Data Privacy in 2023: The future of US cyber privacy regulation is here

Authored by Danielle Roth, AXA XL’s Head of Cyber & Technology Claims in the Americas

It was only a matter of time.

In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), which gives individuals control over their personal data and how it may be used by a company. The GDPR became enforceable in May 2018, and companies were required to adopt increased standards to protect consumers’ data and give individuals the ability to opt out of the gathering of such data. Other countries soon followed, using the GDPR as a model.

Now U.S. lawmakers are slowly putting their own privacy regulations on the books. This year, the House Energy and Commerce Committee voted to advance the federal American Data and Privacy Protection Act (“ADPPA”), a proposed federal online privacy bill designed to regulate the gathering and storing of consumer data. The bill is expected to be considered when Congress reconvenes in 2023.

States already have been busy bringing their own legislation to fruition. At this writing, five states have comprehensive data privacy laws passed and set to take effect in 2023 – California, Colorado, Connecticut, Utah and Virginia. Of those, the California Consumer Privacy Act (CCPA), passed in 2018, is considered to be the strictest privacy regulations within the U.S., arming residents of the state with the ability to control how businesses are able to use their personal data. Likewise, the California Privacy Rights Act, which takes effect January 1, 2023, expands the CCPA to include the right to restrict use of sensitive personal information, the right to correction, the right to access information about automated decision making, and the right to opt out of automated decision-making technology. The CPRA also expands consumer privacy rights in ways similar to the GDPR, including the right to delete, the right to opt out and the right to access individual information. The CPRA also creates the California Privacy Protection Agency, exclusively charged with the interpretation and the enforcement of data privacy issues under the CPRA.

As of October 2022, there were 29 states considering legislation, so we expect state privacy regulation to only increase in 2023 and beyond.

Private Right of Action

Should the federal ADPPA pass, it might be viewed as something that pre-empts state regulation. Even without a privacy law at the federal level, state laws can present high exposure for organizations handling consumer data. In particular, some state laws may contain a private right of action – the legal right of a private individual or entity to file suit. The exposure in such privacy breach cases can be substantial – whether as a settlement or a jury verdict.

In a recent Illinois-based case, the first brought under Illinois’ Biometric Information Protection Act (“BIPA”) to go to trial, a jury awarded $228 million in a class action suit brought by truckers who claimed the railroad company they worked for collected their fingerprints without written consent or appropriate disclosures about the purpose of collecting and storing the biometric data. While the railroad company is appealing, the verdict is an indication of the significant impact privacy laws can have on businesses.

Whether the ADPPA actually moves forward, or the data privacy landscape remains a patchwork of state laws, organizations need to prepare now for increased regulatory oversight of personal information.

Getting Ready for Privacy

First and foremost, your organization should conduct an assessment to determine which data privacy laws apply to your business and develop a compliance plan and road map. As part of that, an organization should look at the types of data it collects and develop a data map and management plan, which will allow an organization to build a standard process of informing individuals in writing, alerting them to how a company is storing and using data, and to obtain appropriate consent or allow an individual to opt out.

Review your insurance policy with your carrier. While data misuse lawsuits may not be covered, your carrier can provide resources that will assist in establishing a data privacy compliance plan using best practices and can recommend counsel to help understand which laws apply to your organization – whether state, federal, or international, which is particularly important in this age of global commerce. Counsel can also provide advice for a robust data management framework and governance plan.

Forewarned & Forearmed

Taking the steps above can go a long way toward showing that your organization is cognizant of the privacy laws and is making best efforts to comply. Having a data management plan in place, as well as a plan to provide appropriate notice and disclosures, and to obtain consent or allow an individual to opt-out, all demonstrate a willingness to abide by the law and protect individuals.

As more states and the federal government move toward increased privacy regulation, it behoves your organization to prioritize compliance now. The preparation and attention you give to building your process now will pay off when privacy regulations become the standard for businesses everywhere.

Danielle Roth is AXA XL’s Head of Cyber & Technology Claims in the Americas. She is responsible for developing and implementing the segments’ claims strategy and best practices, as well as coverages analysis, claims investigations, reserving and resolution of claims.