Every year our editorial staff looks back on the past year and makes predictions for the one ahead. We try to get them right but our real goal is to spark conversations. This year we are going to do something a little different by also adding in some privacy resolutions. Join us as we gaze into the crystal ball of privacy and data protection.
Prediction 1: More consumers will use GPC
Prediction: Consumers will continue to opt-out of the data sales regardless of residence, increasingly through automated means like GPC.
The Global Privacy Control (GPC) was created in October 2020 to allow individuals to easily signal their privacy preferences. In January 2022, GPC was adopted by several major publishers, consent management platforms, and privacy-focused browsers. In April of 2022, the tech standard was endorsed by the California Attorney General and referenced in the CCPA Regulations and compliance FAQs. However, it has only recently gained attention from privacy and compliance professionals following the CA AG’s $1.2 million settlement with global retailer Sephora.
Recommendation: Watch other states besides California.
Colorado and Connecticut adopted provisions for universal opt-out mechanisms such as GPC into their respective consumer privacy laws. (Commencing July 1, 2023) More endorsements from policymakers and the tech community will mean more consumer awareness. And in turn greater adoption by consumers and businesses.
New Year’s Resolution: Make it easy for consumers to opt-out of data sales and targeted ads. Provide appropriate notices and make opt-out preference signals a part of your rights response toolkit.
Prediction 2: The ADPPA will not come to the rescue
Prediction: With the California Coalition and Senator Cantwell (Chair of the Commerce Committee) opposing the American Data Protection and Privacy Act (ADPPA), the beleaguered bill will remain on ice. Rather, the new Congress will turn to less controversial topics of children’s privacy and targeted advertising, and one or two more states will pass their own privacy laws.
Recommendation: Hope for the best, prepare for more fragmentation.
It will take more state laws flipping on and more business leaders pressuring Congress to resurrect the ADPPA or another version of it. New York, Kentucky, Tennessee and Oklahoma are the latest bills to gain attention, and 2023 has only just begun. Don’t be too surprised to also see federal privacy reforms on the lips and platforms of presidential hopefuls looking at 2024.
New Year’s Resolution: Make interoperability your privacy operational goal for the year. Focus on the common fundamentals of data mapping (and minimization), clear privacy policies (and true privacy practices), easy rights submission (and timely fulfillment), genuine risk assessment (and meaningful mitigation). There will always be jurisdictional and definitional details to fret over, but knowing yourself and your data, and doing right by your customers is universal.
Prediction 3: Virginia becomes the model of choice for other States
Prediction: With Colorado’s CPA, Connecticut’s DPA and Utah’s CPA sharing more in common with Virginia’s CDPA than with California’s CPRA, the trend favors Virginia as a leading, generally more business friendly state ‘template’.
Recommendation: Keep an eye on state legislative developments and watch for unique features. A common template does not equal carbon copy.
California’s CPRA amendments locked in a widely-impactful and uniquely Californian definition of date “sale” to include data disclosed to providers of targeted advertising and related analytics services. Virginia’s CDPA is the first U.S. state law to require opt-in consent to process sensitive personal information. And while California, Virginia, Colorado and Connecticut explicitly require GDPR-style DPIAs (by-any-other-name), Utah oddly does not.
An effective privacy management program minds the gaps while focusing on the overall mission of the program. This depends on understanding which laws, rules and standards apply to your business. As the old Saturday morning cartoon used to shout over cereal ads, “Knowing is half the battle!”
New Year’s Resolution: Set time aside to dig into the details. Legislative proposals and draft regulations offer both requirements and exemptions, for rumination and reconciliation. Your friendly neighborhood Privacy Community can lend a helping ear, hand… and magnifying glass.
From start-stop delays in critical California regulations to landmark regulatory actions in the EU to dashed hopes for a U.S. federal privacy law, 2022 was a nailbiter for privacy professionals. As we look at 2023, we hope it brings you clarity, focus and success in your privacy practice.