2023 started much the same as the year before, with state legislatures producing an impressive list of privacy-related bills in the U.S. Twenty-three states introduced comprehensive privacy legislation, with many more targeted privacy bills being considered as well. Iowa's governor signed the sixth comprehensive privacy law to close out the quarter. Internationally, things started rather slowly — that is, after the Irish Data Protection Commission delivered its €390 million fine against Meta.
Privacy in the U.S.
There's a new trend afoot in 2023. States are introducing an abundance of targeted privacy bills directed at health data, children's data, biometric privacy, and more. In addition to the several states progressing comprehensive privacy this year through the legislature, Washington introduced the My Health My Data Act which is demanding attention with its inclusion of the private right of action. Eleven states introduced copycat legislation for the Illinois Biometric Privacy Act, one of the most heavily litigated privacy laws in the country, and 20 are considering legislation to regulate children's privacy. Looking at the legislative push of Q1, privacy is in for another wild year.
Regarding comprehensive privacy laws, Iowa's SF 262 is likely to be joined by others this year as multiple states progressed bills through at least one chamber by the end of Q1. That said, Iowa's law won't increase the compliance burden for companies as its obligations meet the bar other states have set and in some cases, are lesser. SF 262 takes effect Jan. 1, 2025, and includes a 90-day cure period with no sunset clause.
Utah also made news this quarter as it signed two laws into effect that will significantly alter how social media platforms will operate for children under 18. Combined, the laws place restrictions on how minors can access social media platforms, grant parents access to their children's account activity, and introduce default settings that only a parent or guardian will be able to modify.
While privacy is moving in state legislatures, at the federal level comprehensive privacy stalled again as congress failed to revisit the American Data Privacy Protection Act. Instead, lawmakers seemed narrowly focused on banning Chinese-owned video app TikTok due to national security concerns.
Finally, the Federal Trade Commission (FTC) faced upheaval this quarter as the last remaining Republican commissioner resigned in an op-ed in the Wall Street Journal over disagreements with Chair Lina Khan. Losing its revered bipartisanship, how the FTC recovers and moves forward with its rulemaking process will be something to watch in the coming months.
International Privacy Updates
Kicking off 2023, Ireland's Data Protection Commission (DPC) issued a €390 million fine against Meta, for breaching transparency obligations under the General Data Protection Regulation. The DPC found that Meta did not clearly explain to users the purpose and legal basis for processing their personal data. This concluded a complaint filed in 2018, opening the door to criticism of delayed enforcement.
The European Commission launched a new initiative, hoping to further specify procedural aspects for national data protection authorities dealing with cross-border investigations. The Commission wrote that the next steps planned for Q2 "will harmonize some aspects of the administrative procedure" in cross-border cases and "support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms."
The U.K. signaled renewed interest in reshaping its privacy regime this quarter, first by creating a dedicated Department for Science, Innovation and Technology (removing digital and data policy from its former position in the Department for Culture, Media and Sport) and then by introducing the second iteration of proposed reforms to the U.K. GDPR, the Data Protection and Digital Information (No. 2) Bill.
The big news of the quarter came on Feb. 28, when the European Data Protection Board (EDPB) released its nonbinding opinion on the draft adequacy decision based on the EU-U.S. Data Privacy Framework. While recognizing substantial improvements over the previous trans-Atlantic data flow mechanism, Privacy Shield, the EDPB called out aspects that need more work and noted a "number of Principles remain essentially the same as under the Privacy Shield." Though the opinion is not legally binding, it will carry influence as the next steps play out.
Two enforcement actions out of Illinois via enforcement of the Illinois Biometric Information Privacy Act (BIPA) may have a long-lasting impact on future BIPA litigation. First, derived from the case of Cothron v. White Castle Systems, Inc., the Illinois Supreme Court held that a separate claim accrues under BIPA every time a company fails to comply with the law's notice and consent requirements for the same biometric data. This is a divergence from the previous expectation that violations occurred only upon initial collection. Secondly, Whole Foods was ordered to pay $296,000 as part of a preliminary order for a class-action settlement in what is possibly the first voiceprint settlement under BIPA.
Q1 of 2023 set the stage for another active year ahead in privacy. Here's a list of what we're watching:
- We expect a slew of state privacy bills to cross the finish line this year — and not just comprehensive privacy. BIPA copycats, health data, children's data, and data brokers are all on the table.
- Will Congress resume comprehensive privacy talks in the context of this layered patchwork of state privacy, and what will that mean for preemption?
- How will the FTC pursue rulemaking now that it's down to three commissioners?
- How reforms in U.K. and Australia will unfold.
- Next steps on the EU Artificial Intelligence Act and rules aimed at streamlining GDPR enforcement.
About the Authors:
Emily Leach is the privacy director at Blueprint Technologies, overseeing privacy operations, creating content for the company’s privacy program management technology and consulting for businesses from Fortune 500 to SMBs. Emily has been working in data privacy for 15 years and holds CIPP/US and CIPP/E certifications from the IAPP.
Molly Hulefeld is a privacy analyst at Blueprint Technologies, supporting consultants and clients by tracking and reporting on changes in the privacy landscape globally. Molly creates content for the company's privacy program management technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.