The State of Data Privacy Regulation in 2023: What You Need to Know
Despite numerous proposals over the years, there is no comprehensive federal law that governs data privacy in the United States. For the most part, businesses and institutions have had wide latitude to collect and disseminate personal information. Now, in the digital economy the generation, collection and insights derived from consumer data has become central to how businesses operate.
But with so much personal information outside of its owner’s control, data privacy and security have come to the forefront of consumer consciousness. In 2022, 84 percent of Americans surveyed said they were at least somewhat concerned about the safety and privacy of the personal data they provide on the internet.
2023 is shaping up to be the year the data privacy landscape changes. Rather than wait on federal legislation, many states are taking inspiration from the EU, which passed the toughest privacy and security law in the world in 2018, known as the General Data Protection Regulation, or GDPR.
For data-oriented businesses and marketers, here’s a high-level look at what is happening.
New state-level privacy acts in 2023
In 2018, California was the first state to pass a privacy act, which gave consumers more control over the personal information businesses collect about them. The California Consumer Privacy Act, or CCPA, took strong cues from the GDPR. In 2023, four other states – Colorado, Connecticut, Utah, and Virginia – are following suit with their own privacy protections.
States are filling the void left by the federal government. Nearly 75% of Americans polled said they want national data privacy standards, and to-date, the U.S. has passed only sector-specific legislation regulating how data can be used for financial, medical and educational sectors, including additional legislation on how data from children is protected.
The current federal privacy laws are more focused on preventing harms by regulating certain uses, whereas state-level privacy acts are giving shape to the idea that individuals have rights when it comes to ownership of their personal data. These new laws allow people to exercise more control over who uses their personal information, and how.
This is only the beginning. Michigan, New Jersey, Ohio and Pennsylvania are actively pursuing their own legislation and more states are sure to follow.
Federal law on the horizon
As states push to develop new patchwork of legislation, Congress is considering the American Data Privacy and Protection Act (ADPPA), which has significant bipartisan support. In the long absence of a national data security and digital privacy framework, ADPPA represents a swell of public awareness about data privacy that will affect the nation.
The ADPPA aims to better unify U.S. privacy protections and bring national requirements into alignment with international privacy laws. The key tenets of the act are data minimization, individual ownership and private right of action. Broken down, the three tenets are:
- Data collectors would need to minimize the amount of data they collect.
- Individuals would have the right to know how their personal data will be used and which third parties receive it.
- Injured individuals, or classes of individuals, would be able to sue covered entities for damages.
If the act passes, businesses could have to follow both national and state legislation to ensure they are compliant in processing personal data.
Key marketing takeaways
As the data privacy landscape changes, it’s important to consider the business and marketing implications now. To evolve in sync with the regulatory landscape and consumer preferences, organizations must be more open and transparent about their data privacy practices and more stringent about secure data handling and storage.
New laws will make it easier for individuals to act against companies that don’t take data privacy seriously. Data privacy must be at the forefront of business and marketing practices now, so it will be easier to implement sound practices that comply with future regulations. Start by ensuring your organization is using multi-factor authentication and secure document and email-sending. Then, you can consider more advanced processes, such as data encryption. It’s also a good time to review your organizational privacy policy – or to put one in place.
It is possible to provide personalized marketing experiences while still maintaining customer trust and privacy – and the two practices are more connected than ever. How a business treats the privacy and security of consumer data will put its brand reputation on the line. 2023 will be the year of striking the right balance, and now is the perfect time for businesses and marketers to begin taking action. At SA, we stay on top of legislation relevant to our clients because we treat your business like it’s our own. To learn more about how we make our clients feel at home, check out some of our past projects.
Ryan Weaverling is director of technology and Calan Smidt is a data systems strategist at Strategic America (SA). SA is a full-service marketing agency providing secure data-driven marketing services to the health, wealth, home, travel, and retail sectors throughout North America. Learn more here.