Data privacy definitely ramped up globally in 2023. More regulations were passed, and consumers continued to become more savvy and concerned about access to and use of their personal data. The app industry started to take notice and realize that privacy compliance wasn’t an onerous legal requirement, but a potentially massive revenue opportunity.
Perhaps most notable, however, is that the impetus to achieve privacy compliance has started to shift: a greater push is now coming not from governments, but from businesses. Laws like the Digital Markets Act (DMA) will affect big tech companies like Alphabet, Facebook and Amazon.
Millions of businesses use those companies’ platforms and services to sell products, collect user data, advertise, and more. If the big tech companies are required to comply with DMA obligations, they will require third parties that rely on them for reach and revenue to comply as well. This hits a lot closer to home than, for example, headlines about “The Biggest GDPR Fine Ever!”
AI has also been an ever-present topic in 2023, with reactions running the full gamut from giddy excitement to alarm. It’s been good to see that people seem to be aware of and talking about the data privacy issues of AI training in particular, and laws to regulate AI development and use are already in the works. The EU should have its AI Act finalized in early 2024.
Let’s have a look at what was new and in the news in data privacy in 2023.
2023 in data privacy regulations and business
This year several long-awaited data privacy regulations came into effect, and many were passed that will come into force in the coming years. 2024 looks to become an even bigger year for regulation and enforcement, accompanied by increasing B2B expectations of businesses for their partners and customers.
Laws targeting big tech also got a lot of attention, and it will be very interesting to see how those play out in the market and what effects they have on competition and innovation. Regulation of AI, which also brings significant data privacy concerns, will continue to grow as well.
Let’s look at where new privacy laws were passed in 2023.
Data privacy in the United States
The United States passed more data privacy laws than any other country in 2023, but that’s because they are still passed state by state. To date the country still doesn’t have a federal-level data privacy law. 14 states of 50 (there’s also the District of Columbia, Puerto Rico, etc.) have now passed data privacy legislation.
California is the only state with two active laws, the California Consumer Privacy Act (CCPA) having come into effect in 2020 and the California Privacy Rights Act (CPRA) having come into effect in 2023.
40 US states introduced privacy legislation in 2023. In many cases these were repeat attempts. Eight states actually passed new data privacy laws, which their respective governors signed into law:
- Iowa Consumer Data Protection Act (ICDPA)
- Indiana Consumer Protection Act (Indiana CDPA)
- Tennessee Information Protection Act (TIPA)
- Montana Consumer Data Privacy Act (MTCDPA)
- Florida Digital Bill of Rights (FDBR)*
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Delaware Personal Data Privacy Act (DPDPA)
The laws in Montana, Florida, Texas, Oregon and Delaware come into effect in 2024. Iowa and Tennessee’s laws come into effect in 2025, and Indiana’s doesn’t come into effect until 2026.
*Florida is not always listed among states that passed “comprehensive data privacy laws”, as there are fairly significant restrictions to organizations it affects. It’s also called a “Digital Bill of Rights” and not a “Privacy Act”. For example, only companies with a billion dollars or more in revenue have to comply, and it targets companies operating app stores or digital platforms.
All of the US states that have enacted privacy laws to date have used an opt out consent model, which means that in most cases, users’ data can be collected without having to obtain their consent. This differs from the opt in or “prior consent” model used in many of the world’s data privacy laws.
Data privacy in Canada
Canada has not updated its federal data privacy law recently, as Bill C-11, which would have become the Consumer Privacy Protection Act, did not pass in 2021. PIPEDA, which is over 20 years old, remains in effect. In the province of Québec, however, the majority of the provisions of Law 25, which was passed in 2021, came into effect in September 2023. The law brings a variety of data privacy and protection requirements for organizations. A number of its provisions resemble privacy laws in Europe more than those in the US.
Data privacy in Switzerland
Switzerland already had a data privacy law, but it was 30 years old, so the Swiss Federal Data Protection Act (FADP), which came into effect in September, is a much-needed update. The FADP has some differences from the General Data Protection Regulation (GDPR). For example, consent or a legal basis is required in fewer instances. But the two laws largely align, as a major goal of the FADP is enabling the flow of business between Switzerland and the European Union, since Switzerland is not a member of the EU.
