Date: 2023-03-28

The Gist

MediaMath’s 2023 Consumer Privacy Survey revealed that consumers have 10% less trust in brands than they did one year ago. Additionally, 65% of those polled ranked "misuse of personal data" as the No. 1 reason they would lose trust in a brand.

In response to increased consumer awareness of data privacy, in 2022, Congress introduced The American Data Privacy Protection Act (ADPPA), which was designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms and establish meaningful enforcement.” This article will look at the current state of consumer data privacy legislation, its impact and how brands are adapting to these regulations.

The Digital Services Act (DSA) and the Digital Markets Act (DMA)

According to a 2022 Gartner report, by the end of 2024, privacy regulations are projected to cover the personal data of 75% of the global population. Although privacy legislation in the United States has definitely impacted online businesses, the European General Data Protection Regulation (GDPR) has had the greatest impact on brands thus far — one can rarely visit any business website without being presented with a cookie acceptance prompt.

Similarly, two new bills have been introduced in Europe that have the potential to impact online businesses across the globe. The Digital Services Act (DSA) and the Digital Markets Act (DMA) form a single set of rules that apply across Europe. The goals of the two bills are:



To create a safer digital space in which the fundamental rights of all users of digital services are protected.

To establish a level playing field to foster innovation, growth and competitiveness, both in the European Single Market and globally.

Through the DSA and DMA, the European Union has established a modern legal framework that prioritizes the safety of users online, upholds fundamental rights and promotes a fair and open online platform environment. The DSA will introduce transparency around advertising, ensuring that it is clearly labeled, and that consumers know who is placing the ad and why they are seeing it. It will also impose a complete ban on advertising targeted at children based on their personal data.

Although the DSA will have the greatest impact on large multiuser websites such as Facebook, Google, Twitter and TikTok, sites with fewer users will eventually have to comply as well. As of Feb. 17, online platforms are required to publish the number of active users. If a platform or search engine has over 45 million users, the European Commission will designate the service as a very large online platform or a very large online search engine. These services will then have four months to comply with the obligations of the DSA. On Feb. 17, 2024, platforms with fewer than 45 million active users will also have to comply with DSA rules.

Srini Kadiyala, chief technology officer at OvalEdge, a data governance consultancy and end-to-end data catalog solutions provider, told CMSWire that the relationship between customer and company is becoming increasingly symbiotic. "Consumers know their rights, how significant the fallout of a data breach can be, and the capabilities companies have at their disposal to prevent data misuse. On the flip side, companies know their obligations to protect consumer data, and they know the impact of failing to do so regarding trust degradation and financial penalties." Once new data privacy regulations go into effect, it’s up to brands to live up to consumer expectations.

The American Data Privacy Protection Act (ADPPA)

According to Alison Lindland, CMO at Movable Ink, a marketing customer engagement agency, data privacy will become a priority this year for all businesses, regardless of industry.

“With new technologies coming to the forefront and being regularly introduced, there's a higher risk for any overlooked flaws in security to be potentially exploited by hackers looking to steal consumer data,” said Lindland. “Government scrutiny on tech companies has grown as politicians seek to expand citizen protections, and with the introduction of the American Data Privacy Protection Act (ADPPA) last year, brands must get ahead of the curve to ease these fears.”

The American Data Privacy Protection Act, if enacted, will preempt the California Consumer Privacy Act (CCPA), and is designed to “Promote US Innovation and Individual Liberty through a National Standard for Data Privacy.” The proposed act drew the attention of California State Attorney General Rob Bonta, who stated that the ADPPA threatens to preempt California's law with a weaker federally imposed privacy act.

According to a February 2023 Vericast survey, 39% of consumers feel powerless in controlling how brands use their personal data, and 23% say they are unsure what kinds of information brands collect overall. The ADPPA promises to change that, as it specifies that consumers would have the right to know how their personal data will be used and which third parties will receive it. Consumers would have the right to correct and download their user data, and businesses would have up to 90 days to process these requests. Consumers would also have the right to take legal action against businesses that are in violation of the Act for four years after its execution. The adjournment of the 117th Congress took place on Jan. 3, 2022, without taking any action on the ADPPA, so its fate is yet undecided.

