Most organizations collect personal data as part of their ordinary business operations. But, new laws in the US and abroad impact what those organizations can do with the data. Here’s a summary of some major privacy law changes for 2023, focusing on a few key issues to consider. Please contact our attorneys who practice in this area for more information.
As you review this summary, please bear in mind that even if your organization is not directly impacted by these laws, they still may have significant impact on you if your customers or partners are subject to these laws.
California – The CPRA Effective January 1, 2023
In 2018, in response to a threat by the wealthy businessman Alastair Mactaggart to force a public vote on a proposed privacy law through California’s “proposition” process, the California legislature passed the California Consumer Privacy Act (CCPA), which became effective in 2020. Mactaggart, however, was not satisfied with the CCPA and pushed an amendment known as the California Privacy Rights Act (CPRA) through another proposition process in 2020. That amendment, the CPRA, becomes effective on January 1, 2023. And, at the same time, certain provisions of the original CCPA expire. The major changes taking effect then include:
- Information about employees and job applicants will be fully subject to the CCPA (previously it had been partially exempt)
- Business contact information—things like names and email addresses of contacts at other companies—is also now fully subject to the CCPA
- New rules regarding “Sensitive Personal Information,” such as social security numbers, health information, and religious beliefs
- New auditing and risk assessment requirements
The CCPA (as amended by the CPRA) does not directly apply to smaller companies which neither have information about a large number of California residents nor sell personal data as part of their business. However, the law requires any companies subject to it to contractually require anybody with whom they share data to comply with portions of CCPA. So, if you provide services to any larger companies with a presence in California, you will likely need to sign a data processing agreement and take appropriate steps to remain in compliance with these requirements.
New Comprehensive Privacy Laws in Colorado, Connecticut, Virginia, and Utah
The above states all have new comprehensive data privacy laws coming into effect in 2023. Virginia is first on January 1, followed by Colorado and Connecticut on July 1, and finally Utah on December 31.
Although the specifics of these laws vary a bit, they are similar in scope. They all only apply to companies with data of 100,000 or more consumers in the state, with a lower 25,000 threshold if they sell personal data. Unlike California’s law, employee information and business contact information is not covered.
Similar to the CCPA in California, organizations subject to these states’ laws are required to have privacy notices with specific information and to have data processing agreements with companies
they use to process personal information.
If you receive personal information from Europe, chances are that you’ve heard of the General Data Protection Regulation, commonly referred to as the GDPR. Among other things, it restricts transfers of personal data to countries, including the United States, which the EU believes do not provide “adequate protection” for personal data. To make these transfers legal and easy, the EU and US adopted “Safe Harbor Principles” in 2000 (under the former EU Privacy Directive) to allow those transfers to occur. But, in 2015, the Safe Harbor Principles were struck down by the European courts by a decision known as Schrems I, named after Max Schrems, an Austrian privacy activist who originally filed the case. So, in 2016, the EU and US adopted a new method, the “Privacy Shield,” as a replacement for the Safe Harbor Principles, but this was also struck down in 2020 by the European courts in another case brought by Mr. Schrems, Schrems II.
Fast forward to March of 2022, when the US and European Commission presidents agreed to a new political agreement to protect European personal data, and then to October 2022, when President Biden issued an executive order to put a new “Privacy Shield 2.0” into effect. The mechanics will be rolled out in 2023. Will there be a Schrems III? Max Schrems has already threatened another lawsuit.
In the meantime, though, US companies can frequently use a very specific set of standard contract clauses dictated by the European Commission to allow those transfers to take place. But, be warned, the EU adopted new Standard Contractual Clauses in 2021, and the old ones will not be valid on December 27, 2022. If any of your organization’s current agreements reference the old clauses, you should be sure to update them to refer to the new ones.
Remember Brexit? That happened after the GDPR was adopted in the EU, so the British decided to maintain GDPR to protect data of UK residents. However, the UK is evidently planning to replace GDPR with a new “British Data Protection System.” We will know a lot more about this proposed new system in 2023, but it probably won’t roll out until 2024 at the earliest.
US Federal Law
While the rest of the world seems to be interested in limiting the use of personal information, and there remains no comprehensive federal US data privacy law (despite several efforts in Congress) the US Department of Treasury appears to be going in the opposite direction. To comply with the new Corporate Transparency Act, beginning in January 1, 2024, companies will be required to provide information about their significant owners and people in control to the Financial Crimes Enforcement Network, part of Treasury. The information to be reported? Name, birthday, address, passport or driver’s license number, and Social Security Number, among other things. The data is supposed to be nonpublic and may only be used for national security and law enforcement purposes.
Also at the federal level, look for resurrections of the American Data Privacy and Protection Act, the Children and Teen’s Online Privacy Protection Act, and the Kids Online Safety Act in 2023. These bills all had bipartisan support in 2022 but were not passed in the closing days of the 117th Congress.