Each year brings new advancements, both in the technologies consumers use and in the laws and regulations imposed on those technologies to protect customer data. 2023, of course, is no exception.
However, reporters well-versed in data privacy and security have noted a distinct and profound shift in recent years. While traditionally, privacy protections have been rooted in a “harms-prevention-based” approach, today, under the “rights-based” approach of the EU’s General Data Protection Regulation (GDPR) and similar regulations, individuals have been empowered as the legal owners of their personal data.
This shift to protect an individual’s right to decide how their data can be used, and who has access to it, will only expand in the years to come.
In this post, we’ll summarize what consumer brands can expect from data privacy protections in 2023 and beyond, including:
- New privacy laws and regulations going into effect this year
- The legal trends we’re seeing for mobile marketing channels
- The growing use of artificial intelligence (AI) and how the world is responding
- Quick takeaways on what these developments mean for your business
This article is designed to be a brief overview of 2023 data privacy, security, and compliance updates. For Iterable’s specific privacy and anti-spam policies, please visit our Trust Center.
Protection at Home: Updates to U.S. Regulations
Five U.S. states have new statutes going live in 2023:
- The California Privacy Rights Act (CPRA), effective Jan. 1, 2023, amends the California Consumer Privacy Act (CCPA) by creating a new state agency and adding rights to rectification, restriction, and sensitive personally identifiable information (PII). These amendments will protect consumers’ rights to correct inaccurate data and limit the use and disclosure of the PII collected about them.
- The Colorado Privacy Act (CPA), and The Connecticut Data Privacy Act (CTDPA), both effective July 1, 2023, require controllers to conduct data protection assessments for each of their high-risk processing activities. The controllers these acts apply to include commercial businesses that are intentionally targeted to state residents and that either (1) control or process personal data of at least 100,000 consumers annually or (2) derive revenue from the sale of personal data of at least 25,000 consumers.
- The Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023, provides similar protections as other states but was amended in April 2022 to include a “right-to-delete” exception for businesses that obtained personal data from a source other than the consumer.
- The Utah Consumer Privacy Act (UCPA), effective Dec. 31, 2023, has a much narrower scope than other state statutes and favors businesses in its approach to consumer privacy. Controllers subject to the UCPA are not required to conduct risk assessments, recognize universal opt-out signals or grant Utah consumers the right to correct data inaccuracies.
Quick takeaway: With more states enacting consumer privacy protections, we expect the rest to follow suit, sooner or later. U.S. businesses should take a proactive approach to data privacy by aligning their processes to statutes that require the most transparency on behalf of customers.
Protection Abroad: Global Regulation at a Glance
A host of new privacy laws are expected around the world, so while this list is not exhaustive, these are the ones making major headlines:
- Canada’s Digital Charter Implementation Act, Bill C-27, expected to become federal law in 2023, creates an enforcement regime and recommends penalties reaching the higher of $10 million CAD or 3 percent of an organization’s previous year’s gross global revenue.
- India’s Digital Personal Data Protection Bill proposes data processors, called data fiduciaries, to obtain consumer consent and provide notice and purpose of data collection. It establishes a board to oversee compliance and impose penalties of up to 5 billion rupees.
- The EU-US Data Privacy Framework was signed via executive order by President Biden in October 2022 to provide a mechanism for the transfer of data across EU and U.S. borders. A determination is expected by the European Commission this year, and if approved, will become effective immediately.
Quick takeaway: Data moves much more freely than physical products, but its safety is just as important. These new global regulations often come with strict penalties, so it behooves brands to consult appropriate legal counsel regardless of where they’re headquartered.
Protection in Your Pocket: Mobile Data Privacy
While brands take a wait-and-see approach to the potential U.S. ban of TikTok, the battle of Big Tech continues as Google and Apple drive the final nails into the coffin of third-party cookies:
- Google’s Privacy Sandbox Beta is coming to Android early this year, which will provide new APIs that don’t use identifiers that track consumer activity across apps and websites. Users can see the topics Android has estimated they’re interested in and block any that aren’t relevant to them.
- In addition to kneecapping its competition with AppTrackingTransparency (ATT), Apple is rumored to be building a demand-side platform (DSP). This would further its advertising business and close off Apple’s products and services within its own ecosystem.
Quick takeaway: These technological advancements don’t necessarily mean that consumers’ data is better protected, but it will mean that walled gardens are getting exponentially steeper. To reach their audiences more effectively, brands will need to invest in personalization efforts using zero-party data.
Privacy Moving Forward: Regulatory Response to AI
With the meteoric rise of AI chatbots—like OpenAI’s ChatGPT—comes more legal and regulatory scrutiny of AI technologies. Here are the most significant developments from around the world:
- United States: While no federal legislation exists, the Biden Administration introduced the AI Bill of Rights in October, which contains five principles around building safe and effective systems, protecting against algorithmic discrimination, safeguarding data privacy, informing the public via notice and explanation, and providing alternative options. Additionally, 15 U.S. states and localities have proposed legislation concerning AI. New York City’s law to prevent AI employment bias became effective in January.
- European Union: In 2021, the EU introduced the Artificial Intelligence Act (AIA), which defines four levels of risk an AI technology could pose to a person’s health, safety, or fundamental rights: minimal (like spam filters), limited (like chatbots), high (like autonomous vehicles), and unacceptable (like government social scoring). The higher the risk level of an AI technology, the more rigorous it will be regulated by the AIA.
- China: In 2017, the Chinese government established a goal to become the world’s primary AI innovation center by 2030, with the core AI industry generating 1 trillion RMB, or approx. $154 billion annually. The country currently regulates how private companies use online algorithms for consumer marketing, and as of Jan. 10, 2023, prohibits the use of AI-generated media without clear identifiers, such as watermarks.
Quick takeaway: Legal and ethical concerns about AI tech exist in every corner of the globe, and time will tell how regulatory response will evolve. AI can be a powerful tool to develop smarter personalization strategies, but brands should seek solutions that provide a transparent, glass-box experience.
Regardless of what comes to pass in 2023, both your company and your customers deserve to know how AI-driven marketing technologies are deriving deeper insights and powering predictions.
If you’re looking to unpack AI beyond the hype, join Iterable’s executive team and CMOs from Strava, Gitlab, and Vimeo at Activate, both in-person in San Francisco and virtual next week. We’ll discuss what the next generation of the industry will hold for marketing teams and how to use AI to elevate our customer engagement game.
Excited about the next generation of AI technology? To learn more, register for Iterable’s Activate Summit and schedule a demo of our AI Optimization Suite today.