
What You Need to Know About GDPR, CCPA, and Data Privacy Laws in 2023

February 2, 2023 Dillion Roberts

It seems like every day there is another data privacy law being discussed in the United States. Currently, there are a handful of bills that have either been passed or are currently under consideration in several states, which makes it more vital than ever for organizations to develop comprehensive data privacy policies and strategies.

Staying in compliance with the ever-changing data privacy landscape can seem daunting and difficult, but it is an increasingly important task for all organizations, especially those that handle sensitive or personal information.

Data and sensitive information are becoming increasingly important to the continued development of communities and organizations involved in economic development. Because many economic development organizations are public entities (or public-private partnerships), they have an even higher level of responsibility and obligation to protect their stakeholders and the people whose personal information they aggregate.

In this article, we would like to give a brief overview of the data privacy landscape in the United States so that you can more easily understand what your organization faces in developing a data privacy protection policy.

New State Data Privacy Laws Are on the Rise

The goal of the state consumer data privacy laws passed in the last five years, such as the California Consumer Privacy Rights Act passed in 2018 and the Virginia Consumer Data Protection Act (CPPA) passed in 2022, is primarily to protect consumers from misuse of their personal data. Many of the state laws that have passed legislation used Europe and Canada’s General Data Protection Regulation (GDPR) framework as a foundation for their policies.

Camoin Associates’ ProspectEngage™ team stays up to date on all of these laws due to the nature of the service we offer, which identifies business visitors on our clients’ websites for business attraction and retention purposes.

We and Camoin Associates’ lead generation and prospecting team conduct outreach campaigns in international markets, which required our team to gain a comprehensive understanding of the GDPR, as well as US state laws.

Since 2018, the number of states considering consumer data privacy legislation has consistently grown from two states in 2018, 16 states in 2022, all the way up to 29 in 2022. Most of these bills were not passed, but as time goes on data privacy bills are more and more likely to be passed into law.

In 2023, new data privacy laws will go into effect in five states: California, Utah, Colorado, Connecticut, and Virginia. In addition to the laws that have already been passed by legislators, three states have introduced new data privacy bills this year, and 17 states have bills that are currently in the process of being passed.

A map showing states where data privacy legislation has been introduced, is in process, or has been passed and signed by governors in 2023

The animated image below gives us a visual understanding of data privacy laws being brought to legislation in the United States in 2018-2022.

Growth of State Privacy Laws Animated Infographic

Source: International Association of Privacy Professionals (IAPP)

How is the GDPR Enforced?

Compliance with these data privacy laws is being enforced more now than ever in places like Europe and Canada, with extremely stiff fines being levied against violators. Just last month, the GDPR’s European Union board pushed the country of Ireland to increase a fine against Meta (Facebook) from $30 million to $420 million for violating GDPR policies.

GDPR penalties are considered severe: regulators could potentially fine an organization up to 2% of its total global revenue, so it is clear that violating these laws can be extremely detrimental to an organization.

What Are the Major Areas of Focus of New Data Privacy Laws?

Data privacy and protection laws are generally organized into two major areas: Consumer Rights and Business Obligations.

Consumer Rights

The following are the main consumer rights that serve as a foundation for data protection laws, such as GDPR and CCPA:

  • Right to access: The consumer has the right to access the information or the categories of information that a company collects on individuals, as well as the information that is shared with third parties.
  • Right to correct: The consumer has the right to correct or update personal information stored by a company.
  • Right to delete: The consumer has the right to request the company delete personal information about them.
  • Right to opt out of certain processing: The consumer has the right to restrict a company from collecting certain types of personal information about them.
  • Right to opt in to sensitive data processing: The consumer has the right to opt in before any of their personal or sensitive information can be processed.

Business Obligations

The following are the main business obligations that a business must follow under data privacy and protection laws:

  • Opt-in default: A restriction requiring that the sale of personal information belonging to consumers under a certain age be opt-in by default.
  • Notice/transparency requirement: The requirement for a company to provide a notice to consumers about data practices and privacy practices.
  • Risk assessments: An obligation placed on a company to conduct risk assessments of its privacy and security procedures.
  • Prohibition on discrimination: Prohibits a company from treating a consumer who exercises their privacy rights differently than consumers who don’t exercise their rights.
  • Purpose/processing limitation: A restrictive guideline prohibiting the processing or collecting of personal information unless there is a specific purpose for processing that information.

There are other business obligations and consumer rights laid out in the various state and global data protection laws; however, those listed above cover the main sections of each.

Focus Growing on Data Privacy Policies for Organizations in 2023

Considering the number of new state laws being passed in recent years, it seems inevitable that we will soon have a federal-level data privacy law that governs the entire United States. Such a law would pre-empt individual state laws and make it easier for organizations to comply with data privacy requirements.

Rather than learning about each state’s laws, organizations would only need to focus on staying in compliance with federal law. However, we’re not there yet, so it is important that each organization assign a team or individual(s) to be responsible for staying informed about existing and new laws and educating their organization on the latest data privacy requirements.

