all contain provisions prohibiting the use of dark patterns, especially in the context of obtaining consumer consent.
Finally—as has been the trend for years now—federal lawmakers attempted, but were ultimately unsuccessful, in enacting a comprehensive federal consumer privacy regulatory framework that would apply uniformly across all 50 states.
What to Expect in 2023
Companies should expect a few additional wrinkles to the privacy legal landscape in 2023, along with several key areas of enforcement focus by state and federal regulators.
First, a strong likelihood that addi- tional state consumer privacy laws will likely be enacted over the course of 2023. As of the end of January 2023, a total of 10 states—Indiana, Iowa, Kentucky, Massachusetts, Mississippi, New Jersey, New York, Oklahoma, Oregon, and Tennessee—have already introduced consumer privacy bills modeled after the CPRA and similar statutes. If successful, these legislative proposals will add even greater complexity to the growing patch- work of legal obligations— which has already expanded tremendously over the last two years—that businesses will be required to satisfy when collecting and using personal data.
While Ohio introduced its own consumer privacy bill in 2021, the Ohio Personal Privacy Act (“OPPA”), Buckeye State lawmakers have not been active in pursuing any additional privacy legislation since that time. With that said, given the significantly increased concerns shared by the general public and lawmakers alike regarding the privacy and security of consumer personal data vis-à-vis 2021, it is reasonable to posit that new privacy legislation may be introduced in Ohio this year.
Second, companies are likely to face sizeable compliance challenges with respect to the five consumer privacy stat- utes set to go into effect during 2023. While these laws all share common privacy principles—including consumer rights relating to access, correction, dele- tion, and opt-outs—each also contains their own unique nuances, which poses
significant burdens for broad, comprehen- sive compliance. Moreover, regulations designed to assist in the implementa- tion of the California Privacy Rights Act (“CPRA”), Colorado Privacy Act (“CPA”), and CTPA are set to be finalized this year, which will create additional compliance hurdles for companies that spent much of 2022 making modifications to their privacy compliance programs in prepara- tion for these laws to go into effect during 2023.
Third, lawmakers will pursue legis- lation that extends beyond general consumer privacy, particularly in chil- dren’s online privacy. Of note, the success seen by California in its enact- ment of the AADCA in 2022 will likely inf luence state legislatures in other parts of the country to try their hand in pursuing their own children’s privacy bills modeled after the AACDA. In fact, three states—Connecticut, New Jersey, and Oregon—have already followed suit with the introduction of AACDA copycat bills in January 2023 alone. Of note, if enacted, these AACDA copycat laws would require many businesses that have not had to consider compliance with children’s privacy laws to build out comprehensive privacy compliance programs. This is necessarysatisfy the unique requirements and limitations imposed by this new type of privacy regulation, due to the broad applicability of AADCA-type laws to many general-audience internet websites and online/mobile applications. Addition- ally, at the federal level, the FTC is likely to continue its enhanced efforts at policing improper online children’s privacy prac- tices that run afoul of COPPA.
Finally, a reasonable likelihood exists that additional biometric privacy statues modeled after the draconian Illi- nois Biometric Information Privacy Act (“BIPA”) may be enacted in 2023 as well. This is especially so given the sustained negative news coverage throughout 2022 which highlighted improper and controversial uses of facial recognition technology.
Importantly, the negative publicity garnered by facial biometrics served to significantly raise the level of awareness— and degree of concern—regarding the
improper collection and use of all types of biometric data by consumers, privacy advocates, and lawmakers alike.
As of the end of January 2023, Mary- land, Mississippi, and New York have all introduced legislation focused exclusively on the use of biometrics, with more states likely to follow suit throughout the course of this year. Of note, all three 2023 bills utilize a private right of action as their sole enforcement mechanism, presenting the risk that, if enacted, these laws could bring the tsunami of class litigation generated by BIPA to other parts of the country. More- over, the bills introduced by Maryland and Mississippi also contain unique provisions normally confined to broader consumer privacy statutes, which would necessi- tate wholesale changes to the compliance programs of entities that utilize biometrics in those jurisdictions if enacted.
Practical Compliance Advice: What to Do Now
Importantly, Ohio businesses—espe- cially those organizations that maintain operations both within and outside the borders of the Buckeye State—should not wait for new privacy laws to be passed, but instead should take proactive steps to formalize and build out their privacy compliance programs at this time. This can be achieved by implementing the overarching privacy principles that are common threads in today’s privacy regu- lation, including privacy policies, notices, consents, procedures for satisfying consumer rights requests, and “reason- able” data security measures.
Ultimately, for all organizations that currently utilize personal data—or are considering doing so in the future—the best course of action is to speak with experienced counsel to determine the necessary policies, procedures, and prac- tices that need to be in place to satisfy the full range of current and anticipated privacy compliance obligations and prop- erly manage potential risk.
Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. He is also the chair of the CBA’s Cybersecurity & Data Privacy Practice Group.
 THE REPORT | March/April 2023 | CincyBar.org
9