Data privacy in Saudi Arabia
The Saudi Arabia Personal Data Protection Law (PDPL) came into force after an amendment in September 2023. Compliance enforcement will begin in September 2024. The PDPL follows a prior consent model, and organizations that have achieved GDPR compliance will have done most of the work necessary to comply with the Saudi law.
Data privacy in India
India enacted the Digital Personal Data Protection Act (DPDP Act) in August 2023, replacing relevant provisions from existing laws from 2000, 2008 and 2011. The DPDP Act generally follows laws like the EU’s GDPR, and requires prior user consent for data collection in many cases, though “legitimate use” exceptions can be invoked.
EU-U.S. Data Privacy Framework
After being without an adequacy agreement since 2020, the EU and US came to an agreement on the EU-U.S. Data Privacy Framework in July. This framework helps to ensure data protection for international data transfers between the two regions. It brings seven core principles:
- Notice: informing data subjects
- Choice: choices for data subjects about processing their data (or declining)
- Accountability for onward transfers: required compliance with certain terms if data is transferred to a third party
- Security: reasonable protection measures
- Data integrity and purpose limitation: personal data must be kept accurate and can only be used for stated purposes and with consent
- Access: data subjects must have access to their data and be able to have it corrected and deleted (with some exceptions)
- Recourse, enforcement and liability: participating companies must implement robust recourse mechanisms for requests and complaints
Digital Services Act Package
The European Commission enacted the Digital Services Act (DSA) and Digital Markets Act (DMA), with some designations and provisions coming into effect in 2023, and more to come in 2024.
Digital Services Act (DSA)
The Digital Services Act (DSA) targets a wide array of digital intermediary services, particularly designated very large online platforms (VLOPs) and very large online search engines (VLOSEs) with 45 million or more monthly active users in the EU. The law imposes a number of strict requirements to address societal risks associated with the operation of these platforms. The Act aims to create safer digital spaces and protect users’ rights. It also assigns new responsibilities to VLOPs and VLOSEs for content published and protection and respect for user data.
Digital Markets Act (DMA)
The Digital Markets Act (DMA) primarily focuses on fostering a fair and competitive digital market in the EU, “leveling the playing field” so to speak. It includes provisions to enable smaller companies to better compete against dominant tech players, which it designates as “gatekeepers”: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.
The law requires more openness and transparency from the gatekeepers, giving smaller players access to more data about audiences and algorithms. Data portability requirements will also benefit consumers and be one of the changes that may help spur competition and innovation.
The DMA also introduces additional data privacy requirements. Some gatekeepers have already begun passing down privacy compliance requirements to third parties that use their platforms and services, e.g. Google requiring implementation of a certified consent management platform supporting the TCF 2.2 and Consent Mode.
Google’s certified CMP requirements
In 2023 Google initiated changes and made several announcements that will have significant effects on its customers’ operations. Beginning in January 2024, publishers and developers using Google AdSense, Ad Manager or AdMob must use a Consent Management Platform (CMP) partner that’s Google-certified and integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF).
This is required if they want to continue serving ads to users in the European Union (EU), European Economic Area (EEA) and/or the United Kingdom (UK). Usercentrics CMP is Google-certified and integrates the TCF 2.2 as well as Consent Mode v2.
Conclusions and what’s to come in 2024
A number of the laws passed in 2023 will come into effect in 2024, or enforcement will begin. This will no doubt cause a privacy compliance scramble for some organizations. Other companies will continue to evolve their data privacy strategies and solutions to maintain compliance as their tech stacks change and their businesses grow.
Several countries, Australia for example, have been working toward updating or passing data privacy legislation, and it is likely that work will conclude in 2024. It’s increasingly likely the ePrivacy Regulation will come into force in the EU next year as well. The United States gained momentum with state-level privacy laws this year, which we expect to continue, especially as more states table updated legislation.
The EU’s AI Act should be finalized by January 2024, and will be the first of its kind, likely to have significant influence on future similar regulations, much as the GDPR has had since coming into effect in 2018.
Business-centered laws like the Digital Services Act and especially the Digital Markets Act are expected to catalyze significant changes in European digital markets, which may well have strong global ripple effects not only on data privacy, but also on transparency, competition and innovation.
It’s an exciting time, and you don’t want to miss any news.
Sign up for our newsletter today to get all the latest from the data privacy space, as well as what’s new from Usercentrics and our partners.