{"id":6894,"date":"2022-11-23T11:38:33","date_gmt":"2022-11-23T17:38:33","guid":{"rendered":"https:\/\/board.org\/?p=6894"},"modified":"2026-01-30T00:51:15","modified_gmt":"2026-01-30T06:51:15","slug":"preparing-for-privacy-regulations-in-2023-advice-from-industry-experts","status":"publish","type":"post","link":"https:\/\/board.org\/dataprivacy\/resources\/preparing-for-privacy-regulations-in-2023-advice-from-industry-experts\/","title":{"rendered":"Preparing for privacy regulations in 2023: Advice from industry experts"},"content":{"rendered":"[vc_row type=&#8221;in_container&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; scene_position=&#8221;center&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overflow=&#8221;visible&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; column_element_direction_desktop=&#8221;default&#8221; column_element_spacing=&#8221;default&#8221; desktop_text_alignment=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_backdrop_filter=&#8221;none&#8221; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; column_position=&#8221;default&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/1&#8243; tablet_width_inherit=&#8221;default&#8221; animation_type=&#8221;default&#8221; bg_image_animation=&#8221;none&#8221; border_type=&#8221;simple&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221;][vc_column_text text_direction=&#8221;default&#8221;]\n<p><strong>Highlights:<\/strong><\/p>\n<ul>\n<li>Despite increased momentum, federal data privacy legislation is unlikely to come to fruition in 2023.<\/li>\n<li>Instead, enterprises will need to comply with a patchwork of five upcoming state laws.<br \/>\nThe new state laws actually have more commonalities than differences, but there are some important distinctions.<\/li>\n<li>Ultimately, these laws bring the U.S. closer to the European GDPR framework, and if your organization operates globally, it\u2019s beneficial to leverage the work that\u2019s already been accomplished.<\/li>\n<\/ul>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=&#8221;in_container&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; scene_position=&#8221;center&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overflow=&#8221;visible&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; column_element_direction_desktop=&#8221;default&#8221; column_element_spacing=&#8221;default&#8221; desktop_text_alignment=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_backdrop_filter=&#8221;none&#8221; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; column_position=&#8221;default&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/1&#8243; tablet_width_inherit=&#8221;default&#8221; animation_type=&#8221;default&#8221; bg_image_animation=&#8221;none&#8221; border_type=&#8221;simple&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221;][vc_column_text text_direction=&#8221;default&#8221;]\n<h2>Regulations in 2023<\/h2>\n<p>The argument to make privacy and data protection an organizational imperative has never been more clear as legislative action ramps up across the country.<\/p>\n<p>We\u2019re just months away from the implementation of five new U.S. privacy laws, each with slightly varied requirements and definitions:<\/p>\n<ul>\n<li><a href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\" target=\"_blank\" rel=\"noopener\">California Privacy Rights Act<\/a> (CPRA) \u2014 effective January 1, 2023<\/li>\n<li><a href=\"https:\/\/lis.virginia.gov\/cgi-bin\/legp604.exe?211+sum+SB1392\" target=\"_blank\" rel=\"noopener\">Virginia Consumer Data Protection Act<\/a> (VCDPA) \u2014 effective January 1, 2023<\/li>\n<li><a href=\"https:\/\/leg.colorado.gov\/bills\/sb21-190\" target=\"_blank\" rel=\"noopener\">Colorado Privacy Act<\/a> (CPA) \u2014 effective July 1, 2023<\/li>\n<li><a href=\"https:\/\/www.cga.ct.gov\/2022\/ACT\/PA\/PDF\/2022PA-00015-R00SB-00006-PA.PDF\" target=\"_blank\" rel=\"noopener\">Connecticut Data Privacy Act<\/a> (CTDPA) \u2014 effective July 1, 2023<\/li>\n<li><a href=\"https:\/\/www.cga.ct.gov\/2022\/ACT\/PA\/PDF\/2022PA-00015-R00SB-00006-PA.PDF\" target=\"_blank\" rel=\"noopener\">Utah Consumer Privacy Act<\/a> (UCPA) \u2014 effective December 31, 2023<\/li>\n<\/ul>\n<p>It\u2019s paramount that companies are in tune with these looming regulatory requirements to ensure they remain compliant and avoid hefty lawsuits and fines.