Businesses will have to obtain opt-in consent to process sensitive personal information, not just extend an opt-out right.
Consumers will have the right to appeal denials of consumer rights.
Businesses will have to conduct and document data protection assessments when engaging in certain data activities, like selling data, processing personal data for targeted advertising, engaging in profiling, or any other activity that presents a heightened risk of harm to consumers. These assessments are required to identify and weigh benefits and risks - to the business, the consumer, other stakeholders, and the public - related to the proposed data processing activity, as well as whether risks may be appropriately mitigated by safeguards. Assessments must be written and may be demanded by the Virginia Attorney General as related to an investigation.
Consumer data privacy compliance will continue to be an ongoing effort in 2023, as the consumer data privacy landscape continues to evolve through new laws and regulations. Laws in Colorado, Connecticut, and Utah are set to take effect later in 2023, and Colorado is currently engaged in rulemaking efforts related to its law. More states will consider next year broad privacy legislation, as well as more targeted proposals, like those related to biometric information, geolocation information, and website information. The FTC is considering broad privacy and data security rulemaking, the CFPB is working on implementing consumer rights to personal financial records under section 1033 of the Dodd-Frank Act, and debate about federal privacy legislation will likely start back up in the new Congress.
Amidst the changing landscape, businesses are strongly encouraged to keep data inventory and mapping efforts up to date and consider the risks - in opportunities - that come out of data collection and processing.