Everyone loves cookies, right? Well, at least of the snackable variety. On the other hand, digital cookies, especially the third-party variety, are coming on hard times in 2023.
Changes to cookie practices aren't the only thing businesses need to remember this year. There are a rising number of state privacy laws that will challenge organizations and advertisers alike.
And if you don't think the new and upcoming privacy legislation could affect your organization, look at what Sephora went through last year: The beauty retailer was fined $1.2 million for allegedly violating California's privacy laws and sharing people's data with third-party analytic tools without informing them.
The consequences of privacy missteps are real—but so are the opportunities to avoid them. Let's look at a timeline of changes organizations will face in 2023, critical details, and steps they can take to stay ahead of the privacy curve.
Data Privacy Dates to Watch for in 2023
January 1, 2023
After the ball dropped on December 31, 2022, organizations that conduct business in either California or Virginia had to quickly finish sweeping up the confetti. When the new year kicked off, they had to ensure they met new regulatory requirements imposed through the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act, and the Virginia Consumer Data Protection Act (VCDPA).
Now that those acts are effective, it's vital for organizations that meet applicability thresholds to understand the nuances of the regulations.
Although organizations conducting business in California are already required to comply with the California Consumer Privacy Act (CCPA), the CPRA amends or expands on numerous aspects of current requirements, such as special categories of information, data belonging to minors, limits on data collection and storage, enforcement mechanisms, and more.
Like CCPA, CPRA applies to businesses that operate in California and/or collect information from California residents and earn more than $25 million in annual revenue OR derive 50% of annual revenue from selling personal information.
CPRA action item: Include employee rights in your privacy strategy.
If you're a business operating in California, you can't just consider consumer privacy rights anymore. CPRA means businesses that collect employee data are now subject to the same rigorous privacy regulations as those that collect consumer personal information.
That means—among other things—that employees of an organization must be provided notice of their rights under the CPRA and ways they can exercise those rights. Employers also have limited time to respond to a request and must properly document all responses, much like they are required to do for consumers.
July 1, 2023
By the middle of the year, two states will be joining California and Virginia as trailblazers in the journey toward better privacy governance—namely, Colorado and Connecticut.
The Colorado Privacy Act (CPA) doesn't add or expand on notable new requirements that aren't addressed in other state privacy laws. The CPA will apply to for-profit and nonprofit entities that conduct business in Colorado or deliver commercial products or services targeted to Colorado residents.
To be covered by CPA, the organization must also surpass either of the following thresholds:
- Process the personal data of more than 100,000 consumers within any calendar year and/or gain revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more consumers
- Service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of those companies
The Connecticut Data Privacy Act (CTDPA) is similar to Colorado's law, but it also contains elements from California and Virginia privacy laws.
The CTDPA applies to entities that conduct business in OR control or process the personal data of consumers in Connecticut that...
- Process or control the data of at least 100,000 consumers, excluding data used solely for completing a payment transaction
- Process or control the data of at least 25,000 consumers and derive at least 25% of their gross revenue from the sale of personal data
CPA and CTDPA action item: Pay attention to cure periods.
Both CPA and CTDPA mandate a 60-day cure period for alleged violations, although that provision expires on January 1, 2025. During the cure period, the Attorney General must give notice and an opportunity to cure any violation before taking enforcement action. But keep in mind that he or she may act without such notice from January 1, 2025 onward.
December 31, 2023
As the days get shorter once again and the countdown to the new year starts over, one last effective date will sneak in: the enforcement date for the Utah Consumer Privacy Act (UCPA).
UCPA takes a looser, more business-friendly approach with its legislation. Unlike other states, Utah has included a minimum revenue threshold and additional thresholds that must apply for an organization to be covered by UCPA. Moreover, UCPA applies to for-profit entities that conduct business in Utah or target products and services to Utah residents, have annual revenues of at least $25 million, and meet additional threshold requirements.
Data Privacy Steps to Take
Individual rights and thresholds are often the focus of privacy blogs and think pieces, but they're just the starting point. You need to know that information, yes, but you also need a plan to integrate regulatory requirements into your privacy program. Here's where you should start.
1. Confirm which privacy regulations apply to your organization
It is important to understand whether any new or updated privacy laws may now apply to your organization.
Each of the US state privacy laws noted in this timeline has certain thresholds that must be triggered before a business is subject to the law. It is important to keep up with those thresholds that could apply to your organization, but it's equally important that you have visibility in your organization on operational practices that may trigger compliance requirements with applicable laws.
2. Update your privacy policy and privacy notice
Your privacy policy and privacy notice provide essential communication, internally and externally, as to what information you'll collect, how your business will handle personal information, how individual rights will be handled, and more.
If one of the upcoming privacy regulations makes its way onto your to-do list, be proactive. Identify where your privacy policy and notice need to be updated, particularly if you've had to adjust processes or workflows.
3. Pay attention to cookies
The use of third-party cookies and similar technologies, particularly for online behavioral advertising or similar types of consumer tracking and profiling, is creating considerable confusion right now. Many organizations are also struggling with technical solutions to address EU opt-in requirements under GDPR.
You can reduce obstacles by understanding what you have on your websites and your mobile applications. Understanding what you have in place will make it easier to determine how to provide users with the required control (such as a universal opt-out, an opt-in to certain or all nonessential cookies, or limiting the use of cookies).
* * *
As the calendar flips toward compliance deadlines, don't get overwhelmed. Your compliance program is always a work in progress. Data privacy will continue to evolve, and experts are available to provide the support you need to make sure your company's future looks bright.
More Resources on Data Privacy Laws
Customer Analytics and Data Privacy Laws: On a Collision Course?
Heads Up, B2B Marketers: Data Rights Aren't Just a Consumer Issue
The Secret Six-Ingredient Recipe for Perfectly Compliant Cookie Banners
