Predicting the Future of Privacy Law into 2023
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s look ahead toward the State of Privacy in 2023. With the New Year little more than 100 days away, what should we expect?
Where things stand now:
Regulators feel more experienced and bolder. The EU’s GDPR has now been in force for four and a half years, California’s CCPA for nearly three, and its CPRA will become fully operational on January 1st for personal information gathered in 2022 and thereafter. European and Californian regulators have had time to gain experience and to begin enforcement in earnest.
States vary in their privacy “reach.” Four other states have enacted general privacy laws which have some – but decidedly incomplete – overlap in their definitions, jurisdictional grasp, requirements, and remedies. For more on the laws in Colorado, Connecticut, Ohio and Utah, you can read these previous posts:
- “Colorado Privacy Act”: https://www.hoschmorris.com/privacy-plus-news/colorado-privacy-act
- “Virginia Consumer Data Protection Act”: https://www.hoschmorris.com/privacy-plus-news/virginia-consumer-data-protection-act
- “Utah Joins California, Colorado, and Virginia in Enacting A Comprehensive Privacy Law with Connecticut Set to Follow”: https://www.hoschmorris.com/privacy-plus-news/utah-joins-california-colorado-and-virginia-in-enacting-comprehensive-privacy-law-with-connecticut-set-to-follow
- “Connecticut’s New ‘Privacy Breach’ and ‘Cybersecurity Standards’ Acts Following Ohio And Utah”: https://www.hoschmorris.com/privacy-plus-news/connecticut-ohio-utah-cybersecurity-standards
US national legislation is stalled. The proposed American Data Privacy Protection Act has stalled over state preemption and other issues. There is no working, national consensus over what we expect from privacy law yet. For more on this issue, you can read our previous post, “Ain’t Gonna Cut It: The (current) American Data Privacy Protection Act,” by clicking on the following link: https://www.hoschmorris.com/privacy-plus-news/aint-gonna-cut-it-adppa
The FTC is trying to develop a general rule governing privacy practice, but prospects for a working, general rule are uncertain. Under its existing authority to regulate “unfair and deceptive acts and practices” in interstate commerce, the FTC already expects businesses to provide privacy notices which accurately reflect what those businesses do, and it is working on a draft Privacy Rule which would apply specifically and more generally (perhaps like its Rule on Franchising, which sets a floor but allows states to set additional requirements). The comment period will end about a month from now, on October 21st.
Abroad, many friendly countries have adopted variations of Europe’s GDPR. On the other extreme, authoritarian regimes increasingly view personal data as valuable national assets. Western unity over Russia’s invasion of Ukraine and the valuable role of US intelligence in Ukraine’s defense seem to have muted (somewhat) the “security versus privacy” struggle which underlies Europe’s privacy frustration with the US, but hasn’t fully resolved it.
Directions and Trends:
More enforcement: Enough? Too much? It’s not hard to predict more and stricter enforcement under the GDPR, CCPA/CPRA, and other authorities in 2023. The hard question is whether the increased enforcement will be enough to get the attention of the largest consumer-facing enterprises with the most personal information splashing in their systems, and cause them to adjust their business models. (Four hundred million dollars would be a huge fine to most businesses but doesn’t come close to the four-percent-of-global-revenue cap the GDPR authorizes for PI-heavy giants.) Conversely, the point at which regulatory zeal (in California, perhaps?) crests the tipping point where businesses conclude it’s uneconomical to do business there may be a question to which we have already begun to hear the answer. See the California Attorney General’s recent announcement of a $1.2 million settlement with Sephora, resolving allegations that the company violated the CCPA.
Less agreement, not more. For a while in 2021 and 2022, there seemed to be substantial agreement that a kaleidoscope of varying regulations was in no one’s interests and that consumer privacy might be the rare issue on which politicians of both parties could show that yes, Virginia, bipartisan agreement can be reached. But that moment seems to have passed, at least for the time being.
The fights will turn to the courts. We anticipate more and fiercer litigation over the enforcement of existing statutes, and over the propriety of whatever rules the FTC ends up promulgating.
Struggles to be the “standard.” California claims CCPA/CPRA will apply to all businesses with $25 million or more in revenue which do business with Californians, whether that revenue is earned in California or not. If sustained, this will effectively make CCPA/CPRA a national standard for all but relatively small businesses which aren’t national in scope. The FTC will want its Privacy Rule to be a baseline, perhaps like its Rule on Franchising. GDPR claims it sets a baseline for all Europeans wherever they go. It is impractical to set up different compliance regimes for these different laws, meaning that the most economically powerful state or stringent legal regime – the one which national or international businesses cannot afford to ignore – will effectively set the standard for everyone.
Russia’s invasion of Ukraine will likely move companies further to reevaluate doing business in authoritarian regimes, and push Europe to appreciate the US security umbrella more – but only to a degree, and only for a while. We expect Western companies will continue their trend away from business investments inside authoritarian countries, except maybe companies who mistakenly believe Hungary’s current government is one to admire, or others who feel they are too deeply invested there already. We also hope that European hostility toward the US government’s insistence on monitoring foreign calls may abate to a degree, in view of how helpful US intelligence seems to have been to Ukraine (and Europe) this year. May this yield fruit in US/EU negotiations over cross-border data transfers? We hope so, but we won’t lean too heavily on either of these. Profit opportunities in authoritarian regimes may yet prove irresistible, and the importance of security may start to fade as the crisis starts to pass. After all, the leading proponent of the anti-US intelligence bloc (Max Schrems) is a citizen of Austria, and Austria has never been a member of NATO anyway.
For now, we recommend that businesses compare various authorities’ jurisdictional claims to their own business plans, and do whatever is necessary to match their own business operations to the present and coming requirements of the strictest jurisdiction(s) to which they may reasonably expect to be subject.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.