
Key things to know about 2023's new privacy landscape

This year, new privacy laws will become effective in 5 states, defining the US privacy landscape in the absence of a federal privacy law. Businesses must therefore ensure that their mobile apps and websites have appropriate compliance mechanisms that provide easy access to opt-outs or request forms, and that they have a process for responding to consumer requests.

New State Privacy Laws in 2023

New laws going into effect this year include the following:

  • California Privacy Rights Act (CPRA): Entered into effect on January 1, 2023

  • Virginia Consumer Data Protection Act (VCDPA): Entered into effect on January 1, 2023

  • Colorado Privacy Act (CPA): Entered into effect on January 1, 2023

  • Utah Consumer Privacy Act (UCPA): Will enter into effect on December 31, 2023

  • Connecticut Data Privacy Act (CTDPA): Will enter into effect on July 1, 2023

Who is regulated by the new privacy laws?

If your answer is yes to ANY of the bullets below, your business is regulated by the new privacy laws:

  • Your gross annual revenue exceeded $25 million in 2022, and your business stores personal information on consumers or households that are residents of these states (the revenue threshold applies only in CA)

  • Your company buys, sells, or shares the personal information of at least 100,000 consumers who are residents of these states

  • 50% or more of your annual revenue derives from selling or sharing user data

  • The CCPA imposes separate obligations on service providers who process personal information on a business’s behalf (which could be CRM tools, data platforms, business analytics platforms, loyalty, etc.)

Key Requirements

Each state law has different requirements that must be considered to avoid potential penalties for non-compliance. Some of the key requirements, however, ask businesses to give consumers the ability to opt out of the following actions (including individuals who have already opted in):

  • Processing, selling, renting, or sharing (orally, in writing, or by electronic means) consumers' personal information with a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged. Personal information could include the consumer's name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences made about the consumer’s preferences and characteristics

  • Targeted advertising: Displaying ads to a consumer, leveraging personal data obtained from consumer’s activities across other nonaffiliated websites or mobile apps to predict their preferences or interests

  • Profiling: Any form of automated processing of personal information to evaluate, analyze, or predict personal aspects related to a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements - where the profiling activity can have legal or similarly significant effects on an individual (e.g., targeting a person known to be experiencing financial difficulties with offers for high-interest loans)

  • Additionally, businesses must identify and communicate retention periods for each type of personal data and build a deletion process that works in accordance with their retention policies

In summary, without users' consent, companies cannot:

  • Sell or share user data with a third party to be used for behavioral advertising

  • Use third-party data for targeted advertising

  • Leverage user data for automated decision-making processes

Although Google delayed the deprecation of third-party cookies to 2024, marketers relying on third-party data and programmatic advertising to drive their campaigns must adapt their strategies now and find new ways to reach and engage with their target audience.

How to navigate the new privacy environment?

Here are a few ways businesses can ensure compliance with the new laws:

  1. Introduce a 2-step opt-in process in which the consumer first requests to opt in and then, separately, confirms their choice to opt in. The opt-in form should be easily accessible and have a permanent presence on your site or apps, so that consumers who initially opted out can opt back in if they initiate a transaction or attempt to use a product or service that requires an exchange of their personal information

  2. Include in the opt-out form a link to a web consent page that describes consumers' rights and presents several opt-out options: “Do Not Sell or Share My Personal Information,” “Limit the Use of My Sensitive Personal Information,” and “Opt Out from Profiling”

  3. Incentivize consumers by offering financial incentives, promotions, or discounts in exchange for collecting, keeping, selling, or retaining personal information, if the financial incentive provided is reasonably related to the value of the consumer’s data. Make it clear that consumers who choose to opt out will not be able to continue participating in the special deals offered in exchange for personal information.

  4. Ask consumers to opt in to financial incentive programs (loyalty, referral, etc.).

 
 
 

©2023 by MIRELA CIALAI.