FUTURE PRIVACY COMPLIANCE SERVICES FOR UPCOMING DATA LEGISLATION

UNITED STATES

United States privacy law is complex: it involves federal, state, and municipal privacy laws and regulations. There is no single comprehensive federal privacy law in the United States like those in the UK or EU. The US does have sector-specific (financial, health, consumer, and children) privacy and data security laws at the federal level, as well as many more privacy laws at the state level.

TRANSATLANTIC DATA PRIVACY FRAMEWORK (TADPF)

The EU and US have concluded negotiations on a new international data transfer framework to replace Privacy Shield. However, Max Schrems has already announced his intention to challenge the new framework in court.

CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

The CCPA requires business privacy policies to include information on consumers' privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination. The CCPA requires organisations to comply with user requests for: all data collected and stored; each category of sources where data is collected (e.g., financial, contact, medical); the business purpose for collecting and selling user data; and a list of third parties that have access to a user's data.

CALIFORNIA PRIVACY RIGHTS ACT (CPRA)

The CPRA was approved 4 November 2020 as an improvement to the CCPA. The new rights and requirements of the CPRA apply from 2 January 2023. This will result in consumer protection similar to the EU GDPR. There will be additional regulatory compliance requirements for businesses collecting California consumer data as part of the organisation.

The intention of the Act is to provide California residents with the right to:

1. Know who is collecting their and their children's personal information, how it is being used, and to whom it is disclosed.
2. Control the use of their personal information, including limiting the use of their sensitive personal information.
3. Have access to their personal information and the ability to correct, delete, and transfer their personal information.
4. Exercise their privacy rights through easily accessible self-serve tools.
5. Exercise their privacy rights without being penalized.
6. Hold businesses accountable for failing to take reasonable information security precautions.
7. Benefit from businesses' use of their personal information.
8. Have their privacy interests protected even as employees and independent contractors.

AI-POWERED DATA PROCESSING

Other emerging 2023 state consumer privacy laws governing AI-powered data processing will be applicable in California, Virginia (1 January 2023), Colorado, and Connecticut (1 July 2023).

AMERICAN DATA PRIVACY AND PROTECTION ACT (ADPPA)

The ADPPA will provide privacy protections, particularly in regard to civil rights and child safety.

CHILDREN AND TEENS' ONLINE PRIVACY PROTECTION ACT (CTOPPA)

This bill extends to minors (ages 12–16) privacy protections previously applicable only to children (ages 0–12) and otherwise establishes greater online privacy protections for children and minors. The bill prohibits an operator of a website, online service, online application, or mobile application directed to a child or minor with constructive knowledge the user is a child or minor from collecting the user's personal information without:

> Providing notice and obtaining consent,
> Providing a parent or minor with certain information upon request,
> Conditioning participation by a user on the provision of personal information,
> Establishing and maintaining reasonable procedures to protect the personal information collected from users.

The bill also prohibits targeted marketing directed to a child or directed to a minor without the minor's consent.

The bill has a set of principles governing how operators should collect and use personal information, as well as provide information to a parent or minor. A parent or minor must be able to challenge the accuracy of personal information, and an operator must provide for the erasure or correction of inaccurate personal information. Operators must also implement mechanisms for the erasure or elimination of personal information at the request of users and make users aware of such mechanisms.


The bill prohibits the sale of internet-connected devices targeted to children and minors unless they meet certain cybersecurity and data security standards, and it requires manufacturers of such devices to display a privacy dashboard detailing how personal information is collected and used.

CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

COPPA applies to anyone under thirteen; KOSA would apply to anyone under sixteen, an age group that child rights organizations agree has a greater need for privacy and independence than younger teens and kids.

KIDS ONLINE SAFETY ACT (KOSA)

KOSA features a duty of loyalty clause requiring technology organisations to prevent harm to minors while mandating more transparency in their algorithms for users and researchers. This Act would also provide researchers an opportunity to study the effects various platforms have on children and teenagers.

KOSA would require the following:

> A new legal duty for platforms to prevent certain harms: KOSA outlines a wide collection of content that platforms can be sued for if young people encounter it, including “promotion of self-harm, suicide, eating disorders, substance abuse, and other matters that pose a risk to physical and mental health of a minor.”
> Compel platforms to provide data to researchers
> An elaborate age-verification system, likely run by a third-party provider
> Parental controls, turned on and set to their highest settings, to block or filter a wide array of content

CALIFORNIA AGE-APPROPRIATE DESIGN CODE ACT (CAADCA)

On September 15, 2022, the Governor of California signed into law the California Age-Appropriate Design Code Act (CAADCA), which is scheduled to take effect 1 July 2024. The Act intends to protect the wellbeing, data, and privacy of children using online platforms, such as social media organisations and gaming organisations.

The CAADCA requires that covered businesses take all of the following actions:

1. Determine if their online products and services are likely to be accessed by children.
2. Prepare for and create a DPIA.
3. Carefully review their policies and procedures and begin planning necessary changes to ensure compliance.
4. Update privacy policies and terms.
5. Implement new tracking signals.
6. Comply with consumer rights.