<\/p>\n<p>How will these regulations impact your privacy program, and what do you need to know to guarantee you\u2019ve prepared your enterprise?<\/p>\n<p>Three data privacy leaders \u2014 <a href=\"https:\/\/www.linkedin.com\/in\/harrietpearson\/\" target=\"_blank\" rel=\"noopener\">Harriet Pearson<\/a>, Senior Counsel at Hogan Lovells, <a href=\"https:\/\/www.linkedin.com\/in\/mhintze\/\" target=\"_blank\" rel=\"noopener\">Mike Hintze<\/a>, Partner at Hintze Law PLLC, and <a href=\"https:\/\/www.linkedin.com\/in\/audrey-jean-579239\/\" target=\"_blank\" rel=\"noopener\">Audrey Jean<\/a>, Senior Vice President of Legal and Chief Privacy Officer at AARP \u2014 recently shared their expert advice with the Data Privacy Board during a <a href=\"https:\/\/wom.us\/3V3GLWv\" target=\"_blank\" rel=\"noopener\">panel on privacy regulations in 2023<\/a>.<\/p>\n<h2>Post-Mid-Term Election Insights<\/h2>\n<p>The Data Privacy Board panel discussion kicked off on November 9, the morning after the U.S. midterm elections, so panelists gave their predictions for what privacy legislation could look like on a national scale.<\/p>\n<p>There have been several failed attempts at instating a uniform national standard around data privacy. However, in June of 2023, a bipartisan draft bill \u2014 <a href=\"https:\/\/www.commerce.senate.gov\/services\/files\/6CB3B500-3DB4-4FCC-BB15-9E6A52738B6C\" target=\"_blank\" rel=\"noopener\">American Data Privacy and Protection Act<\/a> \u2014 was released.<\/p>\n<p>If enacted into law, it would provide a <a href=\"https:\/\/www.politico.com\/news\/2022\/06\/03\/bipartisan-draft-bill-breaks-stalemate-on-federal-privacy-bill-negotiations-00037092\" target=\"_blank\" rel=\"noopener\">national standard<\/a> on what data enterprises can gather from consumers and how they can use it, as reported by <a href=\"https:\/\/www.linkedin.com\/in\/kernrebecca\" target=\"_blank\" rel=\"noopener\">Rebbeca Kern<\/a>, POLITICO Tech Policy Reporter.<\/p>\n<p>\u201cThe bill released Friday includes agreement between Republicans and Democrats \u2014 for the first time \u2014 on two areas that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits,\u201d Rebecca wrote.<\/p>\n<p>With bipartisan backing and relative business backing, Harriet said the current iteration of this bill is the clear front-runner for federal privacy legislation. Yet, the contents of the American Data Privacy and Protection act could change following the <a href=\"https:\/\/rollcall.com\/2022\/11\/16\/republicans-secure-house-majority-but-it-will-be-a-narrow-one\/\" target=\"_blank\" rel=\"noopener\">Republicans flipping the house<\/a>.<\/p>\n<blockquote><p>\u201cMy prediction would be that the content of that front-runner bill is going to change, but there\u2019s still significant interest on a bipartisan basis for federal legislation.\u201d<\/p>\n<p><em>Harriet Pearson, Senior Counsel at Hogan Lovells<\/em><\/p><\/blockquote>\n<p>In part, Harriet explained how the momentum for a more uniform standard has been fueled by the upcoming state laws and the pain they will likely cause in terms of inconsistencies and enforcement actions.<\/p>\n<p>Despite this promising momentum, Harriet, Mike, and Audrey all agreed that any federal privacy action would be unlikely in 2023. Audrey added that she\u2019s operating under this assumption at the enterprise level.<\/p>\n<p>Mike agreed that the house flipping could significantly alter the dynamic. Additionally, he said, the potential for federal action has, in part, been held up by current legislation in California.<\/p>\n<blockquote><p>\u201cOne of the biggest issues is the preemption when we have all this state activity. There\u2019s a lot of momentum and a lot of reason to get behind a federal bill that would bring some rationality and consistency across the country,\u201d<\/p>\n<p><em>Mike Hintze, Partner at Hintze Law PLLC<\/em><\/p><\/blockquote>\n<p>Mike added, \u201cThat help got held up because of mainly California making a lot of noise saying that the federal bill shouldn\u2019t take away the rights that California has.