5 Privacy Law Questions for 2023

It’s a new year in privacy, and as usual, there are many things to watch. Here are 5 burning questions:

5. What will be the impact of the U.S. state privacy laws taking effect? The consumer privacy laws of California, Colorado, Connecticut, Utah, and Virginia all take effect this year.  Regulations are in process for several laws, including CA and CO.

Enforcement of the CCPA by the new California Privacy Protection Agency (CPPA) will commence this year. And the CCPA now applies to employee data. Exciting times! 

4. Will there be new U.S. state privacy laws? There were a number of bills in the states in 2022, but I think that the states took a pause because of the federal privacy bill, the American Data Privacy and Protection Act (ADPPA). Now that the ADPPA has fizzed out, the states might resume their onward march. 

New bills have been introduced in New York, Kentucky, and Tennessee. More will likely follow.

3. Will India finally pass a data privacy law? Maybe. Every year is purportedly the year. And this has happened year after year. I feel like Charlie Brown with the football on this one. 

2. What will happen in the EU? Last year, a new agreement was reached to patch cross-border data transfer after Schrems II: Schrems Strikes Back.  This new arrangement, the Transatlantic Data Transfer Framework, makes changes in the U.S. surveillance regime via executive order, and it revives the EU-US Privacy Shield. It is currently under review by the European Commission. Once finalized, it will surely be challenged by Schrems, and we’ll see what the European Court of Justice thinks in Schrems III: The Return of Schrems.  

In 2022, the UK said it would ditch its GDPR after enacting it a few years prior in an almost verbatim version to the EU’s GDPR. Noise about this seems to have quieted down given all the government upheaval. Maybe the UK has bigger fish to fry. Or, maybe we’ll see something this year. 

Will this be the year we finally see the ePrivacy Regulation enacted? It’s like waiting for Godot on this one.

Also, watch out for the AI Act, which might be enacted this year.

1. Will the U.S. pass a comprehensive data privacy law? Short answer: No.

Last year, Congress got fairly close to passing a comprehensive privacy law (the ADPPA). But it preempted state law, and it predictably met opposition from California policymakers who didn’t want to curtail the power of their state and was quietly killed.

I think that if a law is good, it doesn’t need preemption, but not many share my view – even many privacy advocates. It seems to be the new ineluctable truth that preemption must be the political price for a comprehensive law, but just a year ago, it was the ineluctable truth that a law couldn’t have a private right of action.

So, what will happen this year? Nothing. Although President Biden recently stated he wanted a law, I don’t think that this will move the needle. The U.S. House will be a clown show. I expect nothing serious to come out of the House this year. 

Read more privacy news on the blog at TeachPrivacy, my company that provides privacy and data security training to businesses, healthcare institutions, universities, and other organizations.

Join my free weekly email newsletter for more great privacy analysis, cartoons, whiteboards, events and resources.

Daniel J. Solove is a law professor at the George Washington University Law School and a leading international expert on privacy law. Learn more at TeachPrivacy.com. For education and events, check out the Privacy + Security Academy.