Every once in a while, the experts get it right. 2023 was widely predicted to be an inflection point for data privacy in the United States, the year when the issue finally achieved critical mass. It did not disappoint. New laws were passed, old laws were amended, and the pace is showing no signs of slowing in the coming year.
It’s easy to forget everything that’s happened in the last 12 months, so here’s a brief look back at the biggest developments in privacy in 2023.
Even before the year began, it was clear there would be a lot of work to do to stay privacy-compliant in 2023. Five privacy laws that had already been passed were set to go into effect this year.
While the California Privacy Rights Act amended the existing California Consumer Privacy Act, the other four laws were completely new. This means that multi-state privacy compliance finally became a reality in 2023.
Protecting the privacy of consumer health data became a big legislative priority in 2023. Following the Supreme Court’s Dobbs decision, which overturned Roe v. Wade, there was concern that personal data revealing a person’s access to abortion services in a state where it is legal could then be used as evidence in a criminal prosecution in a state where abortion is illegal.
This may have been the initial impetus, but legislation like Washington’s My Health My Data Act and Connecticut’s SB 3 go much further than simply protecting data related to reproductive health. Under these laws, any data that identifies a person’s health condition or diagnosis receives extra protection (if it is not already covered by HIPAA). The Washington law is particularly broad and grants consumers a private right of action, so it’s likely to serve as the basis for many future lawsuits.
Online privacy advocates hailed the passage of California’s Delete Act, which regulates data brokers operating within the state. Among other things, the Delete Act calls for the creation of an opt-out registry for consumers by 2026, which will allow them to request the deletion of their personal data from all data brokers at once. Other states may join the effort in the future, but for now only California residents will be able to take advantage.
Though official numbers are hard to find, total GDPR fines for 2023 are estimated to have exceeded 2 billion euros ($2,195,000USD), a dramatic increase over previous years. So who were the biggest winners?
With nearly €1.6 billion in GDPR fines in 2023 alone, Facebook and Instagram’s parent company is the leader by far. After losing a €1.2 billion case related to international data transfers, Meta shattered the record for highest single GDPR fine, which previously had been held by Amazon (€746 million in 2021).
On a side note, the decision against Meta appears to have spurred U.S. and EU officials to finally approve the Data Privacy Framework, an international agreement which allows for the lawful transfer of Europeans’ personal data to the United States.
TikTok was no stranger to controversy this year. Besides drawing the ire and suspicion of U.S. lawmakers, the Chinese social media giant also racked up a €345 million fine for failing to properly handle the personal data of children. Despite having a minimum user age of 13, European regulators found that TikTok had failed to properly enforce that standard. The UK also got in on the action, levying its own fine of £12.7 million.
The French ad tech company was fined €40 million this year for a number of GDPR violations, including failure to properly gather consent and failure to grant data subjects access to their personal data.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.