Reality Check: Data Security and Privacy in 2023

2023 could be a reality check for US companies on data security and privacy practices: Regulators and policymakers are set to make changes with consequence. Between momentum in Congress, a litany of state legislative updates and a continuing surge in cybersecurity attacks, companies’ feet will be held to the fire on how they handle user data and prove they’re taking both data security and privacy seriously.

Data privacy reform is a key area with bipartisan support in 2023. With so many changes at varying levels of government, it is paramount that organizations arm themselves with information to gear up for compliance – or understand what actions they can take to influence the regulatory landscape before it’s too late.

Here are a few key dynamics industry should be on the lookout for this year – and how to take appropriate action today:

Federal Data Privacy

The American Data Privacy and Protection Act (ADPPA) is the latest attempt at an overarching federal data privacy plan. Pulling from foundational state laws like Illinois’ Biometric Privacy Act of 2018 and California’s Consumer Privacy Act of 2020, the ADPPA is a call to action for companies to reassess potential risks and to establish more stringent data privacy and security practices.[1] Given the current Congress has identified data privacy as a top priority, with expected support from multiple committees, this could be the year we see a federal data privacy law finally enacted in the United States.[2]

There are two ongoing discussions that could stall this progress in 2023: state law preemption and enforcement. If passed, the ADPPA would create a different, possibly less exacting standard than states with existing data privacy laws, viewing the Act as a floor instead of a ceiling – an approach that supporters of the California state law reject.[3] Critics are also skeptical of the Act’s creation of a Bureau of Privacy at the FTC and its ability to enforce provisions.[4]

State-Level Data Privacy

While Congress works to pass a federal data privacy plan, companies are currently relying on a patchwork of state-level laws that vary in coverage and consequences. Five states – Colorado, Connecticut, Utah, Virginia, and then an update in California – have seen data privacy and security laws come into effect in 2023.[5] While California, Colorado, Connecticut, and Virginia laws focus on individual rights and recourse against data misuse, Utah laws focus more on data protection agreements between businesses.[6] Similarities exist between each state’s new approach to data privacy, but there are some key differences for companies to note and plan around.

Individual rights over personal data are a core tenet of these new laws, letting people access, delete, and correct the data collected on themselves, similar to the General Data Protection Regulation’s (GDPR) ‘right to be forgotten’.[7] Each state also offers some version of an opt-out model for third-party sales.[8] Perhaps most contentious is California’s private right of action, allowing individuals to sue companies for data collection violations.[9]

This fragmented framework means companies that store user data need even more diligence around data governance practices to ensure compliance with each state’s rules and regulations. Further, several new state laws now bring increased penalties for non-compliance.[10]

Agency-Level Data Privacy

In addition to cyber regulation, there is a larger data privacy and security conversation happening across federal agencies. The FTC has a renewed interest in the data privacy conversation. In 2022, the FTC posted an advance notice of proposed rulemaking (ANPR) that asked for comments on implementing new rules for how companies collect, store, share, or otherwise profit from data in deceptive ways.[11] While recognizing the importance of data privacy, industry leaders questioned the efficiency and constitutionality of the proposed one-size-fits-all rulemaking. However, the Supreme Court’s decision in West Virginia v. EPA to limit agencies’ power to regulate politically or economically significant matters (termed ‘major questions’) could be used to block the FTC’s ANPR as it focuses on the ‘major question’ of data privacy.[12]

Regardless, this proposed rulemaking is the closest thing to standardized data privacy practices in the U.S. without the passage of a federal law. Companies will potentially have to grapple with the FTC’s authority, meaning the time to prepare is now.

Take Action Today

Industry leaders know privacy compliance and communications preparedness are the key to success in this evolving privacy and data protection landscape. Companies with a stake in the game should plan their strategy accordingly. With a detailed and research-driven communications plan, organizations gain an opportunity to position themselves as adaptive and informed data stewards. Without proper guidance, companies run the risk of a reputational crisis.

Here are a few key strategies for companies to prepare:

Convene the Right Parties: Data privacy should be an ongoing cross-functional conversation. Establish consistent connectivity between all teams when discussing data privacy – legal, privacy, marketing, communications, technology, security, and HR. This way compliance programs are informed by a well-rounded perspective – and organizations aren’t caught scrambling when regulations change.

