Taking Stock: The State of Data Privacy Law in 2023
As the cybersecurity landscape is ever evolving, so too are the laws and regulations surrounding it. To maintain compliance and avoid potential multimillion-dollar fines, hoteliers must stay aware of new data protection regulations.
Increasingly, many countries have enacted laws that expand consumer data rights. Laws have required consent before processing sensitive data, disclosure of the ways data is used, and opt-outs for its collection. By the end of 2023, Gartner Consulting predicts that 65% of the world population will have its data covered by modern privacy regulations—a huge increase from the mere 10% in 2020.
With so much at stake, VENZA is here to lend our cybersecurity expertise and keep you apprised of these latest laws and regulations. In this article, we’ll take stock of the regulatory landscape, give predictions about where the law may be headed this year, and provide our advice about how to prepare for potential changes.
U.S. Data Privacy Law
The United States is one of the few nations with no major overarching federal privacy legislation. While 2022 saw the American Data Privacy and Protection Act (ADPPA) introduced in Congress, it appears to have stalled without support in the Senate. This potential law would create national standards for personal data collection, as well as regulations for algorithmic marketing. However, analysts predict it will remain sidelined for the near future.
Because of federal inaction, U.S. data privacy law will remain primarily governed at the state level, where legislative activity has been prolific. Five states have privacy legislation set to take effect in 2023: California, Colorado, Connecticut, Utah, and Virginia. Five more have shown signs of future action, with legislation passing at least one chamber of their legislature: Florida, Indiana, Iowa, Oklahoma, and Wisconsin. As the 2022 midterm election saw many state legislatures flip to one party governance, it’s worth keeping an eye on Maryland, Massachusetts, Michigan, and Minnesota for signs of future action. You can readily track real-time updates using the IAPP State Privacy Legislation Tracker and their easy-to-use chart.
Legal commentators commonly refer to U.S. privacy law as a “patchwork.” Although most state laws share commonalities in that they seek to increase consumer rights while simultaneously requiring organizations to meet the highest applicable standard, there are dissimilarities. For example, opt-in and opt-out rights for digital advertising vary significantly state by state, with potential changes on the horizon as states finalize their rulemaking.
Given this, there are signs that this year may see meaningful progress toward regulatory convergence, with 2023 proposed to be a “pivotal milestone” in this push. Compliance costs caused by overlapping multi-state laws are already piling up and are expected to exceed $1 trillion in the next ten years. As such, it’s only a matter of time until states look to align their data security laws in order to prevent overregulation.
European Privacy Law
Europe has long been a global leader in the realm of data protection, highlighted by the keystone General Data Protection Regulation (GDPR). With the massive financial stakes for organizations found noncompliant, any movement regarding this regulation should receive significant attention from hoteliers.
The legislative juggernaut of the European Union looks to be accelerating its pace in 2023, with potential shifts in privacy laws looming on multiple levels.
In EU rulemaking, a number of laws are being considered, namely the Data Act, the Data Governance Act, and the ePrivacy Regulation. Whether any specific version will become law remains to be seen, but as a general trend, there is movement toward what analysts term a wide “data-view”. As part of this shift, rules will converge on regulating all data, rather than being limited to only personal data. This could include the transmission and collection of non-personal data at both the business-to-consumer and the business-to-business level.
At the European Court of Justice (ECJ), several pending rulings could impact how data privacy rules are implemented. In particular, it’s worth monitoring how the court interprets the standard for damages under the GDPR. If it decides that companies can be liable for violations even without a de minimis threshold of actual harm from the loss of data, it could “open the floodgates” to far greater GDPR litigation in the coming years.
There is the potential for regulatory action at the country level as well. In the UK, some predict that the Conservative majority may push for reforms to UK data protection law. With post-Brexit maneuvering, it remains to be seen how closely the UK will align with the data privacy position of Brussels.
In sum, 2023 should be an action-packed year on the European data privacy front.
How to Prepare
With so many significant changes and new laws on the horizon, unprepared organizations may struggle to keep their programs compliant. Acting early is critical. Let’s review a few steps to prepare for the coming changes.
1. Data Discovery and Mapping.
The first step is to understand how your organization collects, stores, and uses sensitive data. Building a strong foundation for compliance requires awareness of all areas of potential liability. The simplest and most common method is to complete a Privacy Regulation Readiness Assessment. Be sure to review contracts with third parties with whom you share data—as there can be liability for breaches occurring outside of your organization.
2. Establish an Information Security Policy (ISP).
Your organization should have a written policy that details how and when personal data will be collected, the duration it will be retained, and what measures will be taken to ensure its security. VENZA maintains a library of ISP templates that can get you started.
3. Implement a program to enhance privacy operations.
Work preemptively to improve your data protection methods. Take core steps to minimize data collection, address legacy and inactive records, add opt-out provisions for targeted advertising, and create consumer appeals processes for data collection decisions your organization takes.
Feeling overwhelmed? Don’t be. VENZA and CyberTek are here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.
Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
Take VENZA’s free Phishing Test to assess gaps in your human firewall today!
Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.
Disclaimer: In no event shall VENZA Inc. or its subsidiaries be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, consequential, incidental, indirect, economic, or punitive damages, business interruption, loss of business information, or other pecuniary loss) arising out of the use of this document, even if advised of the possibility of such damages.