Data Privacy Laws 2023 (TLDR)

Data privacy laws are infuriatingly complicated because of the nature of the internet is that it is accessed by countries around the globe, thus resulting in jurisdiction complications. To add insult to injury, the governments around the world are continually updating laws. Here is a brief summary of where data privacy laws stand in 2023.

USA Laws

Here is a brief scoop:

  • there is no comprehensive law; it is a mess
  • separate laws for different sectors and industries
  • The FTC is one agency that acts to ensure organizations protect data
  • COPPA is a law protecting minors
  • HIPPA protects health information
  • GLBA protects banks and financial institutions
  • FCRA protects collection and use of credit information
  • FERPA protects privacy of student education records
  • CPPA is California’s new privacy legislation
  • CDPA is Virginia’s new privacy law that came out in January of 2023
  • CPA is Colorado’s new privacy act
  • UCPA – Utah (less private)
  • CTDPA – Conneticut

There are more laws, but it is cumbersome to differentiate between them and I have no time to create a comparison table at the moment.

A lot of these laws have exceptions written in them.


Europe has the GDPR. It has main points that it enforces on threat of fine:

  • consent
  • data breach notification
  • data subject rights

There is also the DSA, legislation that forces large platforms to remove illegal content and be in touch with authorities. It applies to network infrastructure, hosting se4rvices, online platforms, and “very large” online platforms.

Another law is the DMA, one that targets huge “FAANG” types of platforms and prevent them from exercising monopoly. Fines for violating this law are very big, 10-20% of annual global turnover.

Also, watch for EU-U.S. Data Privacy Framework; it’s not law per se, but it is meant to guide the transfer of data between the EU and the US. However, due to the US foreign surveillance policies, this is very complicated to sort out, and has to be hyandled case by case.

There are more laws in the making.

More notes:

  • Brazil has its own laws for privacy
  • SO does Canada
  • Also, China
  • there are over 130 data privacy laws
  • there are firms that businesses can hire to sort through this stuff

That is a heck of a lot of jargon to sift through.

Here are some subjects that these laws cover, each to some extent more or less:

  • right to delete
  • consent
  • non-diclosure
  • prohibition of selling data without consent
  • destruction of records which are no longer mantained
  • disclosure of breaches
  • personally identifying information
  • notify customers of their rights
  • right to deletion
  • right to opt-out
  • right to not be discriminated against for pursuing privacy rights

In general, the GDPR is more concrete, more strong, and better enforced than the US privacy laws. The GDPR requires companies to employ a data protection officer. The US is a mess. (Again, I would love to do a comparison table when I have time).

If you are a business with an online presence, compliance requirements will depend on industry, size, location, and customer base.

(There are consulting firms for sorting through this mess. If the US ever gets its act together and makes things more simple, a lot of people will be out of a job.)

Make sure to have a Privacy Policy on your website.

SCC is a Standard Contractual Clause. Basically, it is an agreement that serves to ensure information from the EU is still protected by GDPR standards even after leaving the EU. They also have sub clauses to allow for adjustment based on the needs of each data transfer. The exact details are very complicated and a bit boring. See for more information.

  • The EU-US privacy shield kind of fell apart and had to be replaced
  • The new legislation was called “EU-U.S. Data Privacy Framework”
  • New SCCS helped with that
  • Follow EDPB recommendations will help ensure you don’t get regulators and lawyers circling above your entity like vultures because of your privacy practices

The GDPR is neat.

  • separates data handlers into processors and controllers.
  • fines any entity that fails to protect against data breaches
  • organizations are required to notify when data is breached
  • “right to be forgotten”


Leave a Reply

Your email address will not be published. Required fields are marked *