2023 will usher in widespread changes to the data protection landscape as the European Union and the United States are expected to enact new laws and regulations covering the use of personal information.
Let’s explore some of the most significant data protection changes in 2023.
The EU’s flagship data privacy law, the General Data Protection Regulation (GDPR), has become a global standard for privacy and data protection. Since the passage of GDPR, the bloc has adopted new laws that give EU residents more rights and protections regarding the collection and handling of their data.
Digital Services Act
The Digital Services Act (DSA) is an EU law that updates the Electronic Commerce Directive 2000 regarding illegal content, transparent advertising, and disinformation. It was published in the Official Journal of the European Union on 27 October 2022 and became enforceable in November of that year.
The Digital Services Act aims to “create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses.”
Businesses that operate in the EU will have to begin compliance in 2023.
Digital Markets Act
Created alongside the DSA, the Digital Markets Act (DMA) is the other half of a new set of rules governing privacy and data protection in the digital space.
While the DSA is concerned with harmful and illegal goods and services, the DMA is a competition and antitrust law that aims to “promote a level playing field for business.” The law specifically targets “gatekeepers,” or businesses that operate services such as search engines, app stores, and social media platforms.
The DMA will become enforceable on 2 May 2023.
Data Governance Act
The Data Governance Act (DGA) is designed to improve data sharing within the EU so businesses and organizations can easily access public, non-personal data to build new goods and services. The law aims to “increase trust in data sharing, strengthen mechanisms to increase data availability, and overcome technical obstacles to the reuse of data.”
The DGA became law on 23 June 2022 and will become enforceable from September 2023.
While the United States still hasn’t passed a federal comprehensive data protection law similar to the General Data Protection Regulation (GDPR), several states will begin to enforce GDPR-inspired laws in 2023. Each state law applies only within that specific state, but this new wave of data protection laws is a clear sign that consumers in the U.S. want more robust data protections in place.
The California Privacy Rights Act (CPRA) became law on 1 January 2023 and will become fully enforceable on 1 July 2023. CPRA is a state privacy law that grants California residents more control over their personal data.
CPRA builds on California’s previous privacy statute, the California Consumer Privacy Act of 2018 (CCPA). The new law, sometimes referred to as “CCPA 2.0”, establishes stricter requirements for companies that gather personal data from users in California.
One notable addition to CPRA is the introduction of a new category of protected data called sensitive personal information (SPI). CPRA imposes limits on businesses that collect and process SPI. For instance, a website must allow visitors to limit SPI processing by clicking on a link.
The Virginia Consumer Data Protection Act (VCDPA) came into force on 1 January 2023, alongside California’s CPRA. With the passage of the VCDPA, Virginia became the second state in the United States to pass a robust data protection law.
Similar to other privacy statutes, VCDPA covers all businesses that do business in Virginia or provide services to users in Virginia. This means that a company that is headquartered in a different state or country, but otherwise accessible within Virginia, is affected by the new privacy statute.
VCDPA grants Virginia users new protections regarding data collection and processing and requires businesses to follow minimum data security standards when processing data collected from Virginia users.
The Colorado Privacy Act (CPA), signed into law on 8 July 2021, will become enforceable in July 2023. Colorado is the third state after California and Virginia to pass a GDPR-style privacy law.
The CPA provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling. Controllers will also need to honor user-selected universal opt-outs for targeted advertising and sales.
The Utah Consumer Privacy Act (UCPA) will come into force on the last day of the year, 31 December 2023. The law protects Utah residents’ privacy rights and establishes data privacy responsibilities for companies doing business in the state.