Broker Check

Top 10 Privacy Issues for 2023

December 28, 2022

Cybersecurity firm Merudata has issued their "top 10" list of privacy concerns for 2023.

  1. The California Privacy Rights Act (CPRA) is effective 1/1/23 expanding on the California Consumer Privacy Act (CCPA).
  2. The Virginia Consumer Data Protection Act is effective 1/1/23.
  3. The Digital Markets Act became effective in the European Union 11/1/22. It applies to "gatekeeper" online platforms.
  4. The Digital Services Act applies in the EU to all providers of digital services.
  5. Personal health information is not only subject to HIPAA but additional state and proposed federal laws.
  6. California has passed the Age-Appropriate Design Code Act with higher standards for children's data than the Children's Online Privacy Protection Act.
  7. Business-to-business exemptions under the CCPA end 1/1/23.
  8. Geolocation data is considered sensitive personal information in California and other states.
  9. Biometric data is regulated by the GDPR, HIPAAA and the Illinois Biometric Information Privacy Act (BIPA).
  10. Algorithmic bias affects artificial intelligence by amplifying biases embedded in data (in other words, bias in, bias out).                    

Merudata's post at includes recommendations for dealing with each of these issues. Since some apply in multiple cases, here is a summary:

  • Have the required tools and resources to deal with data subject requests.
  • Review data sharing with third parties.
  • Ensure consumers have options to limit the sharing or sale of personal information.
  • Delete personal information when no longer needed.
  • Conduct data protection assessments when processing personal data.
  • Obtain prior consent from users when collecting or processing sensitive personal data.
  • Maintain transparency about how you share and sell personal data.
  • Have tools and resources when courts or authorities point out illegal content.
  • Have mechanisms for reporting and taking action on illegal content.
  • Monitor advertising based on sensitive data and/or targeting minors.
  • Conduct regular assessments of systemic risks.
  • Study relevant regulations applicable in your jurisdiction.
  • Obtain parental consent, with right to review, when collecting children's personal information.
  • Encrypt personal data during transmission.
  • Have a clear privacy policy.
  • Make sure data in artificial intelligence is accurate and diverse.