Things rarely happen like you think they will. By mid-2022, many commenters’ privacy hopes were riding high. It looked like we might finally get a bipartisan federal bill that would put U.S. citizens’ privacy on par with Europeans. Meanwhile, businesses were counting on a single law that would at least promise to make legislation easier to comply with.
Neither happened. Instead, we now live in a nation where the degree to which your privacy is protected by law depends, to a large extent, on where you live.
By the end of 2023, I expect the landscape to change further in the same direction, but with some caveats. Here are four key privacy legislation trends to watch out for over the next 12 months.
Federal Data Privacy Legislation will Remain Over the Horizon
2022 looked set to be a watershed year for privacy. The American Data Privacy Protection Act (ADPPA) was introduced in Congress — with significant bipartisan support, no less. If enacted, the bill promises to:
Advertisement
- Prohibit companies from collecting any more data than they need to provide their services.
- Apply to any entity (including sole proprietors, nonprofits, and common carriers) collecting, processing, or transferring “covered data” (i.e. any data that identifies a person or could be linked or reasonably linked to them).
- Give Americans rights over how their personal data is used and allow them to access, port, correct and delete their data.
If it became law, a bill like ADPPA would profoundly change the U.S. privacy landscape. But it is unlikely to pass next year.
With some minor exceptions, the bill’s preemption provision would largely override state laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). California’s representatives and leaders are determined not to let this happen.
Worried that the ADPPA would water down existing regulations, California representative and former Speaker of the House Nancy Pelosi said in a statement released in September that the ADPPA still requires some work. In its current state, it “does not guarantee the same essential consumer protections as California’s existing privacy laws.”
Ideally, California Democrats argue that the ADPPA should be “the floor,” not “the ceiling,” with individual states able to increase privacy protections as needed.
Some privacy experts have argued that the ADPPA is stronger than the CCPA in most respects, but California legislators are unlikely to change their minds. This will almost certainly lead to the death of the ADPPA as Republicans won’t support it unless it preempts state laws.
State-Level Legislation will Continue to Confuse Businesses
Political maneuvering might make federal privacy a more distant ideal next year, but strong public support for privacy still means that legislation is coming. However, it will happen at the state level rather than the federal.
In the absence of comprehensive federal legislation, states will continue to pass new privacy laws. In 2022, 29 states and the District of Columbia either carried over data privacy bills from 2021 or introduced new ones — an “overwhelming” amount of activity.
In 2023, we will see five state laws take effect:
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act (CPA);
- Utah Consumer Privacy Act (UCPA or the Act);
- Connecticut Data Privacy Act (CTDPA); and
- CPRA.
The fact that some states only have draft regulations at the moment will make compliance more challenging for affected businesses. There will undoubtedly be a difficult period of adjustment where organizations will need to invest substantial resources to understand what parts of these laws impact them.
We will also see the emergence of another layer of narrower state laws governing biometrics (like the Illinois Biometric Information Privacy Act, or BIPA, and the Texas Capture or Use of Biometric Identifier, or CUBI). and other specific forms of data like health, location and kids’ personal data (such as the California Age-Appropriate Design Code Act).
FTC will Set Precedent for Federal Law
Congress might not be in any rush to pass a federal data privacy law. However, the Federal Trade Commission (FTC) and the Federal Communications Commission (FTC) are determined to protect consumers from harmful data collection practices — with or without support from Congress.
New FTC and FCC regulations will likely create a precedent for federal law, with pressure from regulators eventually pushing Congress to codify data privacy rules.
Big Tech will Push for a More Coherent Law
A checkerboard of different laws and varying levels of legal risk is not good for business — especially for enterprises that use a variety of data types across state boundaries.
In 2023, we will likely see tech companies double down on their efforts to lobby Congress for a more coherent privacy rulebook. Of course, their biggest push will be for business-friendly privacy laws that incorporate existing best practices.
We are already seeing this lobbying push gather steam. In their marketing campaign released in 2022 and titled “United for Privacy,” a consortium of technology and corporate trade groups, including the U.S. Chamber of Commerce and the Consumer Technology Association, came together. Their message is that the current privacy legal landscape is a “conflicting patchwork of privacy laws” and will cost the U.S. economy over $1 trillion during the next decade.
The watering down of ADPPA (targeted advertising stayed in despite criticism) after extensive corporate lobbying shows the influence of tech giants and other business groups on the creation of privacy rules.
Final Thoughts
In 2023, data privacy is going to be no less important than it was in 2022. However, the protections consumers and businesses expected might not materialize — yet.
We may not get a federal data privacy law, but states will continue to enact their own rules, and both the FTC and the FCC are set to ramp up tech privacy action. Meanwhile, businesses will continue to lobby for a federal law that is lenient to their way of operating.
Whatever happens, one thing is clear: data privacy will stay top of mind for everyone.
Rob Shavell is CEO of DeleteMe, the Online Privacy Company. He has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC and Fox. Shavell is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).