\u201d<\/p>\n<h2>Key Takeaways on Upcoming Regulations<\/h2>\n<p>Without uniform data privacy standards, U.S. enterprises are left to tackle a patchwork of state legislation, which is no easy task.<\/p>\n<p>The looming question remains, should an enterprise enact umbrella terms and policies or attempt to set controls on a state-by-state basis? Furthermore, what are the implications of potentially providing certain protections, as required by state law, to some consumers and not others?<\/p>\n<p>Audrey said at AARP, the goal is to develop frameworks and processes that are as harmonized as possible.<\/p>\n<blockquote><p>\u201cI think every enterprise has to decide for themselves, which among the highest standards they\u2019re going to make universal in their program \u2014 versus picking and choosing. I think that depends a lot on your individual situations and how much data you have in every state.\u201d<\/p>\n<p><em>Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP<\/em><\/p><\/blockquote>\n<p>As part of this process, it\u2019s important for enterprise data privacy leaders to understand the key commonalities and differences between these state laws.<\/p>\n<p>Mike explained that Virginia, Utah, Connecticut, and Colorado share relative similarities as they were based on the same basic model proposed in Washington. He said California is a bit of an outlier but still, they all have more commonalities than differences.<\/p>\n<p>As <a href=\"https:\/\/wraltechwire.com\/2022\/11\/15\/cybersecurity-you-five-state-comprehensive-data-privacy-laws-and-counting\/\" target=\"_blank\" rel=\"noopener\">outlined by WRAL TechWire<\/a>, all five new laws include the following conditions and are roughly 85% identical:<\/p>\n<ul>\n<li>They include broad definitions of personal information.<\/li>\n<li>They include a new definition of Sensitive Information.<\/li>\n<li>They all include effectively the same broad data subject rights.<\/li>\n<li>They require detailed privacy notices and employee training.<\/li>\n<li>They require detailed recordkeeping and have an expanded Right of Opt-Out.<\/li>\n<li>They are only enforced by their Attorneys General and preclude a private cause of action for violations of the statute.<\/li>\n<\/ul>\n<p>At a high level, Mike said in terms of requirements and obligations, Connecticut and Colorado are a bit more robust while Utah is less stringent, and Virginia sits somewhere in the middle.<\/p>\n<p>Mike referred to Utah as the \u201cmost business-friendly\u201d and said, \u201cpeople shouldn\u2019t be losing sleep over Utah.\u201d<\/p>\n<p>California is often acknowledged as the strictest of the new data privacy laws, and Harriet said California\u2019s sunsetting of the exemption for employment data is a dynamic yet to be seen in the U.S.<\/p>\n<p><a href=\"https:\/\/www.polsinelli.com\/publications\/cpra-and-employee-data-what-businesses-need-to-know\" target=\"_blank\" rel=\"noopener\">An article by the Am100 law firm Polsinelli<\/a> states that the CPRA will eliminate the California Consumer Privacy Act\u2019s (CCPA) exemptions that applied to the processing of employee data. Under the CPRA\u2019s new obligations, state employers must prepare and provide a privacy notice to employees or job applicants at or before the time personal information is collected, among other requirements.<\/p>\n<p>Audrey said she thinks there will be a lot of eyes on how the CRPA plays out and enterprises will certainly want to prepare their colleagues in Human Resources and employment law.<\/p>\n<h2>Benchmarking with Other Privacy Leaders<\/h2>\n<p>Ultimately, the panelists agreed that each of the five upcoming laws brings the country closer to the European regulatory framework for data privacy. As a result, Audrey and Harriet advised leaders at global companies to find the pre-existing playbooks within their institutes.<\/p>\n<p>\u201cIf you have global operations and people have been dealing with this in Europe, leverage that work that\u2019s already been done because a lot of this is similar and can be aligned with General Data Protection Regulation (GDPR), particularly on the HR side,\u201d Harriet said.