Consulting and digital marketing firms are prioritizing data protection and privacy and making investments in staffing and digital tools to raise their level of expertise in the data privacy realm. For larger organizations, this amounts to bringing on new employees to be part of their data and privacy teams. For smaller organizations, this may not require adding employees, additional capacity, or new positions, but it does mean that these organizations need to take a hard look at their data privacy practices and formulate a strategy to comply with these new laws moving forward.

Many organizations are seeking external consultants who provide counsel or specific recommendations on what steps their organization must take to stay compliant with new data privacy laws. Companies like OneTrust or ServiceNow offer comprehensive platforms that will handle all data privacy compliance issues from the top down. Digital marketing platforms like HubSpot have built GDPR compliance into their software, which can be customized to fit your organization’s specific needs.

This type of external software and assistance may be necessary for many organizations, especially those that engage in a large amount of external marketing outreach, inbound marketing that involves collecting or using customer data, or handling information of a sensitive nature. The hard reality is that most economic development organizations are likely in need of either internal or external help formulating a comprehensive data privacy strategy.

With that in mind, I would like to offer some practical advice and specific solutions about common data privacy law topics and questions. These questions and topics are relevant to both public and private organizations regarding data privacy laws.

What Can You Start Doing Right Now to Ensure Compliance with Data Privacy Laws?

  • Conduct an information audit on the data you currently store about companies and individuals and determine who has access to that information.
  • Clearly define your legal justification for collecting someone’s information.
  • Provide a clear statement in your company’s privacy policy regarding your methods of data collection, as well as your legal justification for collection.
  • Encrypt and anonymize personal data whenever possible.
  • Identify a clear internal security process and policy, and educate all team members about the importance of the policy.
  • Designate someone responsible for GDPR compliance across your organization.
  • Sign a data processing agreement between your organization and any third parties who process personal data on your behalf.
  • Ensure that it is easy for consumers to request and receive all personal information of theirs that you have stored.
  • Make it easy for consumers to correct or update incomplete or inaccurate personal information.
  • Ensure consumers can easily request that their personal information be deleted.
  • Make sure you have clear and simple instructions on how a consumer can object to you collecting their data (most commonly done using cookie consent policies).

When Is It Okay for an Organization to Collect or Store Personal Data or Information?

The primary policy governing when it is okay to collect and store a person’s personal information is the concept of having a legal basis for data collection and/or storage. Here are a few examples:

  • The consumer gave you specific consent to process the data, such as opting into a marketing email list.
  • Processing or storing a person’s data is necessary to prepare or execute a contract between the consumer and an organization.
  • Specific data needs to be processed to comply with a legal obligation.
  • Processing the data is necessary to complete a task of public interest or part of carrying out an official function.
  • You have a legitimate interest to process a consumer’s data (the broadest and most flexible legal basis).

Are You Still Able to Send Emails to Companies or People in States or Countries with Data Privacy Laws in Place?

Yes, you can still send emails to prospects and companies. However, some very specific requirements must be met to remain in compliance with data privacy laws when you are sending external marketing emails, especially if they are considered “cold emails.”

  • You can’t simply send out a cold email to a random list of people or organizations. The targets you select for email outreach must be vetted very carefully, keeping in mind that you must have a legitimate reason to claim that the person or company you’re emailing would benefit from the subject of your email.
  • You should have a notice in your email or on your website (if you’re directing them to a landing page or your general website), that clearly states exactly what information you will be processing, what the purpose is, and how they can unsubscribe or be removed from your email list.
  • You should clearly state how the recipient can unsubscribe from any future emails and the method by which the recipient would be able to remove their data from your list or database. The unsubscribe link is the most common way to achieve this, along with messaging on the unsubscribe landing page regarding the way your data is used and instructions on how it can be removed.
  • You should also inform all visitors on your website that you use cookies (which you should already be notifying all visitors of).
  • Your data privacy policy should be easy to understand and written in clear, concise language and made available on all websites and social media accounts.

How Camoin Associates is Handling These Rapidly Changing Data Privacy Laws

Camoin Associates’ lead generation and website identification tool, ProspectEngage™, tracks website visitation and provides enhanced data about those visitors, so we have conducted thorough research into how these laws impact our digital marketing practices, as well as those of our clients.

We do not provide legal advice; however, we do provide clients with guidance on how our ProspectEngage™ service would interact with their website and affect their website visitors’ experience. We can also provide recommendations about the language they should use in their website’s privacy policy or cookie consent policy related to ProspectEngage™.

Camoin Associates has updated both its cookie consent policy and its privacy policy to ensure we are meeting the requirements of new data privacy laws. We have also conducted thorough research on this subject in order to launch business attraction outreach campaigns for our clients in international markets. Our team has also developed a strategy to conduct business attraction outreach to high-level corporate executives while remaining fully compliant with GDPR and other data privacy laws.

Please reach out to us to find out more about how we have been able to navigate data privacy law changes when it comes to specific services, such as lead generation, ProspectEngage™, social media marketing, and business attraction and retention.

Additional Reading: