Additional anticipated changes to Privacy Legal Landscape
in 2023
Like the year before it, 2022 brought with it many noteworthy developments in data privacy that created significant compliance complexities and challenges for companies that leverage personal data in their day-to-day operations. Looking ahead, businesses should anticipate even more changes to the privacy legal landscape in 2023, especially in the absence of any progress by Washington, D.C. lawmakers in enacting a compre- hensive, federal privacy regulatory regime that would apply uniformly across all fifty states.
Moreover, as the scope of legal risk and liability exposure associated with the growing patchwork of privacy laws continues to expand at a rapid pace, Ohio businesses that utilize personal data—even those not subject to any privacy-related legal obli- gations at this time—should ensure they have the appropriate policies, practices, and protocols in place to mitigate the growing risks stemming from today’s ever-expanding web of privacy legis- lation and regulation, which is sure to broaden even further over the course of 2023.
2022 in Review
2022 was marked by the enactment of two additional compre- hensive consumer privacy statutes—the Connecticut Privacy Act (“CTPA”) and Utah Consumer Privacy Act (“UCPA”)—bringing the total number of states with comprehensive consumer privacy regulatory regimes that will take effect over the course of 2023 to five.
Another major highlight of 2022 was the enactment of Cali- fornia’s Age-Appropriate Design Code Act (“AADCA”)—new, first-of-its-kind legislation in children’s privacy. Modeled after the
U.K.’s Age Appropriate Design Code, the AADCA requires online companies that are “likely to be accessed by children” to satisfy a range of heightened privacy obligations, including (among other things) data protection impact assessments (“DPIA”) and the application of age-appropriate restrictions on children’s use of online products, services, and features. Of note, unlike the federal Children’s Online Privacy Protection Act (“COPPA”)— which imposes privacy obligations on companies in connection with children under 13—the AADCA’s compliance requirements apply to all minors under the age of 18. Effective in July 2024, the AADCA allows for civil penalties on a “per effected child” basis of up to $2,500 for negligent violations of the law and $7,500 for intentional violations.
In addition, in 2022 legislators and regulators at the state and federal levels increased their focus on policing “dark patterns”— website design features used to deceive or manipulate users into behavior that is profitable for online services, but also harmful to users or contrary to their intent. Leading the way on policing dark patterns was the Federal Trade Commission (“FTC”), which issued a formal report analyzing how dark patterns “can obscure, subvert, or impair consumer choice and decision making and may violate the law.” The FTC, along with the Consumer Financial Protection Bureau (“CFPB”), also pursued several enforcement actions against companies for improper dark pattern prac- tices under the theory that those practices constituted unfair or deceptive acts or practices in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”) and the Consumer Finan- cial Protection Act (“CFPA”). At the state level, new consumer privacy statutes enacted by California, Colorado, and Connecticut
  8
THE REPORT | March/April 2023 | CincyBar.org
By David J. Oberly