You’ve heard the rumblings, accepted the cookie banners and been warned by that one friend who swears by DuckDuckGo that privacy laws were coming… but is now finally the time? Over the past year, state legislatures have introduced an array of comprehensive data privacy bills, with Connecticut and Utah successfully passing theirs. As of 2023 these two states will join California, Virginia and Nevada as the five privacy protectorates with enforceable data privacy regulations in effect as soon as January 1st. As 2022 winds down to a close, many businesses are scrambling to assess whether these laws apply to them, and if so how to comply by this year’s ticking clock deadlines. Bluetext is no stranger to data privacy, as we are well versed in the variety of cookies and tracking techniques used across websites and relied upon by digital-age marketers. So let’s break down what this legislation means, who it applies to and, more importantly, how you can comply.
First, let’s dispel some legal myths and legends. You have all probably heard of GDPR (General Data Protection Regulation), the EU’s extensive data privacy protection program, which defines a set of laws enforced universally across all European Union nations. So who do these laws apply to? How do they impact American companies? The impact is much more significant than one would think, because GDPR applies both to companies within the EU and to any company offering services to, or tracking the behaviors of, individuals within the EU. So if your company is already complying with GDPR guidelines, you’ve got a great head start on the 2023 updates.
So does the United States have equivalent laws?
Short answer: no. Long answer: yes. Here’s why: European and American philosophies around privacy and individual rights are very different. While the European legislature honors an individual’s right to privacy as a basic human right, the American Constitution leaves these topics purposely vague and open to state-level interpretation. But as digital behaviors are becoming more visible and accessible than ever before, many states are taking their cue from the EU to establish privacy laws of their own. Most recently Connecticut and Utah joined California, Colorado, and Virginia to create a complex patchwork of state privacy laws, with fast-approaching compliance deadlines of January 1st, 2023.
What’s new in 2023?
Here are the recently enacted laws & upcoming deadlines:
Effective January 1st, 2023:
Effective July 1st, 2023:
Effective December 31st, 2023
California Privacy Rights Act (CPRA) – Effective Jan 1, 2023
The new CPRA amends the previous California privacy law to expand beyond the rights to privacy notice, deletion of data and opting out of the sale of data. The new provisions give consumers the rights to:
- Correct their data
- Opt out of sharing their data for targeted advertising
- Port their data
- Limit the use and disclosure of sensitive personal information
The most significant impact on the digital marketing industry is the expanded opt-out provisions. California consumers could already opt out of the sale of their data. But starting in 2023, consumers will also be able to opt out of the sharing of their data. This significantly clamps down on marketers’ ability to serve up cross behavioral advertising, or targeted advertising, as this hinges on the aggregation of users’ behavioral data across multiple platforms and contexts to serve a targeted ad. Businesses will need to post links on their website so consumers can opt out of both the selling and sharing of their data.
The new law also includes some other critical changes that businesses must comply with:
- Employees and business contacts receive the same rights as any other California resident
- Expanded look-back period for businesses responding to data requests in California, beyond the previous twelve months (the look-back period under the CCPA), for any personal information processed on or after January 1, 2022
- Regularly submitted Data Protection Assessments, known as “risk assessments,” which will need to weigh the benefits and risks to various audiences with the goal of restricting processing if the risks to the consumer outweigh the benefits to all stakeholders
These updates will be applicable to any companies (regardless of HQ state) which:
- Process the data of 100,000+ California residents OR
- Derive 50% of their business revenue from the sale/sharing of California residents’ personal data OR
- Have $25 million+ worldwide revenue
Virginia Consumer Data Protection Act (VCDPA) – Effective Jan 1, 2023
Compliance with Virginia’s privacy law is generally broad and a bit simpler for businesses than the CCPA; however, it is stricter on a few key issues. Like the CPRA, the law protects six main tenets of data privacy: the rights to access, opt out, correct, delete, appeal and portability. But some key differences include the exemption of all organizations subject to HIPAA or Gramm–Leach–Bliley laws, as well as non-profits and higher education institutes (while exempt from VCDPA, strict requirements do apply). Virginia’s law also excludes from its scope the employee personal data that businesses collect and process. The sale of personal information is more tightly defined as “the exchange of personal data for monetary consideration by the controller to a third party.” Monetary consideration is the key phrase which the California equivalent, the CPRA, lacks.
Virginia’s privacy law applies to businesses which:
- Control or process the personal data of 100,000 or more Virginia residents in a calendar year
- Control or process the personal data of 25,000 or more Virginians and derive over 50% of gross revenue from the sale of personal data
Starting on Jan 1, 2023, fines can be up to $7,500 per violation (plus attorney fees). There is a 30-day cure period for businesses to fix any violations.
How Should Digital Marketers Prepare?
With the new year quickly approaching, many businesses are scrambling to determine if these new laws apply to them, and if so how they can comply. For businesses nationwide, compliance means increasing the transparency of their data collection process, not necessarily the complete elimination of these practices. Online web users need to be presented with cookie and tracking notices at the very start of their digital interactions, and given a clear opportunity to opt out if they desire. Bluetext can help you implement all of the right tracking technology, collection settings and front-end user notices to make your business compliant with the changing privacy landscape. And even if the CPRA or VCDPA does not yet apply to you, regulations are only expected to increase. Over time more and more states are expected to get on board with recent data privacy protections, with the goal of setting a universal expectation of ethical data collection practices within the United States. Bluetext’s recommendation? Regardless of whether 2023 privacy laws are applicable to your business, you may want to get ahead of the curve and implement smart, ethical and compliant practices across your website. Contact us today to learn how we can help.