The year 2023 will go down in history as marking the beginning of a profound shift in the philosophy underlying data privacy laws in the United States.

Historically, data privacy laws here have been rooted in a "harms-prevention-based" hodgepodge of privacy protections, seeking to prevent or mitigate harms in specific sectors. In contrast, under the broader "rights-based" approach exemplified by the European Union's General Data Protection Regulation (GDPR), individuals effectively own their personal information and thus presumptively have the legal right to control it, and who can use it is a matter for them to decide.

Following California's lead, four other states — Colorado, Connecticut, Utah, and Virginia — will begin enforcing new GDPR-inspired statutes in 2023. More states are sure to follow. The implications of this fundamental shift in the underlying philosophical framework regarding data privacy protection will be profound in the years and decades to come. 2023 will mark the shift.

The United States has historically allowed businesses and institutions to collect personal information without express consent, while regulating those uses to prevent or mitigate harms in specific sectors.

Illustrative examples include laws and regulations applying to the financial sector (e.g., the Gramm-Leach-Bliley Act (GLBA)), the medical sector (Health Insurance Portability and Accountability Act (HIPAA)), education (Family Educational Rights and Privacy Act (FERPA)), children (Children's Online Privacy Protection Act (COPPA)), and other sectors, at both the federal and state levels.

Statutes such as these create rules applicable to specific industries and types of institutions. These rules protect against and prevent misuse of certain categories of personal information. Consistent with their underlying philosophy of allowing collection and use of personal information while preventing harms, these rules impose restrictions on industries and institutions regarding their handling of personal information.

In contrast to this harms-prevention-based philosophy, countries in the European Union (EU) have long pursued a rights-based regime for protecting personal information. Historically this philosophy holds that data privacy is a fundamental human right. Individuals effectively own their personal information, and who can use it is a matter for them to decide.

This differing worldview of the right to privacy has roots in Europeans' historical experience in suffering through the infamous data collection of the Nazis, who collected and catalogued information regarding individuals' ancestry and affiliations (among other facts) and used it in committing atrocities. The enormity of these crimes against humanity was followed by the similar collection of data by the formerly communist East Germany's secret police. This tragic history resulted in the understandable necessity of regulating the collection, storage, and usage of personal information.

In 1970, the German state of Hesse enacted the world's first data protection law decades before the Internet and the World Wide Web became ubiquitous. In 1978, Germany adopted its Federal Data Protection Act. And in 1983, the German Federal Constitutional Court held that each person has a constitutional right to "informational self-determination."

With this historical background in Europe, and Germany acting as a leader in developing data privacy laws, by 2016, the EU recognized the need for a modernized approach to data privacy. This recognition arose in light of advancements in information technology and accelerating use of personal data in a globally interconnected world. Accordingly, the EU adopted the General Data Protection Regulation (GDPR). The GDPR, which became enforceable in 2018, codified several key principles reflecting the Europeans' human-rights-based philosophical foundation for data privacy protection.

Understanding the underlying principles codified in the GDPR is useful in understanding what is going on with the new data privacy statutes slated to go into effect in the coming weeks and months of 2023. The new laws coming online in 2023 in California, Colorado, Connecticut, Utah, and Virginia (and in the additional states likely to follow in their footsteps in the coming years) reflect the influence of GDPR's rights-based philosophical framework. These new laws represent a comprehensive approach to privacy protection, applying to businesses across numerous sectors, in addition to the sector-specific laws that remain in place.

GDPR distinguishes between "data controllers" and "data processors." Data controllers, as the name suggests, are the businesses and entities that control the collection and use of the data — the data controllers decide what to do with data. Data processors carry out the instructions provided by the data controllers. The obligations and responsibilities that apply to data controllers differ from those that apply to data processors. The new state data privacy laws adopt this same distinction and approach.

GDPR sets forth several rights of individuals with respect to their personal information. The specific rights that apply depend on the type of data, especially data deemed highly sensitive. Details among the U.S. laws differ, but basically the rights parallel those originally established in the GDPR.

These rights include the following:

  • Access — individuals have the right to request access to inspect their personal information.
  • Correction — individuals have the right to request that errors in their personal information be corrected.
  • Portability — individuals have the right to request that their personal information be transferred to another entity.
  • Erasure — individuals have the right to request that their personal information be deleted.
  • Consent — individuals have the right to decide whether their personal information may be sold or whether it may be used for purposes of receiving targeted advertising.
  • Appeal — individuals have the right to appeal a business's denial of their request.

In addition to providing for these rights for individuals (called "data subjects" in GDPR's parlance), GDPR lays out certain governing principles. These principles include the following:

  • Privacy or data protection by design — the data management system should be designed with privacy protection in mind (including data mapping, so you know what data are stored where, and the protections are appropriate to the level of sensitivity of the data).
  • Record-keeping — adequate records should be maintained regarding the collection, processing, and use of data.
  • Data minimization — personal information, especially that which is sensitive, should be kept, if at all, only long enough to serve its purposes. If the data aren't stored, then they can't be stolen by hackers in a breach.
  • Transparency, informed consent, and legitimate uses — personal information should be used with informed consent from the data subjects, in a way that is understandable to them, and only for legitimate uses allowed under law.
  • Data protection officers and data protection impact assessments — trained personnel should be monitoring compliance with privacy protection requirements, and data protection should be assessed using appropriate risk-management principles.
  • Best cybersecurity practices — data should be protected using best practices for cybersecurity to minimize the risks of data breaches, including appropriate physical as well as technological defenses.
  • Data breach notifications — in the event of data breaches, a tested incident response plan should be in place to ensure that appropriate notifications can be delivered in a timely manner under the different deadlines applicable under law.
  • Employee training — employees should be trained in privacy protection practices pursuant to well-designed policies, and employee access to sensitive personal information should be limited to mitigate risks.
  • Requiring appropriate contractual language — contract provisions regarding data and privacy protection should be used to ensure that vendors and contractors are also guarding against misuses and breaches of personal information.

The foregoing lists of rights and legal principles are not exhaustive; GDPR's 99 articles contain much more. But becoming familiar with them helps in examining the rapidly evolving data privacy laws in the U.S. and in anticipating the new ones to come.

Here is a list of the new state data privacy statutes slated to come online in 2023:

(1) Most of the provisions of the California Privacy Rights Act (CPRA) become effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, similar to data protection agencies in the EU countries charged with enforcing the GDPR.

(2) The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for "high-risk" processing.

(3) The Connecticut Data Privacy Act (CDPA), like Colorado's new privacy law, goes into effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for "high-risk" processing.

(4) The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights, and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.

(5) The Virginia Consumer Data Privacy Act (VCDPA) becomes effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the "right-to-delete" was replaced with a right to opt out from certain processing.

While these new state statutes are intended to be comprehensive in scope, they contain certain carve-outs for data already protected under other laws, such as HIPAA. The statutes vary with respect to their reach, based on businesses that hit certain revenue thresholds or based on the number of residents, consumers, households, or devices with data in the applicable state. Each statute is different and should be carefully analyzed as to its scope, requirements, potential liabilities and penalties, and its means of enforcement.

However, an understanding of what these new laws are getting at, and where they are coming from, will create a foundation from which to analyze and understand their requirements, and those from new laws yet to come. Data privacy laws in this country (and around the world) are changing more in 2023, and there will be no looking back.

Originally Published by Thomson Reuters

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.