In 2023, publishers will face numerous data protection challenges arising from laws such as the GDPR and LGPD abroad and the CCPA at home, as well as new U.S. federal and state-level legislation. The federal and state privacy laws scheduled to go into effect in 2023 will require publishers to monetize their inventory while remaining compliant with the various online privacy laws in the U.S., so it’s critical that publishers stay up to date on the new federal and state laws.
Knowing the exact obligations detailed in privacy laws is the first step to incorporating privacy standards and avoiding violations. Most publishers have already updated their privacy and security policies to meet well-known privacy laws like the GDPR, the Children’s Online Privacy Protection Act (COPPA), and the CCPA, since violations may lead to extensive fines and penalties.
How many data collection laws are there in the U.S.?
Unlike in Europe, where the General Data Protection Regulation (GDPR) protects a wide variety of privacy rights, there is no single federal law that provides comprehensive privacy protection in the U.S. Instead, a variety of U.S. federal laws cover different types of data privacy and data security, as well as some types of consumer protection provided by the Federal Trade Commission, information collected by financial institutions, and the collection and use of data related to the federal government. For example, the Children’s Online Privacy Protection Act (COPPA) covers data privacy for children under 13, and the Health Insurance Portability and Accountability Act (HIPAA) defines protected health information, although some types of health information, like biometric data, are not covered by the law, nor does HIPAA expressly provide a private right of action. To date, however, no federal law covers all elements of privacy and security or how to prevent data breaches in the U.S.
Five states in the U.S. have passed significant state laws related to online privacy, data security, and data collection—California, Virginia, Colorado, Utah, and Connecticut. Other large states like New York, Florida, and Pennsylvania have yet to follow suit with similar data privacy laws and privacy policies. Therefore, companies operating in those states have more leeway in how they manage personal information.
California Privacy Rights Act (CPRA) on January 1, 2023
California has been the U.S. leader in data privacy laws, passing many laws that ensure privacy protections and set privacy policies for California residents and companies. The newest privacy law passed in California is the California Privacy Rights Act, also known as the CPRA. The compliance date for the CPRA is January 1, 2023, and once it goes into effect, the employee exception available under the California Consumer Privacy Act (CCPA) will no longer be valid. That means that California-resident employees, applicants, emergency contacts, beneficiaries, independent contractors, and members of boards of directors will have the same rights as other consumers with regard to their personal data, including access, correction, portability, and the right to request deletion of personal information collected by companies, service providers, and third parties. The California legislation has led the way for other online privacy laws in the U.S.
Virginia Consumer Data Protection Act (CDPA) on January 1, 2023
Virginia is the second state in the U.S. to enact a comprehensive consumer data protection act, following California. Like the California consumer data privacy legislation, Virginia’s data privacy law, the CDPA, aims to expand data privacy rights and consumer data protection for Virginia residents, supported by law enforcement. It includes various data privacy protections that must be implemented by companies, including the right to access, right of rectification, right to delete, right to opt out, right of portability, and the right against automated decision-making. It also expands the definition of personal information, adds a sensitive data category, and places obligations on data brokers and controllers, including data protection assessments.
Colorado Privacy Act (CPA) on July 1, 2023
Colorado was the third state in the U.S. to pass an expansive consumer data privacy law. The law requires that companies, third parties, and service providers offer clear privacy notices to customers about the use and disclosure of the data they collect. In cases with a “heightened risk of harm,” the data privacy law also requires them to conduct data protection assessments for any personal data processing. The CPA doesn’t stop there. It also gives consumers the right to opt out of personal data processing, including processing of biometric data, for targeted online advertising or for the sale of their personal data to data brokers.
Utah Consumer Privacy Act (UCPA) on December 31, 2023
Utah is the fourth state in the U.S. to enact online data privacy laws following California, Virginia, and Colorado. The Utah Consumer Privacy Act (UCPA) goes into effect beginning on December 31, 2023. It is similar to the internet data privacy laws passed in other states, but the UCPA law has a more business-friendly approach to online consumer privacy and the use of personal data than the online privacy laws passed in the other states.
Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA) on July 1, 2023
Connecticut is the fifth state in the U.S. to pass an expansive online privacy protection act that covers personal information. Most provisions in Connecticut’s privacy law will go into effect alongside the Colorado Privacy Act on July 1, 2023. The law applies to people and companies in Connecticut and protects personal information in ways similar to the data privacy laws passed in other states.
How to identify privacy risks
In order for publishers to protect their sites and platforms from a data breach and maintain data security on their sites or on any online service, it’s critical that they take the following actions to identify and mitigate risk:
- Audit third parties, SSPs, DMPs, and the ad server regularly to verify how data is collected and make sure that sensitive data and personally identifiable information are being handled according to the various internet privacy laws.
- Research any past data breach, see how it was handled, who the responsible party was, and how you can prevent it from happening in the future.
- Conduct regular audits of website vulnerabilities and make sure you have an effective system for breach notification.
- Work with third parties to do a thorough online Privacy Impact Assessment (PIA).
Prioritize Data Privacy in Your Advertising Practices
Publishers need a way to monetize their inventory while remaining compliant with the various online privacy laws in the U.S. These are some things publishers can do to advance a privacy-focused approach.
Use a Consent Management Platform (CMP)
A CMP makes it easier to manage personal data collection, maintain online privacy, and meet the requirements of the various state and federal laws by automating the consent process. CMPs can support the right to access and help boost transparency by informing users about the disclosure of personal information. Using a CMP, users can select the vendors with whom their personal data is shared, and even delete personal data if they choose.
Make Use of a Customer Data Platform
Publishers need to understand data collection in order to maintain online privacy on their sites and make sure that the data they collect isn’t being used inappropriately. Data mapping can be helpful, but it doesn’t give publishers a clear way to view unified records of user profiles. Customer Data Platforms (CDPs) make it easier to create a concise singular user profile and see how personal information is being used.
Stay up to date with new data privacy laws
As described above, privacy laws are constantly being added and updated, both federal privacy laws and laws passed by the various states in the U.S. Any law can have implications for companies that handle various types of data, so it’s important to stay on top of legal developments at both the state and federal levels.
Concise Documentation of Privacy Policies
Some privacy laws make documenting online privacy policies mandatory, and regardless of the law, it is always a good idea to have clear guidelines when it comes to handling sensitive data. A clear privacy policy shows users that you are committed to upholding data privacy laws on the internet and that you value their privacy. Given the dynamic nature of data privacy laws, it’s important for companies to update their privacy policies frequently.
Opt-out Options
The only way to meet the consent requirements of most privacy laws is to give users a way to opt out of sharing their personal data. Research shows that users are often willing to share their personal information to gain access to gated content or other rewards, but they don’t want their personal data to be used without their permission. In many cases, state laws and federal law require publishers to provide an opt-out as well.
Transparency is key here. It’s important for all companies to include a pop-up message or some type of notification on their websites that informs users how the company plans to use their personal data, what they will receive when they share it, the security measures in place, and a clear way to indicate that they don’t want to share personal information online.
Wrapping it up
Privacy laws to protect personal information are critical in today’s internet-based world. Although no single law applies to all companies, from financial institutions to health insurance providers, and the federal government has passed few federal laws to protect personal information, states are passing privacy and security laws that impact many types of companies, including publishers. Now is the time for publishers to take steps to make sure that they comply with the privacy laws that are scheduled to go into effect in the coming year.