{"id":2567,"date":"2023-03-29T14:01:00","date_gmt":"2023-03-29T20:01:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2567"},"modified":"2025-05-08T14:13:49","modified_gmt":"2025-05-08T19:13:49","slug":"your-2023-privacy-compliance-roadmap-tips","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/your-2023-privacy-compliance-roadmap-tips\/","title":{"rendered":"Navigating Your 2023 Privacy Compliance Roadmap: Tips for Companies"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Navigating Your 2023 Privacy Compliance Roadmap: Tips for Companies<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tCasey Kuktelionis<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

If the first quarter has been any indication, 2023 will be yet another busy year in data protection and privacy. With so many global regulations to pay attention to, knowing where to focus your privacy resources is challenging. But despite the chaos, these are the key laws and topics you should have on your 2023 privacy compliance roadmap.<\/p>\n

Anticipated changes to existing privacy regulations<\/h2>\n

Five U.S. State privacy laws go into effect in 2023<\/h3>\n

In January, the Virginia Consumer Data Protection Act (finalized) and the\u00a0California Privacy Rights Act (CPRA) (amending the California Consumer Protection Act (CCPA))<\/a>\u00a0became effective.<\/p>\n\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t

Although the CPRA does make significant changes to the CCPA, rulemaking is still in progress.<\/strong>\u00a0On February 14, 2023,\u00a0CCPA regulations<\/a>\u00a0were submitted to the Office of Administrative Law for final review, which has 30 business days to review the rulemaking package. Enforcement of the CCPA is already underway, but CPRA enforcement is expected to start in July 2023.<\/p>\n

However, that date could change, and you should monitor the\u00a0California Privacy Protection Agency\u2019s<\/a>\u00a0announcements. CCPA rulemaking will continue in phases and focus on different types of notices, Global Privacy Control (GPC) and universal opt-out mechanisms, how to exercise individual rights, and other topics such as the annual security audit and privacy impact assessment requirements.<\/p>\n

Next, Connecticut CT-SB6 (CTDPA) and the Colorado Privacy Act will become effective on July 1, 2023. The CTDPA won\u2019t require controllers to enable consumers to exercise their opt-out rights through a universal mechanism until January 1, 2025.<\/p>\n

Final rules for the Colorado Privacy Act<\/a>\u00a0were filed with the Secretary of State on March 15, 2023. Regulations include consumer rights, universal opt-out mechanisms, controller obligations, data protection assessments, and important topics such as automated decision making and consent.<\/p>\n

And lastly, to ring in the new year, The Utah Consumer Protection Act will go into effect on December 31, 2023. Because each U.S. state privacy law is different, all five should be on your privacy compliance roadmap.<\/p>\n

EU-U.S. Cross-border data transfers and The Executive Order<\/h3>\n

It\u2019s been over a year since the EU and the U.S. struck an understanding on a revamped Privacy Shield data transfer agreement, now called the\u00a0EU-U.S. Data Privacy Framework<\/a>\u00a0(DPF). In December 2022, the European Commission published its\u00a0draft adequacy decision<\/a>\u00a0recognizing the essential equivalence of U.S. data protection standards.<\/p>\n

 <\/p>\n\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t

\u201cWe will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can\u2019t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again \u2013 in flagrant breach of our fundamental rights.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t

A final decision should come in the next few months. And because data transfers have become vital to international trade, this decision will be critical for your 2023 privacy compliance roadmap.<\/p>\n

More data protection and privacy regulations to watch in 2023<\/h2>\n

Although a U.S. federal privacy law was proposed in 2022, that bill stalled before the close of federal government business in December. Both political parties have different motivations for the\u00a0American Data Privacy Protection Act<\/a>, and it may be brought before congress again.<\/p>\n

Whether or not we will see a\u00a0U.S. federal privacy law<\/a>\u00a0in 2023 remains uncertain. But don\u2019t give up hope. At a recent hearing, the Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis (R-FL) declared,\u00a0\u201cAmericans need and deserve more transparency over how their information is collected, processed, and transferred.\u201d<\/strong><\/em><\/p>\n

In March 2023, the Iowa Senate and House unanimously voted to approve\u00a0Senate File 262<\/a>, potentially making Iowa the\u00a0sixth U.S. state<\/strong>\u00a0to enact an omnibus privacy law. Iowa\u2019s law is similar to the frameworks in Colorado, Connecticut, Utah, and Virginia\u2019s laws and is set to take force on January 1, 2025. Notably missing from Iowa\u2019s Bill are sensitive data opt-in consent requirements, a user\u2019s right to correct, required risk assessments, and practice purpose limitations.<\/p>\n

Across the Atlantic, the U.K. government released the second draft reform of the UK GDPR, called the\u00a0Data Protection and Digital Information (No.2) Bill<\/a>. This bill doesn\u2019t change the fundamental principles of the U.K. GDPR, data subject rights, or core obligations. IAPP writer Joe Jones summarizes the\u00a0top 10 takeaways from the draft reform<\/a>.<\/p>\n

2023 data protection and governance hot topics<\/h2>\n

Two new Acts passed in the EU raise the question of what the government\u2019s role should be regarding major tech companies and online services.<\/p>\n

The\u00a0EU Digital Markets Act (DMA)<\/a>\u00a0will apply in the EU from May 2023 to ensure dominant tech companies behave fairly online. Including the monitoring of practices that might restrict the growth of new and alternate platforms.<\/p>\n

In the DMA, large platforms like Google, Facebook, and Amazon are given the title\u00a0Gatekeepers<\/em>.\u00a0Gatekeepers are prohibited from:<\/strong><\/p>\n