As of 2023, 43 states have introduced or passed their own privacy bills. Because of the myriad of different privacy rules and regulations that are in place in the United States, a consortium of technology and corporate trade groups, including the US Chamber of Commerce and the Consumer Technology Association, came together in a campaign titled United for Privacy. They stated that the current privacy legal landscape is a “conflicting patchwork of privacy laws” that will cost the US economy over $1 trillion over the next decade. Their website declares, “We need a uniform national privacy law that would protect consumers’ data and privacy no matter where they live and provide businesses certainty about their responsibilities.” Perhaps the ADPPA is a step in that direction.

New State Privacy Legislation

Christine Frohlich, head of data governance at Verisk Marketing Solutions, a leading data provider for the insurance, mortgage and banking industries, told CMSWire that although there have been numerous proposals for privacy legislation at the federal level (such as the aforementioned ADPPA), a comprehensive law has not been passed — which means it is at the discretion of each individual state’s government to dictate how they want businesses to handle sensitive data within their constituency.

Virginia, California, Colorado, Connecticut and Utah have enacted or plan to enact data privacy legislation this year. Legislation includes the Virginia Consumer Data Protection Act (VCDPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA) and the Utah Consumer Privacy Act (UCPA).

Each of the state regulations that will go into effect in 2023 includes consumer notification requirements that may impact a brand’s data privacy policy, especially if it has not been recently reviewed.

The Virginia Consumer Data Protection Act (VCDPA), which went into effect on Jan. 1, grants consumers the right to access and delete their personal data and requires businesses to conduct data protection assessments related to processing personal data for targeted advertising and sales.

Businesses must now comply with all express statutory requirements of the CCPA, as amended by the California Privacy Rights Act (CPRA). The CPRA, which went into effect on Jan. 1, modified the CCPA but did not create a separate, new law.

Although the Colorado Privacy Act (CPA) rules were adopted on Feb. 23, they are still awaiting review by the Colorado attorney general. The CPA mandates that controllers obtain affirmative consent from consumers prior to collecting and processing sensitive data, processing personal data for purposes other than those specified at the time of collection, and selling or processing personal data for targeted advertising after a consumer has opted in.

Starting July 1, the Connecticut Data Privacy Act (CTDPA) grants Connecticut residents certain rights over their personal data and establishes privacy protection standards and responsibilities for data controllers who process personal data.



The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022, and goes into effect on Dec. 31 of this year. It provides privacy protections for Utah residents, and establishes data privacy responsibilities for businesses operating in the state.

Frohlich suggested that with consumer privacy being the principal aspect of the five new state laws, updating a brand’s services and website privacy policies is paramount. “A key element of these updates should include creating explicit procedures for consumers to exercise their rights on the data collected on a brand’s website(s) and the data collected from other sources (loyalty programs, third-parties, etc.),” said Frohlich. “Keep in mind how the privacy policy will come across on the consumer's end.” Frohlich explained that brands should be asking themselves the following questions:

Is it easy to understand?

Are the terms and conditions clearly outlined?

Does it cover all of the ways in which a business may use a consumer’s data?

Frohlich emphasized that now is a great time for brands to review their data inventory and processes to determine exactly what changes need to be made. “For example, state laws in Virginia, California, and Colorado now give consumers the right to correct inaccuracies in their personal data. Does your business have an existing operational process for consumers that choose to make corrections?”

Final Thoughts on Data Privacy Regulations

Many countries and states now have privacy regulations that specify and limit the ways that businesses obtain and use consumer data, with new privacy legislation likely to come. Now is the time for brands to review their privacy policies and ensure compliance with current regulations, while preparing for future changes.