United States: 6 Predictions, 6 Attorneys – Goodwin's 2023 Data, Privacy, & Cybersecurity Outlook

In honor of Data Privacy Week and as we kick off 2023, many of us are wondering what this year's hot topics and trends will be in the privacy and cybersecurity sector. How will the new Privacy Shield in the EU and UK effect data regulation? How will state privacy laws contribute to the uncertainty of regulatory efforts? Will California's updated privacy law cause a domino effect among other states? Will we see more regulation among the privacy rights of minors? What will businesses need to do to keep-up with the ever-changing requirements for their cybersecurity programs? Continue reading to gain insights on how Goodwin's Data, Privacy, & Protection team are thinking about these issues and more.

Lore Leitner: "In 2023, we should hopefully see the replacement Privacy Shield come through, which will significantly decrease the compliance burden at both sides of the Atlantic. Other than that, there is an increasing amount of data regulation on the horizon, in the EU and UK but also globally. To challenge things further, we will see a large increase in technologies such as AI and metaverse, which are difficult to regulate and monitor. Where the GDPR is concerned, I expect we will start to see more coordinated enforcement and a further increase in fines."

Boris Segalis: "My prediction is that the space will continue to be unpredictable demanding resources from companies to stay on top of developments and adjust their practices. It's not a great situation for businesses to be in, and this lack of certainty in the privacy space is persistent problem that's getting worse. State privacy laws will contribute significantly to this uncertainty as they draft regulations that are difficult to understand or implement – this is a typical issue with state level legislation. On the cyber side – as Jud and Kaylee I am sure will note – there are a ton of regulatory efforts to tighten cyber incident reporting requirements that will certainly force companies to disclose more and lead to more enforcement and litigation."

Omer Tene: "In 2023, expect to see a wave of enforcement actions under California's updated privacy law. Last summer, the California Attorney General sent a shot across the bow of adtech players, including publishers and advertisers. The stakes become higher as California's updated privacy law comes into force. In addition to California, other states- including Colorado, Virginia and Connecticut – are ramping up toward enforcement of their new privacy laws. And litigation will continue pursuant to Illinois' biometric privacy law, which provides a private right of action. 2023 is also the year when AI regulation, including a focus on algorithmic bias and discrimination, will become a mainstream issue for companies in a broad range of industries, including tech and life sciences, finance and education."

Jackie Klosek: "2023 will see regulators, legislators and litigants continuing to focus on privacy rights of minors. 2022 bore witness to strong FTC messaging on children's privacy rights, prominent investigations into social media companies for activities involving children and the proposal of a number of bills concerning children's privacy as well as the passage of the transformative California Age Appropriate Design Code Act. In the coming year, we will see these trends continue, while we also witness the virtual explosion of technological solutions to assist in the protection of the privacy interests of minors."

Jud Welle: In 2023, more organizations will come to recognize that their current multi-factor authentication solutions are inadequate to keep cyber threat actors out of their systems, leading to greater adoption of new authentication technologies. Companies seeking cyber insurance or contracts with sophisticated commercial and government clients will have to meet more exacting standards for the maturity of their information security programs."

Kaylee Bankston: "I anticipate there will be heightened scrutiny of businesses' cybersecurity programs in 2023, including with respect to cyber risk management and governance. Coupled with that, companies can likely expect a continued trend toward more prescriptive legal requirements for their cybersecurity programs – including technical controls – whether those requirements are imposed by specific legislation or effectively established through regulatory enforcement actions or litigation."

To learn more about Goodwin's Data, Privacy & Cybersecurity team, visit our website.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.