Last year, the landscape of data privacy laws in the United States changed significantly, bringing to light the increased focus on individual data protection rights across the country. Organizations have had to adjust their operational practices to prioritize data protection, privacy and the acceptable use of personal information. But is this just the beginning?
In this piece, Amy Doyle Ellwood, Director of Client Services at Ziff Davis’ Campaigner and SMTP.com, provides an overview of the various data privacy practices brought into place in 2023 and what this means for email marketers in 2024.
Compliance for the Win
When creating an email marketing campaign, it is very easy to focus on those more exciting elements, such as the creative process and decision-making, the injection of data analytics and AI to create powerful results in your marketing experiments, and the benchmarking of success metrics for your company.
What is less exciting though is the single most important element of your email marketing campaign – is it compliant with country and state-specific privacy laws.
Keeping up with data privacy regulations can be difficult especially when we see the pace at which the landscape is changing particularly in the last 12 months.
Let’s take a look back on the changes in US data privacy laws in the last year and what path these changes laid for organizations in 2024.
1. California Privacy Rights Act (CPRA)
The CPRA, often referred to as “CCPA 2.0,” became fully operational, building upon the foundations of the California Consumer Privacy Act (CCPA). Building on the foundation laid by the California Consumer Privacy Act (CCPA), the CPRA introduced stricter data protection measures. It provides consumers with more control over their personal data, requiring organizations to be more transparent about their data collection and use practices.
2. Virginia Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) came into effect on January 1, 2023. Similar to the CCPA, it requires organizations to adhere to several key provisions to protect the privacy of consumers’ personal data, including the introduction of Data Subject Rights, Data Protection Assessments, Data Minimization requirements, Explicit Content, and Non-Discrimination against consumers who exercise their rights under this act, amongst other provisions.
3. New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
New York enhanced the SHIELD Act, a data privacy and cybersecurity law that aims to enhance data security and protect the personal information of New York residents. New York’s SHIELD Act places specific requirements on businesses and organizations that collect and store personal information.
4. Colorado Privacy Act (CPA)
Colorado passed the Colorado Privacy Act (CPA) in 2021 and it officially came into effect on July 1, 2023. The CPA places several obligations on businesses and organizations that collect and process personal data of Colorado residents and provides consumers with rights to access, correct, delete, and port their personal data, and imposes data protection obligations on businesses.
5. Upcoming State-Level Privacy Laws
In addition to those states discussed above, several other U.S. states have actively discussed and considered data privacy acts or bills, some of which are expected to come into effect in 2024. These include:
- The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. The TDPSA, which mostly takes effect on July 1, 2024, except for global opt-out technology provisions, is similar to the Virginia Consumer Data Protection Act (CDPA) discussed above, which is generally more “business-friendly” relative to laws such as those in California and Colorado. The TDPSA contains several notable provisions that companies should consider when developing their privacy compliance programs.
- The Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces were signed into law in 2023, expected to be in effect on July 1, 2024. The FDBR is somewhat modeled on California’s Consumer Privacy Act though it also addresses matters not addressed by the CCPA and other current and emerging comprehensive state privacy laws.
- The Washington Privacy Act (WPA) was a bill introduced in Washington State, aiming to establish comprehensive data privacy regulations.
- The New York State Senate passed the New York Privacy Act to strengthen protections over consumers’ personal data and create accountability standards for businesses that collect, process, and use consumers’ personally identifiable data. As of the date of writing, this bill is In the Assembly Committee stage.
- The North Carolina Consumer Privacy Act was introduced in the state legislature but has not yet been enacted into law.
- The Minnesota Consumer Data Privacy Act is currently being discussed and seeks to establish data privacy rights and protections.
Note: To stay informed about the progress of these bills and any new data privacy laws, consider monitoring state government websites, and legal news, or consulting with legal experts specializing in data privacy and cybersecurity.
6. Enhanced Data Breach Notification Requirements
With the evolving data privacy landscape, 2023 saw new requirements for organizations to report data breaches promptly. The introduction of state-specific breach notification laws in some areas, like New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, adds complexity for businesses operating across state lines. These laws typically demand stringent timelines for reporting data breaches, emphasizing the importance of robust data security measures. In 2024, it is assumed that many more states will introduce requirements similar to the SHIELD Act.
7. Data Security Standards
Over the course of the year, the industry experienced heightened emphasis on data security requirements. Moving into 2024, this will mean organizations need to adopt more robust measures to protect sensitive customer information. Penalties for non-compliance with these standards, including fines and legal action, have already been introduced.
8. Consent and Transparency
Underpinning all enacted and considered data privacy legislation is consumers’ consent and their right to know how their data is being used are central themes in the evolving data privacy landscape. Regulations will continue to require organizations to obtain explicit consent for data collection and clearly communicate their data practices. We have already witnessed a growing emphasis on demonstrating explicit consent from individuals before collecting their data, most notably in SMS marketing with network carriers requesting evidence of clear opt-in processes before approving US Toll-Free numbers. This emphasis on transparency will require organizations to adopt clearer data usage policies and make it easier for individuals to exercise their privacy rights.
9. Data Protection Officers (DPOs)
In some states, the appointment of Data Protection Officers continues to become a requirement for certain organizations. DPOs play a critical role in ensuring data privacy compliance and serving as a point of contact for data protection matters.
2023 saw a significant evolution in US data privacy laws, reflecting a growing awareness of the need to protect individuals’ personal data. These changes emphasized the importance of transparency, consent, data security, and compliance.
Organizations operating in the United States faced new challenges in navigating the complex web of state-level regulations, with a strong focus on respecting individual rights and ensuring the security of customer information. As data privacy continues to be a paramount concern, organizations must remain vigilant and adaptable in their efforts to meet these evolving legal requirements.
Email marketers must adapt and embrace these new regulations. The landscape of email marketing is evolving, and respecting consumer privacy and data protection is more crucial than ever. By ensuring that your email marketing practices align with these changes, you can build trust with your subscribers, maintain compliance, and continue to deliver effective and responsible email marketing campaigns in this new era of data privacy.
Join the MailCon community to gain deeper insights into different aspects of email and SMS marketing, consumer privacy updates, and more.