‘High-risk’ activities such as automated job applicant assessment will be permitted but tightly regulated. While the ‘other’ category is as yet undefined, it’s clear that any business that operates AI-driven applications will need to proceed with caution once the act is passed as EU law.
Navigating Data Privacy with CookieHub
In short, data privacy laws are only going to get more complicated and troublesome for companies during 2023. With different sets of new laws being implemented by different countries and states, staying compliant is likely to become an increasingly time-consuming process for businesses. This is why using a consent management platform like CookieHub can make a real difference to your bottom line.
CookieHub is a simple and cost-effective way for businesses to maintain compliance and avoid any potential trouble. It removes the stress of having to stay up-to-date with the continually shifting data privacy landscape. Once you’ve added our widget to your website, CookieHub’s scanner automatically analyzes which cookies your site is using and categorizes them. It then creates a comprehensive cookie declaration that lists and explains what each individual cookie does.
Most importantly, CookieHub automatically displays the correct cookie consent agreement for the user’s country. The platform gives your users all the data and options they need so they can accept or reject cookies as they wish, and remembers their choices for any future visits.
The Easy Solution
Not only does CookieHub gain clear consent from every one of your website users and keep you in line with global regulations – it does so affordably. The platform is free to use for any website with up to 5000 sessions a month. If your site has more than that, our paid plans start at just €8/month.