Attorneys Michele Shuster and Josh Stevens from the law firm Mac Murray and Shuster explain how new data privacy laws will impact businesses in 2023.
Despite numerous concerns about data privacy, there are few laws in the United States that comprehensively regulate how information is collected and used. But that’s about to change. New state laws will go into effect beginning in 2023, giving consumers more control over their data—and potentially derailing companies’ current marketing strategies.
Michele Shuster, founding partner of the law firm Mac Murray & Shuster, and Josh Stevens, a partner at the law firm, recently presented a webinar on the impending changes and on how today’s marketers, who rely on online tools to generate quality leads, will need to shift to stay in compliance.
Both Shuster and Stevens have extensive experience in privacy and data security, federal regulatory matters, and advertising and marketing. They both closely monitor the changing regulatory landscape.
New federal data privacy law in the works
With no comprehensive federal data privacy law, the U.S. offers citizens few protections. Other nations, like countries in the European Union, have more robust regulations in place. This may be about to change.
In July, the American Data and Privacy Protection Act (ADPPA) won bipartisan support in the U.S. House of Representatives Committee on Energy and Commerce. The bill is now pending before Congress, and negotiations are ongoing. This bill would give consumers certain rights over their data and require that businesses process data under a fiduciary obligation (or under a duty of trust). The bill would also empower the Federal Trade Commission (FTC) to regulate privacy in a more explicit manner.
However, Stevens points out that the FTC has already announced an advance notice of proposed rulemaking and has sought public comment on the harms of businesses collecting, analyzing, and monetizing information about consumers. “This shows that the FTC is not waiting on Congress and that they are working toward regulating this space,” he said.
New regulations in several states
In addition to the federal laws on the horizon, several states will institute their own privacy regulations in 2023. The California Privacy Rights Act, approved in 2020, will take effect Jan. 1, 2023. The act provides California residents with the right to know who is collecting their information, how it is being used, and to whom it is disclosed. Other states like Colorado, Connecticut, Utah, and Virginia have additional privacy laws in the works as well. It’s important to note that even businesses in states without data privacy laws in place can be impacted when interacting with consumers in the more highly regulated states.
For example, recently, a plaintiff represented by a well-known plaintiff’s firm in California filed a lawsuit against an Ohio jewelry company. The California consumer visited a website that included a tool that captured the consumer’s keystrokes on the site. Earlier this summer, the Ninth Circuit allowed a case to proceed under California’s wiretapping laws against a website that used ActiveProspect software. ActiveProspect captures a consumer’s interaction with a website by tracking and recording web session data. The case filed in Ohio copied the strategy from the ActiveProspect case. “I expect we’ll see more of these copycat cases until it gets squashed or we get more clarity,” Stevens said. Because these violations can be costly, Stevens recommends a couple of best practices:
- If you use technology that captures keystrokes, make a cookie banner or pop-up visible on the page and explain the use of the technology. The consumer should have to consent to its use to continue engaging with the website.
- The tool should not engage until consumers have had a chance to review that cookie banner, close it out or accept it, or take another action that evidences their implied consent.
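The second practice above, shown as an added example (it is not from the webinar or from any vendor’s code): a consent gate that keeps a session-capture tool from starting until the banner has been answered. `ConsentGate`, `startCapture`, and the `decline` action are hypothetical names, and the simulated keystrokes are constructed.

```javascript
// Consent gate for a session-capture tool (hypothetical names throughout).
// In a browser, startCapture would inject the vendor's script; here it is a
// callback so the gate logic can run and be checked outside a page.
class ConsentGate {
  constructor(startCapture) {
    this.startCapture = startCapture; // must return a function that stops capture
    this.state = "pending";           // pending | consented | declined
    this.log = [];                    // decision record, useful as consent evidence
    this.stop = null;
  }

  // Called by the banner UI. Following the guidance above, accepting or
  // closing the banner counts as consent. "decline" is an added assumption.
  decide(action, now = Date.now()) {
    const consenting = action === "accept" || action === "close";
    if (!consenting && action !== "decline") {
      throw new Error(`unknown banner action: ${action}`);
    }
    this.log.push({ action, at: now });
    if (consenting && this.state !== "consented") {
      this.state = "consented";
      this.stop = this.startCapture(); // first point at which the tool engages
    } else if (!consenting) {
      if (this.stop) this.stop();      // consent withdrawn: stop recording
      this.stop = null;
      this.state = "declined";
    }
    return this.state;
  }
}

// Constructed walk-through: keys typed before, during and after consent.
function demo() {
  const captured = [];
  let active = false;
  let loads = 0;
  const gate = new ConsentGate(() => { loads++; active = true; return () => { active = false; }; });
  const onKey = (k) => { if (active) captured.push(k); };
  onKey("a");                 // banner still showing: nothing is recorded
  gate.decide("accept", 1000);
  gate.decide("close", 1500); // repeat consent must not start the tool twice
  onKey("b");
  gate.decide("decline", 2000);
  onKey("c");                 // after withdrawal: nothing is recorded
  return { captured, loads, state: gate.state, decisions: gate.log.length };
}
```

The common failure this guards against is a capture script placed directly in the page head, where it starts recording before the banner is ever rendered.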
The California Privacy Protection Agency has published new draft regulations under the California Privacy Rights Act that could impact how certain marketing messages must be phrased.
In response to a request for public comment, Mac Murray & Shuster submitted, on behalf of the Professional Association for Customer Engagement, some areas of concern that could be problematic for businesses. For example, one regulation states that businesses cannot use “shaming or guilting” language to steer a consumer to a less privacy-protected choice. An example of this language would read, “I like to pay full price.”
“Our position is that there is an informative aspect that allows the consumer to understand the impact of their decision, and that should be allowed,” Stevens said. The regulations may also require businesses to translate their privacy disclosures into every language a potential consumer may speak, which could be enormously burdensome to businesses.
“Finally, we have requested that a portion of the proposed regulations that center around the browser-based opt-out mechanism be delayed,” said Stevens. “This opt-out mechanism allows consumers to state that they do not want their information sold. Yet, this technical standard may be difficult for some companies to achieve quickly.”
Buying and selling data
One of the most frequent questions we hear from companies is whether they will still be able to buy and sell data under new privacy laws. The answer is YES, but under stricter parameters.
Under the California Privacy Rights Act regulations, if you are selling data to a third party, your contract with the third party MUST contain certain provisions defining how the third party can use the data. You should also retain rights to stop the use of that data if the third party does not follow the provisions.
When working with data processors, the contract is key to protecting your business. Make sure the contract fits within applicable state law parameters and be aware that more than one state’s laws could apply. For example, if you are a large business subject to all five of the new privacy frameworks, then your contract is going to need to comply with all of them. You should also have the right to monitor and audit the company you are working with to collect consumer data.
For a lower-risk provider, that may be the simple act of sending a questionnaire to the IT team. For higher-risk providers, you may need to visit their facilities to ensure your standards are being upheld. Before ever signing a contract, you should put the provider through a due diligence process that mimics how they collect data on your behalf.
As more states begin exploring how to protect consumer data, you’ll begin to see commonalities among these state and federal regulations. Under the California Consumer Privacy Act, consumers will get the right to know:
- What information is being collected about them
- How that information is being used
- How to request a copy of their information
- How to delete information
- How to opt out of the sale of their data
Under the California Privacy Rights Act, consumers will also get the right to opt out of cross-context behavioral advertising, which is advertising to a consumer based on their behavior across several apps and websites, the right to correct their data, and the right to limit how their sensitive personal information is used.
How buying leads will be impacted
If you’re like many companies out there, part of your marketing strategy includes buying leads from different sources. Stevens says it’s imperative to make sure any provisions you must follow according to applicable state laws are in your contract. One often overlooked aspect of the contract is clearly spelling out that your data source cannot transfer data from consumers who have opted out of the sale of their data.
Publicly available data, fair game?
Yes, but take heed. Under the California Privacy Rights Act and other new state frameworks, publicly available information is not considered personal information. Information available to the public includes items that are lawfully made accessible by a local, state or federal government. An example of this would be property appraisal data.
However, if you’re going to use this information, you must be able to show that you got it from a government source in a lawful manner. Where you can run into trouble is that some states have laws that restrict the use of certain government records for marketing purposes. If the reason behind gathering this information does not fall within the permitted scope, you cannot use it for marketing purposes. “While the public exception is nice for people who rely on this data, being able to prove the source and that it was lawful might be harder in practice than it sounds,” Stevens said.
The important role of counsel as laws evolve
In an evolving digital world, data privacy protections are long overdue in the United States. However, for businesses and marketing teams, navigating these new regulations can be challenging.
As you’re considering how to evolve your marketing or data management strategy, it’s critical to bring counsel into the process early so you can have privacy by design. It is much easier to put into place a compliance program BEFORE you implement certain aspects of your marketing plan. Going back and retrofitting a compliance program after the fact can be time-consuming and costly.