3 Major Happenings in the World of Privacy for 2023

Estimated Reading Time: 8 minutes
January 30, 2023
Three Major Happenings in the World of Privacy for 2023

First things first: Happy Data Privacy Day 2023! We hope you consent to having some fun this year!

As we celebrate Data Privacy Day 2023, there is no shortage of news happening in the privacy world. From large fines (although not large enough according to some) being levied in Europe to new privacy legislation being introduced in state chambers across the United States, it is hard as a marketing professional to differentiate the signal from the noise. Here we outline the three main happenings in the world of privacy to keep an eye on in 2023.

U.S. Privacy Regulations

2023 is the year of privacy in the United States. At the state level: 

Meanwhile, a greater emphasis is being placed on the need for cohesive privacy legislation, with the American Data Privacy and Protection Act sitting in Congress and President Joe Biden calling for federal legislation in an op-ed published in the Wall Street Journal in January. 

This fragmented state of privacy in the United States can lead to tons of operational confusion—where to even begin? The important thing to understand is that privacy requirements are no longer a “European problem”—it’s time to take all of your consumer’s privacy seriously regardless of where your business is located. 

To begin with, there are some consistent themes across the current U.S. State regulations that can be used as a foundation for your operational plans. We covered these in our U.S. State Privacy Regulation Roundup at the end of 2022. Focus on the needs for transparency, opt-out rights, and access/deletion to start. The precursor to all of this is understanding what data is collected, how it is used, and where it flows. If you haven’t already, it’s high time for an audit of the marketing and analytics data practices at your organization.

Fallout from Irish DPC/EDPB Decision on Meta

While the year started with new privacy regulations in the United States, it kicked off with large GDPR enforcement decisions against Meta—390 million Euros for violations on Facebook and Instagram and 5.5 million Euros for violations on WhatsApp. While you may be thinking “well of course Meta is being targeted for privacy violations,” it’s important to note the key findings and ensure your company won’t be next. Many insights can be found in the EDPB’s binding decision regarding the cases in question, but three big take-aways are critical to understand and applied to your organization:

1. Make sure you have a valid lawful basis of processing for actions being taken with personal data

Central to the decision against Meta was the question of the lawful basis for processing users’ personal data for the purpose of behavioral advertising. Meta included this condition within the terms of service required to access and use the platform, relying on “contractual necessity” as the lawful basis for processing the data. The authorities found that advertising was not the core function of the service so it was not contractually necessary to process data in this way to provide the service to the user. Therefore, the processing of users’ personal data was found to be unlawful under GDPR. 

The key takeaway here is that you must ensure you have a valid lawful basis for all processing activities involving personal data. Be specific about what data is being collected and for what purpose. Ensure that for each of those identified purposes you have a valid lawful basis. As a quick refresher there are six lawful bases for processing available, with consent and legitimate interest being the primary ones used for advertising purposes. All lawful bases are well summarized in this resource from the IAPP. 

2. Revisit and update your data disclosures

Another finding was that Meta was not fully transparent about the data being processed and the purposes for which it was being processed. Further, if not being fully transparent then there could not be an expectation that people would understand the contractual requirement they claimed justified the processing behavior. 

The key for your organization is to revisit your disclosures to ensure what personal data is collected, why it is processed, and that the lawful basis for the specific processing purpose is specific and clear to the user. This should all be done in an organized and understandable manner. No longer can you use catch-all terms like “we may collect this information to advertise to you”; you must be specific about what information is being collected and how you are using it to advertise to the user. 

3. Consider the concept of “fairness” when making decisions about the necessity and outcomes of processing activities 

The concept of “fairness” is embedded in the GDPR through things like the “balance test” requirement when using legitimate interest as a lawful basis for processing. In this process, you must balance the value derived from the processing of a user’s personal data (value both for the business and the user) against the risk of harm to the user resulting from the same activity. This decision takes on the concept of fairness in a broader context. 

Is it fair to expect a user to understand what they are agreeing to in the scenario of consent or contract acceptance? Is the processing activity itself fair with respect to the outcome for the user? These are the types of questions you need to be asking about any processing activity and outcome which relies on personal data. Simply take off the advertising cap for a second and think, “if I explained this to a typical user, would they consider it fair?” This process can go a long way in ensuring you’re on the right path for compliance.

Progress in the Privacy Sandbox

With Google’s currently stated date for the phasing out of third-party cookies in Chrome still set for the second half of 2024, many eyes are shifting to the Privacy Sandbox initiatives meant to preserve advertising use cases in the cookieless world. As Google progresses in these initiatives, more organizations are beginning to test activation via the Topics API and FLEDGE. Both of these solutions are expected to be generally available in the second half of 2023. 

The Privacy Sandbox has not progressed without headwinds, however. On January 15, the w3c (web standard board) group responsible for reviewing the Topics API came to the conclusion that “the proposed API appears to maintain the status quo of inappropriate surveillance on the web, and we do not want to see it proceed further.” Concerns raised were related to the lack of true privacy-preserving protection, as well as the stated positions from WebKit (Safari) and Mozilla (Firefox) that they have no intention of adopting the solution. Varying browser support would result in fragmented browser standards and challenges for the application ecosystem. Google disagrees with the board’s assessment and has vowed to continue developing the solution. 

So where does all of this leave us on this Data Privacy Day 2023?

  1. A more private web is coming!
  2. U.S. regulations are on the rise with the prospect of a full federal standard on the horizon.
  3. Learn from the sins of others! Check your disclosures, verify your lawful bases, and make sure you are being explicit, transparent, and fair with your users.
  4. Technology to support a web without third-party cookies is progressing, but it’s not going to be a silver bullet. Focus on the fundamentals and meaningful relationships with your consumers.

Interested in more data privacy analysis throughout the year?

Stay connected and talk to us! We're the experts, after all.

Author

  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

    View all posts
Last Updated: January 30, 2023

Get Your Assessment

Thank you! We will be in touch with your results soon.
{{ field.placeholder }}
{{ option.name }}

Talk To Us

Talk To Us

Receive Book Updates

Fill out this form to receive email announcements about Crawl, Walk, Run: Advancing Analytics Maturity with Google Marketing Platform. This includes pre-sale dates, official publishing dates, and more.

Search InfoTrust

Leave Us A Review

Leave a review and let us know how we’re doing. Only actual clients, please.