Every once in a while, the experts get it right. 2023 was widely predicted to be an inflection point for data privacy in the United States, the year when the issue finally achieved critical mass. It did not disappoint. New laws were passed, old laws were amended, and the pace is showing no signs of slowing in the coming year.

It’s easy to forget everything that’s happened in the last 12 months, so here’s a brief look back at the biggest developments in privacy in 2023.

Five New Laws Went into Effect

Even before the year began, it was clear there would be a lot of work to do to stay privacy-compliant in 2023. Five privacy laws that had already been passed were set to go into effect this year.

• California Privacy Rights Act, January 1, 2023

• Virginia Consumer Data Protection Act, January 1, 2023

• Colorado Privacy Act, July 1, 2023

• Connecticut Data Privacy Act, July 1, 2023

• Utah Consumer Privacy Act, December 31, 2023

While the California Privacy Rights Act amended the existing California Consumer Privacy Act, the other four laws were completely new. This means that multi-state privacy compliance finally became a reality in 2023.

Health Data Gets Extra Protection

Protecting the privacy of consumer health data became a big legislative priority in 2023. Following the Supreme Court’s Dobbs decision which overturned Roe v. Wade, there was concern that personal data that could reveal a person’s access to abortion services in states where it is legal could then be used as evidence in a criminal prosecution where abortion is illegal.

This may have been the initial impetus, but legislation like Washington’s My Health My Data Act and Connecticut’s SB 3 go much further than simply protecting data related to reproductive health. Under these laws, any data that identifies a person’s health condition or diagnosis receives extra protection (if it is not already covered by HIPAA). The Washington law is particularly broad and grants consumers a private right of action, so it’s likely to serve as the basis for many future lawsuits.

California Delete Act

Online privacy advocates hailed the passage of California’s Delete Act, which regulates data brokers operating within the state. Among other things, the Delete Act calls for the creation of an opt-out registry for consumers by 2026, which will allow them to request the deletion of their personal data from all data brokers at once. Other states may join the effort in the future, but for now only California residents will be able to take advantage.

Record-Breaking GDPR Fines

Though official numbers are hard to find, total GDPR fines for 2023 are estimated to have exceeded 2 billion euros ($2,195,000USD), a dramatic increase over previous years. So who were the biggest winners?

1. Meta

With nearly €1.6 billion in GDPR fines in 2023 alone, Facebook and Instagram’s parent company is the leader by far. After losing a €1.2 billion case related to international data transfers, Meta shattered the record for highest single GDPR fine, which previously had been held by Amazon (€746 million in 2021).

On a side note, the decision against Meta appears to have spurred U.S. and EU officials to finally approve the Data Privacy Framework, an international agreement which allows for the lawful transfer of Europeans’ personal data to the United States.

2. TikTok

TikTok was no stranger to controversy this year. Besides drawing the ire and suspicion of U.S. lawmakers, the Chinese social media giant also racked up a €345 million fine for failing to properly handle the personal data of children. Despite having a minimum user age of 13, European regulators found that TikTok had failed to properly enforce that standard. The UK also got in on the action, levying its own fine of £12.7 million.

3. Criteo

The French ad tech company was fined €40 million this year for a number of GDPR violations, including for failure to properly gather consent and grant data subjects access to their personal data.

‍