Privacy Developments in 2023: Year in Review
January 10, 2024
With 2023 behind us, we’re looking back on the biggest headlines that shaped the data privacy landscape across Europe and the United States.
Data Privacy in Europe: A Year in Evolution
Even though GDPR turned 5 years old in 2023, there was no shortage of regulatory and enforcement activity in Europe. From the approval of a new US/EU data transfer framework, to Meta’s shift to a subscription model, and the major fines enforced in between, Europe witnessed a year of continued evolution in privacy and compliance.
New EU/U.S. Data Privacy Framework
The previous agreement between the United States and the European Union for transatlantic data transfers, Privacy Shield, was invalidated by the Court of Justice of the European Union in the case Data Protection Commission v. Facebook Ireland, Schrems (aka “Schrems II”).
The European Commission initially published an adequacy decision at the beginning of 2023, but it wasn’t until midyear that the EU/U.S. Data Privacy Framework was finalized with a stamp of approval from the European Parliament, and took effect July 11, 2023.
The approval signaled that under the new framework, the United States would ensure an adequate level of protection for personal data transferred from the EU to the US, providing assurance to European companies that contracting with US companies wouldn’t result in additional regulatory scrutiny.
Large fines for lack of proper consent
TikTok, Apple, and Voodoo were all fined by French data protection authority, CNIL, for not collecting sufficient consent before processing user data.
- Voodoo – 3M euros – mobile apps were found to still read a user’s IDFV technical identifier and process the IDFV and browsing habits for advertising purposes, even if the user refused ad tracking through Apple’s ATT request.
- Apple – 8M euros – found to be enabling personalized advertising by default on older versions of its mobile OS.
- TikTok – 5M euros – found to have a consent flow on its web version designed to make it much easier to accept all processing than to opt out.
The CNIL also fined adtech company Criteo for failing to verify that publishers were properly obtaining user consent for Criteo’s data collection on publisher properties. Per the CNIL, Criteo should not only have been contractually requiring publishers to obtain consent, but also conducting audit campaigns to ensure its publisher partners were actually collecting the consent.
Cookie guidelines required “Reject All”
Guidelines issued by the UK, Spain, and Belgium’s data protection authorities included requirements for equal prominence between Reject All and Accept All options when collecting consent. Such guidelines are not new, as French and German DPAs have also previously required cookie banners to include the option to Reject All.
The UK’s ICO followed up on its guidance in Q4, sending warning letters to some of the top UK websites giving them 30 days to comply with the guidance.
DPAs considered subscription/cookie walls
Meta rolled out a paid subscription model as an alternative to consent in response to regulator scrutiny, including a ban on targeted advertising issued first by Norway and then by the European Data Protection Board (EDPB). The model is currently under review by the EDPB, which may give credibility and concrete guidance to other companies looking to offer a similar model.
Meta is not actually the first company in Europe to offer paid subscriptions as alternatives to consent, and multiple data protection authorities have blessed the model, although within the parameters of certain guidance.
The Danish DPA announced in February 2023 general guidelines allowing for “cookie walls” as long as certain criteria are met. And in 2022, the French DPA issued “Cookie Wall Evaluation Criteria” which advised, among other criteria, that websites conditioning access to a service on the acceptance of cookies or other tracers on the user’s terminal device should provide a fair alternative at a reasonable price.
Data Privacy in the US: Navigating the Patchwork
In the absence of a federal privacy law, the US privacy landscape continued to be defined by a patchwork of laws. Some laws went into effect within the past year, while others like the VPPA have a much longer history but have been newly applied to bring about a whole new surge of privacy class actions.
State privacy laws continued to roll in
The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), went into effect on Jan 1, 2023. Four new states saw comprehensive privacy laws officially go into effect: Virginia’s law on January 1, Colorado’s and Connecticut’s laws on July 1, and Utah’s law on December 31.
Washington passed a health-specific privacy bill called the My Health My Data Act, requiring purpose-by-purpose consent for health data collection or sharing, including health data inferences. Nevada and Connecticut also passed health-specific privacy bills, but unlike Washington’s law, both have narrower definitions of consumer health data and don’t provide for a private right of action.
FTC made health data an enforcement priority
In its press release about changes to the Health Breach Notification Rule (HBNR), the FTC made clear that “protecting the privacy and security of personal health data is a high priority for the FTC.”
This was evident in the surge of settlements with health-related companies such as GoodRx, BetterHelp, and Premom. The enforcement actions alleged violations of the FTC Act, the HBNR, or both. In most cases, the companies were found to be sharing personal health data with third parties via analytics tech providers or social media pixels without sufficient disclosure or consent.
Following several of these settlements, the FTC announced proposed changes to the HBNR underscoring its applicability to health apps, as well as 13 key takeaways for companies collecting or using health data.
Class actions targeted tracking pixels
Class action lawsuits under the Video Privacy Protection Act (VPPA) and state and federal wiretapping laws continued to gain traction in 2023, with multiple courts allowing the cases to proceed, in turn leading to more settlements and more filings.
The class actions all targeted companies that shared personally identifiable information with third parties via tracking pixels, ranging from social media to analytics. Many of the cases took aim at companies collecting or sharing sensitive information, like tax information or health information.
Patterns in which cases overcame motions to dismiss and which did not gave companies better indications of the types of activity that pose the greatest risk. They also helped plaintiffs see which cases are more likely to succeed in court. As a result, VPPA cases appeared to become more targeted as the year progressed.
State regulators looked at expanding universal opt-out mechanisms
Although several states have enacted laws requiring the recognition of universal opt-out mechanisms, California’s requirement is the only one that has taken effect so far.
In 2023, the California Privacy Protection Agency (CPPA) staff proposed, and the agency approved, an initiative to push legislation requiring all web browsers to offer the ability for users to opt out of the sale and sharing of their personal data at the browser level. Currently only a few browsers offer the capability. The initiative could be an indicator that recognition of opt-out preference signals will be one of the CPPA’s enforcement priorities in 2024.
Meanwhile, Colorado released a “shortlist” of universal opt-out mechanisms that would be recognized under Colorado law, and ultimately selected Global Privacy Control (GPC) as the only approved mechanism. Colorado’s requirement takes effect July 1, 2024.
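To make the browser-level opt-out concrete, here is an added example (not Sourcepoint’s code and not from the original post) of how a site can recognize a Global Privacy Control signal and gate its “sale or sharing” tags on it. GPC itself is real: browsers that support it send the `Sec-GPC: 1` request header and expose `navigator.globalPrivacyControl` to page scripts. The tag list, the shape of the consent record, the “no consent record means nothing that shares data loads” policy, and the sample requests are all constructed for illustration.

```javascript
// Added example: server-side gate that honours the Global Privacy Control (GPC)
// opt-out signal before any tag that "sells or shares" personal data is loaded.
// Constructed tag classification; a real site would maintain its own inventory.
const TAGS = [
  { id: 'first-party-analytics', sharesData: false },
  { id: 'social-media-pixel',    sharesData: true },
  { id: 'adtech-retargeting',    sharesData: true },
];

// Case-insensitive header lookup. Node lower-cases incoming header names,
// but a hand-built object (as in the samples below) may not.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// True when the request carries a valid GPC signal. The only defined value
// of the Sec-GPC header is the literal "1"; anything else is treated as absent.
function hasGpcSignal(headers) {
  const v = getHeader(headers, 'sec-gpc');
  return typeof v === 'string' && v.trim() === '1';
}

// Browser-side equivalent of the same check, taking a navigator-like object.
function hasGpcSignalInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which tags may load. `consent` is a constructed banner record of the
// form { saleSharing: true | false | undefined }. Policy used here (an
// assumption of this example): a GPC signal is an opt-out from sale/sharing
// even if the user previously clicked "accept", and with no consent record at
// all only non-sharing tags load (the "Reject All"-by-default posture).
function selectTags(headers, consent) {
  const optedOut = hasGpcSignal(headers) || !(consent && consent.saleSharing === true);
  return TAGS.filter(t => !t.sharesData || !optedOut).map(t => t.id);
}

// One audit record per request so compliance can later show the signal was honoured.
function auditRecord(headers, consent) {
  return {
    gpc: hasGpcSignal(headers),
    consent: consent && consent.saleSharing !== undefined ? consent.saleSharing : null,
    loaded: selectTags(headers, consent),
  };
}

// Constructed sample requests (header objects as a framework might hand them over).
const SAMPLES = {
  gpcOn:    { 'Sec-GPC': '1', 'user-agent': 'example-browser' },
  gpcBogus: { 'sec-gpc': 'yes' },           // malformed value: not a valid signal
  noSignal: { 'user-agent': 'example-browser' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditRecord(SAMPLES.gpcOn, { saleSharing: true }));
  console.log(auditRecord(SAMPLES.noSignal, { saleSharing: true }));
  console.log(auditRecord(SAMPLES.noSignal, undefined));
}
```

The point of the audit record is that honouring the signal has to be demonstrable: when a regulator or plaintiff asks why a social media pixel fired on a request that carried `Sec-GPC: 1`, a per-request log of the signal seen, the consent state and the tags actually loaded is the evidence a site needs.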
A Little Privacy, Please, written by Sourcepoint’s General Counsel and Chief Privacy Officer, Julie Rubash, provides weekly recaps on the latest privacy news. To all our subscribers, thanks for another great year! To get our weekly recaps in your inbox, subscribe today.