In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.
🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved
Thank you for your continued support and trust in our coverage of important global issues!
2023 will bring many changes to the privacy and data protection landscape: new privacy laws will be enforced, there will be changes to old directives and new guidelines, new data privacy trends.
In this post, we’ll go over the main changes and trends to watch out for in 2023!
Even though an all-encompassing federal law about privacy and data protection is still far away, the US privacy landscape will significantly change this year, with many new state laws coming into force.
On January 1st, 2023, the California Privacy Rights Act (CPRA) has officially become law and will be fully enforceable on July 1st, 2023.
The CPRA builds on the CCPA’s existing provisions, establishes new consumer rights, and adds new requirements for companies that gather personal data from California users.
The CPRA introduces also a different category of protected data: sensitive personal information (SPI). This poses new requirements for businesses. For example, a business that processes SPI must have a clear and visible link on its website labelled “Limit the Use of My Sensitive Personal Information”, that allows customers to limit this processing.
Alongside California’s CPRA, on January 1st, the Virginia Consumer Data Protection Act (VCDPA) has also come into force. Virginia has thus become the second state in the United States to enact a comprehensive data privacy law after California.
The VCDPA affects organizations that do business in Virginia or provide products/services to people in Virginia. In other words, your organization does not need to be located in Virginia to be affected by the VCDPA.
Virginia’s VCDPA grants users new rights regarding the collection and processing of their data and requires businesses to complete data security assessments when processing personal data for targeted advertising and sales, among others.
The Colorado Privacy Act (CPA) will come into force in July 2023. It will apply to legal entities that do business in Colorado or produce products or services that intentionally target Colorado residents.
Under the CPA, consumers will have enhanced rights in regard to their personal data. Some of the proposed rights include the right to opt out of:
The Act also specifies the obligations that controllers must meet in relation to sensitive data.
The Utah Consumer Privacy Act (UCPA) will be enforced at the end of the year, on December 31, 2023. The law will apply to controllers or processors who conduct business in Utah or produce a product or service that is targeted to residents of Utah.
If compared with the previous laws, the UCPA takes a lighter, more business-friendly approach to consumer privacy, but it also gives consumers enhanced rights in regard to their personal data.
Bookmark our US privacy legislation overview: a comprehensive overview of privacy in the US!
These new laws introduce new requirements for organizations doing business in the US.
Complying doesn’t have to be a hassle!
If you’re using iubenda, all you have to do is:
In 2023, many new Acts that are now being discussed will be enforced in Europe. Let’s have a closer look at each one of them.
Effective August 25, 2023, the EU’s Digital Services Act (DSA) now governs “very large online platforms” and “very large online search engines” that have more than 45 million active users in the EU. Under this new regulation, such companies must partake in yearly audits and actively combat disinformation. Non-compliance risks penalties, including fines that can reach up to 6% of a company’s worldwide revenue or even result in a ban. The full Act will be applicable to smaller websites starting early 2024. Big Tech is now under enhanced legal scrutiny, with obligations related to content safety, user targeting, and data sharing. In line with DSA obligations, Google has declared that it will provide targeted ad data to authorized researchers. There remains ongoing debate on whether these tech giants have sufficiently met EU regulatory standards.
The Digital Services Act (DSA) was published in the Official Journal of the European Union on October 27, 2022, and has gone into effect in mid-November. However, since many of its requirements will be fully enforced starting by 2024, during this year businesses will have to start complying.
The aim of the DSA is to set new rules to create a safer and more open digital space in the EU. For example, it enhances transparency online, restricts targeted advertising, bans dark patterns and much more.
Alongside the Digital Services Act, the European Commission also issued the Digital Markets Act (DMA), which will start to apply as of 2 May 2023.
The DMA aims at regulating the activity of the so-called “gatekeepers”, i.e. organizations that operate as “core platform services” (app stores, search engines, social media platforms) and that have a great impact on their internal market.
The European Union’s Data Act, following its adoption by the European Parliament on November 9, 2023, is set to transform the digital landscape. Initially proposed by the European Commission in February 2022, this landmark legislation is poised to enhance fairness in the digital environment, stimulate competition in the data market, and make data more accessible for all, including businesses and individuals.
The Data Act will officially enter into force following its formal adoption by the Council. Most provisions will become applicable 20 months after this occurs.
Currently, the Act is open for public comment for six weeks, allowing stakeholders to provide their input.
This year will most likely bring a new EU-US privacy agreement, which will make data flow between these countries easier.
In 2020, the Privacy Shield was invalidated after the Schrems II ruling. After almost two years of thorough negotiations, the European Commission and the United States have agreed on a new Trans-Atlantic Data Privacy Framework. The deal ensures that data transferred to the US is adequately protected, addressing the concerns of the Schrems II ruling.
President Joe Biden has already signed an Executive Order to move the discussion further. Now the European Commission will have to issue an adequacy decision, which will finally legitimize data transfers between the EU and the US. The decision-making process could take up to six months.
On January 1st 2023, the new Federal Data Protection Act (FADP) has come into force.
Switzerland has a law governing data privacy known as the Federal Act on Data Protection, which dates back to 1992 and was partially updated in 2019. The Swiss Parliament has now adopted a fully revised version of the law to be more in line with the GDPR. The intention is that it will match the privacy and security standards of the rest of the EU, even though it will maintain the original concepts and vary slightly in some areas.
This law applies to the processing of personal data concerning individuals by private individuals and federal agencies.
It does not apply to the processing of personal data by individuals for exclusively personal use.
The current privacy law in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA). However, a new bill is being discussed in the House of Commons: Bill C-27, the Consumer Privacy Protection Act (CPPA). It will replace Part I of PIPEDA, which governs how the private sector handles users’ data.
CPPA will apply to any business that collects, uses, or discloses personal data in Canada or internationally.
The aim of the CPPA is to align Canada’s privacy legislation to international privacy standards, to ensure that the privacy of Canadians is protected and that businesses can benefit from clear rules as technology continues to evolve.
While the Bill is still a draft, we can likely expect that a definitive text will be ready by the end of 2023.
After the LGPD officially became enforceable in 2020, in 2022 the ANPD published new guidance on cookies and their use.
In 2023, we can then expect that the Brazilian Data Protection Authority (ANPD) will continue to align Brazil’s privacy framework to international standards.
Australian data protection laws date back more than 30 years ago, with the Australian Privacy Act of 1988.
However, since in the past few months, there’s been a spike in data breaches, the government decided to implement some new rules and introduce the Privacy Legislation Amendment Bill 2022.
The Amendment Bill increases the penalties for repeated violations of the Privacy Act of 1988 and it also gives greater powers to the Australian Information Commissioner in the event of a privacy breach.
That’s why it’s important to be up-to-date with the latest news and data privacy trends.
Every week, our team collects the most interesting news about privacy and data protection and the latest data privacy trends and sends them directly to your inbox. It’s our DPO Newsletter, thousands of people have already signed up.
Don’t miss any updates: sign up now!
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.
