Marketers face a mishmash of privacy regulations in 2023. Will federal regulation help?

The news: New privacy regulations in California and Virginia kick off a year in which marketers will struggle to follow an increasingly confusing set of state rules—while closely monitoring ongoing efforts to pass a federal data privacy framework.

At the state level: After California became the first state to pass legislation giving consumers more access to and control over their personal information in 2018, its voters have strengthened their landmark law by adding significant data control mechanisms and establishing the first US state agency devoted to data privacy.

  • Now four more states have joined the crazy quilt of regulations. In addition to the California Privacy Rights Act going into effect on January 1, the Virginia Consumer Data Protection Act launched the same day. Similar privacy laws in Colorado and Connecticut will go into effect on July 1, while Utah's privacy law will go into effect on December 31.
  • Under these new laws, consumers typically have a right to access, update, delete, and opt out of having their personal information sold or processed for the purposes of targeted advertising and profiling.

The problems: These laws contain nuances that marketers need to take into account in their compliance plans, including different standards for handling consumer opt-out requests and how to manage sensitive information.

  • Companies will need to decide whether and how to establish a universal browser-accessible system that allows users to block the sale or use of their data for targeted advertising.
  • These opt-out signals prevent consumers from having to visit each website they engage with in order to stop the sale and sharing of their data, and California and Colorado regulators require businesses to abide by them.
  • However, marketers have expressed doubts about the viability of that strategy.

The solution? Congress made advancements toward enacting federal privacy legislation in 2022, with the House handily advancing the American Data Privacy and Protection Act in July. ADPPA would improve data protections for children and teenagers and halt algorithmic prejudice while giving consumers the ability to access, correct, delete, and prohibit the sharing of their personal information.

  • It might be difficult for Congress to build on last year's momentum to pass federal privacy legislation now that Democrats have retained control of the Senate and Republicans have a narrow House majority.
  • But if Congress couldn't get it done while one party was in power, are lawmakers really going to get it done under divided government? Privacy may be a topic that is sufficiently bipartisan for the parties to work on—but that’s a big may be.
  • Even if Congress can’t pass anything, marketers can’t forget the FTC’s willingness to step in and tighten privacy rules based on existing legislation, notes principal analyst Yory Wurmser.

Our take: Regardless of what happens federally, all five of the new rules that take effect this year will require marketers to engage with customers more openly, including in their privacy policies, which are intentionally long, complex, and confusing.

  • To make sure that they are properly handling and securing customer data, marketers will also need to reevaluate their vendor agreements and conduct data protection evaluations.
  • It’s only a matter of when, not if, major lawsuits will be filed against brands who don’t take these new laws seriously.