2022 in Review: Privacy gains footholds in the US; EU continues to lead
2022 saw privacy truly take hold in the U.S., while Europe buttressed its position as the global leader and other regions worked to get up to speed with new or amended laws.
U.S. Privacy in 2022
Laws passed in 2021 and 2022 meant many U.S. companies spent the past year preparing for new privacy requirements that came into effect on January 1st in California and Virginia, with more to come out of Colorado and Connecticut in July, and Utah on December 31st. The new laws put new categories of personal data in scope (employee and B2B in California), bring new data subject rights, and GDPR-like processes, such as Data Protection Impact Assessments (DPIA). With California and Colorado expected to introduce additional requirements via Attorney General regulations, companies will likely need to further adapt their programs in 2023.
As states stitched together a patchwork of privacy laws, lawmakers in Washington, D.C. worked swiftly to introduce and revise landmark bipartisan, bicameral federal privacy legislation: The American Data Privacy and Protection Act (ADPPA). Alas, then-Speaker of the House Nancy Pelosi held the bill from vote due to its preemption of California’s law (as well as other state privacy laws), so the U.S. remains without a comprehensive federal privacy law. There is talk that the newly seated Congress may revisit it under Speaker Kevin McCarthy’s leadership, and if so, it could move quickly to pass. While comprehensive privacy remains elusive, children’s privacy may be more attainable in 2023, with two bills of note worth watching: Kids Online Safety Act (KOSA) and a bill to amend the 1998 Children’s Online Privacy Protection Act (COPPA 2.0).
2022’s final quarter saw major enforcement actions from the Federal Trade Commission (FTC), state Attorneys General, and the court system.
The FTC issued its largest-ever fine for violating COPPA, a combined $520 million, against gaming company Epic (maker of popular online game, Fortnite), for allegedly illegally collecting children’s personal information, using default settings that harmed young players and, in a separate settlement, using manipulative techniques (“dark patterns”) to compel players to make unwanted in-game purchases.
A coalition of 40 state Attorneys General marked the largest AG-led consumer privacy settlement, settling with Google for $391.5 million over its location tracking practices. The Attorneys General found that Google misled consumers about its location tracking practices starting in 2014, and that the company caused users to believe they had turned off location tracking in their account settings while it continued to collect their location information.
Lastly, Illinois’ Biometric Information Privacy Act saw its first jury verdict after a federal jury found that BNSF railway, operator of one of the largest freight railroad networks in North America, violated BIPA by collecting employee fingerprints without proper consent, resulting in a groundbreaking $228 million judgment.
International Privacy in 2022
The fourth quarter also saw movement in the enduring saga that is transatlantic data flow. With the first two EU-U.S. transfer mechanisms invalidated by the Court of Justice of the EU, the European Commission and its U.S. counterparts have been working to create a new legal framework that would end the uncertainty currently plaguing thousands of companies operating in the $6.2 trillion economy. In October, President Biden issued a long-awaited Executive Order mandating new legal safeguards over U.S. national security agencies’ access and use of personal data, and on December 13th, the European Commission published its draft adequacy decision for the EU-U.S. Data Privacy Framework.
By the end of 2022, the EU had cemented both the Digital Services Act and the Digital Markets Act, as well as marched out the text for its Artificial Intelligence Act, another piece of legislation expected to become a global standard. Australia, now holding the record for number of data breaches per capita, amended its privacy law to carry heavier penalties for data breaches. Australia’s Attorney General, Mark Dreyfus, remarked that 2023 would bring with it changes to the country’s outdated privacy laws. And India, which has been discussing comprehensive privacy for years, introduced a new bill, The Digital Personal Data Protection Bill, 2022.
What can we expect in 2023? Politics could scuttle comprehensive privacy in the U.S. once more, and if so, lawmakers are likely to focus on data-specific legislation, e.g., children’s data, location data, and reproductive health data. Despite that, it is now widely understood that consumer privacy has arrived in the U.S., and it will continue to expand with or without federal law. Additionally, many companies will be closely watching movement on the EU-U.S. Data Privacy Framework and the likely challenges it will face. Internationally, attention will spread to the APAC region as India works to pass its newly introduced law and Australia examines updating its privacy laws. And lastly, there will be a continued focus on introducing legislation to harness artificial intelligence.
About the Authors:
Emily Leach is the privacy director at Blueprint Technologies, overseeing privacy operations, creating content for the company’s privacy program management technology and consulting for businesses from Fortune 500 to SMBs. Emily has been working in data privacy for 15 years and holds CIPP/US and CIPP/E certifications from the IAPP.
Molly Hulefeld is a privacy analyst at Blueprint Technologies, supporting consultants and clients by tracking and reporting on changes in the privacy landscape globally. Molly creates content for the company’s privacy program management technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.