<\/p>\n<p>With so much change on the horizon, it\u2019s also beneficial to benchmark strategies with other enterprise privacy leaders. You can learn invaluable insights from leaders operating at similar enterprises among different industries, states, and nations.<\/p>\n<p>The Data Privacy Board is where senior enterprise privacy leaders can receive candid peer insights in a confidential and vendor-free setting.<\/p>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=&#8221;full_width_background&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; bg_image=&#8221;10232&#8243; bg_position=&#8221;left top&#8221; background_image_loading=&#8221;default&#8221; bg_repeat=&#8221;no-repeat&#8221; scene_position=&#8221;center&#8221; top_padding=&#8221;75px&#8221; bottom_padding=&#8221;50px&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;center&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overflow=&#8221;visible&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; gradient_type=&#8221;default&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; column_element_direction_desktop=&#8221;default&#8221; column_element_spacing=&#8221;default&#8221; desktop_text_alignment=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_backdrop_filter=&#8221;none&#8221; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; column_position=&#8221;default&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/1&#8243; tablet_width_inherit=&#8221;default&#8221; animation_type=&#8221;default&#8221; bg_image_animation=&#8221;none&#8221; border_type=&#8221;simple&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221;][vc_custom_heading text=&#8221;Interested in learning more?&#8221; font_container=&#8221;tag:h2|font_size:35px|text_align:center|color:%23000000|line_height:1.5&#8243; use_theme_fonts=&#8221;yes&#8221;][divider line_type=&#8221;No Line&#8221; custom_height=&#8221;15px&#8221;][vc_custom_heading text=&#8221;As a leader, your mission is important. We\u2019re here to help you win.&#8221; font_container=&#8221;tag:h3|font_size:30px|text_align:center|color:%23000000|line_height:1.5&#8243; use_theme_fonts=&#8221;yes&#8221;][divider line_type=&#8221;No Line&#8221; custom_height=&#8221;15px&#8221;][nectar_btn size=&#8221;medium&#8221; button_style=&#8221;regular&#8221; button_color_2=&#8221;Accent-Color&#8221; color_override=&#8221;#000000&#8243; solid_text_color_override=&#8221;#ffffff&#8221; icon_family=&#8221;fontawesome&#8221; text=&#8221;Apply to Join&#8221; icon_fontawesome=&#8221;fa fa-chevron-right&#8221; url=&#8221;\/join\/&#8221;][\/vc_column][\/vc_row]\n","protected":false},"excerpt":{"rendered":"<p>[vc_row type=&#8221;in_container&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; scene_position=&#8221;center&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overflow=&#8221;visible&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; column_element_direction_desktop=&#8221;default&#8221; column_element_spacing=&#8221;default&#8221; desktop_text_alignment=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_backdrop_filter=&#8221;none&#8221; column_shadow=&#8221;none&#8221;&#8230;<\/p>\n","protected":false},"author":4,"featured_media":6895,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[204],"tags":[],"class_list":{"0":"post-6894","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-dataprivacy","8":"content-type-blog"},"acf":{"boardmc_hide_post_header":null,"boardmc_hide_site_header":null},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts\/6894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/comments?post=6894"}],"version-history":[{"count":0,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/posts\/6894\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/media\/6895"}],"wp:attachment":[{"href":"https:\/\/board.org\/wp-json\/wp\/v2\/media?parent=6894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/categories?post=6894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/board.org\/wp-json\/wp\/v2\/tags?post=6894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}