Communicate with Care: Much of today’s regulation represents changing consumer sentiment: users are increasingly thoughtful about how their data is being used. Privacy policies, security mission statements and data-sharing notices should concisely answer the question both users and regulators are asking: why are you storing this data? Messaging should come from a trusted source and reflect each stakeholder’s unique data concerns before, during, and after a data privacy incident. This is the opportunity to convey how your organization truly cares about privacy and data protection.

Treat Data Privacy Differently Than Cybersecurity: Administering an employee phishing test does not check the box for data privacy preparedness. Ensure your employees know the unique ways data privacy regulations impact their work through tailored internal communications and preparedness exercises[13] that specifically address privacy considerations appropriate for each jurisdiction.

Regardless of how regulation develops in 2023, all organizations that store personal data should have a narrative ready to defend their practices and showcase their commitment to better security. Those without a plan will be left behind.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com

[1] Jonathan M. Gaffney, Eric N. Holmes, Chris D. Linebaugh, “Overview of the American Data Privacy and Protection Act, H.R. 8152,” Congressional Research Service (August 31, 2022), https://crsreports.congress.gov/product/pdf/LSB/LSB10776

[2] Nichole T. Lee and Darrell M. West, “What to expect from a GOP House majority on big tech, broadband, China, and 5G,” Brookings (January 23, 2023), https://www.brookings.edu/blog/techtank/2023/01/23/what-to-expect-from-a-gop-house-majority-on-big-tech-broadband-china-and-5g/

[3] Joseph Duball, “Pelosi opposes proposed American Data Privacy and Protection Act, seeks new preemption compromise,” International Association of Privacy Professionals (September 6, 2022), https://iapp.org/news/a/pelosi-rejects-proposed-american-data-privacy-and-protection-act-seeks-new-compromise/

[4] Daniel Castro, “A Review: The American Data Privacy and Protection Act,” Government Technology (June 13, 2022), https://www.govtech.com/policy/a-review-the-american-data-privacy-and-protection-act

[5] Sam Sabin, “States’ long-awaited data privacy laws are going into effect,” Axios (January 3, 2023), https://www.axios.com/2023/01/03/states-data-privacy-laws-2023

[6] Theodore P. Augustinos and Alexander R. Cox, “U.S. State Privacy Laws in 2023: California, Colorado, Connecticut, Utah and Virginia,” Locke Lord (December 2022), https://www.lockelord.com/newsandevents/publications/2022/12/us-state-privacy-laws-2023

[7] Paul Lanois, “New data privacy laws in various US states: are you ready?,” Financier Worldwide (January 2023), https://www.financierworldwide.com/new-data-privacy-laws-in-various-us-states-are-you-ready

[8] Bart Huffman, Wendell Bartnick, Haylie Treas, “USA: Practical considerations for meeting opt-out requirements under US state privacy laws – Part one,” OneTrust DataGuidance (December 2022) https://www.dataguidance.com/opinion/usa-practical-considerations-meeting-opt-out

[9] “The Rise of Privacy Litigation in California,” Baker Botts (June 6, 2022) https://www.bakerbotts.com/thought-leadership/publications/2022/june/the-rise-of-privacy-litigation-in-california

[10] “Global Data Privacy & Security Handbook,” Baker McKenzie (December 31, 2022) https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/united-states/topics/penalties-for-non-compliance

[11] “FTC Launches Commercial Surveillance and Data Security Rulemaking, Holds a Public Forum, and Seeks Public Input,” Gibson Dunn (September 27, 2022) https://www.gibsondunn.com/ftc-launches-commercial-surveillance-and-data-security-rulemaking-holds-a-public-forum-and-seeks-public-input/

[12] “The FTC’s privacy rulemaking: Risks and opportunities,” International Association of Privacy Professionals (August 17, 2022) https://iapp.org/news/a/the-ftcs-privacy-rulemaking-risks-and-opportunities/

[13] Jena Valdetero, Rebecca Letourneaux, and Andrew Shaxted, “Strengthening Business Resiliency in a Time of Crisis; Data Privacy Strategy and IT Infrastructure Alignment,” FTI Consulting, Inc. (last accessed June 2023), https://www.ftitechnology.com/resources/videos/strengthening-business-resiliency-in-a-time-of-crisis-data-privacy-strategy-and-it.
