Additional anticipated changes to Privacy Legal Landscape in 2023


Like the year before it, 2022 brought with it many noteworthy developments in data privacy that created significant compliance complexities and challenges for companies that leverage personal data in their day-to-day operations. Looking ahead, businesses should anticipate even more changes to the privacy legal landscape in 2023, especially in the absence of any progress by Washington, D.C. lawmakers in enacting a comprehensive, federal privacy regulatory regime that would apply uniformly across all fifty states. 


Moreover, as the scope of legal risk and liability exposure associated with the growing patchwork of privacy laws continues to expand at a rapid pace, Ohio businesses that utilize personal data—even those not subject to any privacy-related legal obligations at this time—should ensure they have the appropriate policies, practices, and protocols in place to mitigate the growing risks stemming from today’s ever-expanding web of privacy legislation and regulation, which is sure to broaden even further over the course of 2023.  

2022 in Review

2022 was marked by the enactment of two additional comprehensive consumer privacy statutes—the Connecticut Privacy Act (“CTPA”) and Utah Consumer Privacy Act (“UCPA”)—bringing the total number of states with comprehensive consumer privacy regulatory regimes that will take effect over the course of 2023 to five. 


Another major highlight of 2022 was the enactment of California’s Age-Appropriate Design Code Act (“AADCA”)—new, first-of-its-kind legislation in children’s privacy. Modeled after the U.K.’s Age Appropriate Design Code, the AADCA requires online companies whose products are “likely to be accessed by children” to satisfy a range of heightened privacy obligations, including (among other things) data protection impact assessments (“DPIA”) and the application of age-appropriate restrictions on children’s use of online products, services, and features. Of note, unlike the federal Children’s Online Privacy Protection Act (“COPPA”)—which imposes privacy obligations on companies in connection with children under 13—the AADCA’s compliance requirements apply to all minors under the age of 18. Effective in July 2024, the AADCA allows for civil penalties on a “per affected child” basis of up to $2,500 for negligent violations of the law and $7,500 for intentional violations.


In addition, in 2022 legislators and regulators at the state and federal levels increased their focus on policing “dark patterns”—website design features used to deceive or manipulate users into behavior that is profitable for online services, but also harmful to users or contrary to their intent. Leading the way on policing dark patterns was the Federal Trade Commission (“FTC”), which issued a formal report analyzing how dark patterns “can obscure, subvert, or impair consumer choice and decision making and may violate the law.” The FTC, along with the Consumer Financial Protection Bureau (“CFPB”), also pursued several enforcement actions against companies for improper dark pattern practices under the theory that those practices constituted unfair or deceptive acts or practices in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”) and the Consumer Financial Protection Act (“CFPA”). At the state level, new consumer privacy statutes enacted by California, Colorado, and Connecticut all contain provisions prohibiting the use of dark patterns, especially in the context of obtaining consumer consent. 


Finally—as has been the trend for years now—federal lawmakers attempted, but ultimately failed, to enact a comprehensive federal consumer privacy regulatory framework that would apply uniformly across all 50 states.

What to Expect in 2023

Companies should expect a few additional wrinkles to the privacy legal landscape in 2023, along with several key areas of enforcement focus by state and federal regulators. 


First, there is a strong likelihood that additional state consumer privacy laws will be enacted over the course of 2023. As of the end of January 2023, a total of 10 states—Indiana, Iowa, Kentucky, Massachusetts, Mississippi, New Jersey, New York, Oklahoma, Oregon, and Tennessee—have already introduced consumer privacy bills modeled after the CPRA and similar statutes. If successful, these legislative proposals will add even greater complexity to the growing patchwork of legal obligations—which has already expanded tremendously over the last two years—that businesses will be required to satisfy when collecting and using personal data.


While Ohio introduced its own consumer privacy bill in 2021, the Ohio Personal Privacy Act (“OPPA”), Buckeye State lawmakers have not been active in pursuing any additional privacy legislation since that time. With that said, given that concern among the general public and lawmakers alike regarding the privacy and security of consumer personal data has increased significantly compared with 2021, it is reasonable to posit that new privacy legislation may be introduced in Ohio this year.


Second, companies are likely to face sizeable compliance challenges with respect to the five consumer privacy statutes set to go into effect during 2023. While these laws all share common privacy principles—including consumer rights relating to access, correction, deletion, and opt-outs—each also contains its own unique nuances, which pose significant burdens for broad, comprehensive compliance. Moreover, regulations designed to assist in the implementation of the California Privacy Rights Act (“CPRA”), Colorado Privacy Act (“CPA”), and CTPA are set to be finalized this year, which will create additional compliance hurdles for companies that spent much of 2022 making modifications to their privacy compliance programs in preparation for these laws to go into effect during 2023.


Third, lawmakers will pursue legislation that extends beyond general consumer privacy, particularly in children’s online privacy. Of note, the success seen by California in its enactment of the AADCA in 2022 will likely influence state legislatures in other parts of the country to try their hand at pursuing their own children’s privacy bills modeled after the AADCA. In fact, three states—Connecticut, New Jersey, and Oregon—have already followed suit with the introduction of AADCA copycat bills in January 2023 alone. If enacted, these AADCA copycat laws would require many businesses that have not previously had to consider compliance with children’s privacy laws to build out comprehensive privacy compliance programs. This is necessary to satisfy the unique requirements and limitations imposed by this new type of privacy regulation, because AADCA-type laws apply broadly to many general-audience internet websites and online/mobile applications. Additionally, at the federal level, the FTC is likely to continue its enhanced efforts at policing improper online children’s privacy practices that run afoul of COPPA.


Finally, a reasonable likelihood exists that additional biometric privacy statutes modeled after the draconian Illinois Biometric Information Privacy Act (“BIPA”) may be enacted in 2023 as well. This is especially so given the sustained negative news coverage throughout 2022 that highlighted improper and controversial uses of facial recognition technology.


Importantly, the negative publicity garnered by facial biometrics served to significantly raise the level of awareness—and degree of concern—among consumers, privacy advocates, and lawmakers alike regarding the improper collection and use of all types of biometric data.


As of the end of January 2023, Maryland, Mississippi, and New York have all introduced legislation focused exclusively on the use of biometrics, with more states likely to follow suit throughout the course of this year. Of note, all three 2023 bills utilize a private right of action as their sole enforcement mechanism, presenting the risk that, if enacted, these laws could bring the tsunami of class litigation generated by BIPA to other parts of the country. Moreover, the bills introduced by Maryland and Mississippi also contain unique provisions normally confined to broader consumer privacy statutes, which would necessitate wholesale changes to the compliance programs of entities that utilize biometrics in those jurisdictions if enacted. 

Practical Compliance Advice: What to Do Now 

Importantly, Ohio businesses—especially those organizations that maintain operations both within and outside the borders of the Buckeye State—should not wait for new privacy laws to be passed, but instead should take proactive steps to formalize and build out their privacy compliance programs at this time. This can be achieved by implementing the overarching privacy principles that are common threads in today’s privacy regulation, including privacy policies, notices, consents, procedures for satisfying consumer rights requests, and “reasonable” data security measures. 


Ultimately, for all organizations that currently utilize personal data—or are considering doing so in the future—the best course of action is to speak with experienced counsel to determine the necessary policies, procedures, and practices that need to be in place to satisfy the full range of current and anticipated privacy compliance obligations and properly manage potential risk. 

Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. He is also the chair of the CBA’s Cybersecurity & Data Privacy Practice Group.