Each year we look at the trends in business privacy regulation, cybersecurity, technology, and personal-data-driven business risks (which range from social engineering to doxxing). Then we take out our crystal ball and attempt to predict what will happen in the year ahead. Last year brought:
A boom in social-engineering-driven ransomware attacks, and other exploits leveraging workforce PII as the attack vector;
Multiple states passing and implementing new laws regulating business privacy practices, with more likely to advance in the coming year;
The bipartisan consumer privacy legislation (ADPPA) progressing further than expected, driven by pressure from a growing body of new state and international regulations and by consumer demand;
New consumer privacy features increasingly being offered as a key source of competitive advantage by major tech platforms, as well as by healthcare, financial services, and telecom firms.
Which of these trends will continue and grow, which will diminish, and how do we expect the privacy landscape to change in the coming year?
Privacy Regulation in 2023
The ADPPA is Dead
As is the prospect of any similar comprehensive federal consumer privacy law in 2023. The mid-term shifts in party control over different houses and committees will leave agenda-setting powers in the hands of people with different priorities. Key Democrats in the Senate were already poised to block the existing bill, and new leadership in the House may have little interest in revisiting the law in ways amenable to their concerns.
Enforcement of the Five New State Privacy Laws Will be Muted
Privacy laws in California, Virginia, Colorado, Utah, and Connecticut are all coming into force this year, and yet regulators are still scrambling to refine the rules. Many states still haven’t adequately defined key terms in their regulations, and there is likely to be continued amendment-making, and pushback from industry groups, to figure out what adequate compliance with each will look like in practice.
Proposed children’s privacy laws mandate more data collection by companies for age-verification purposes and have been generally opposed by privacy advocates (including DeleteMe), because the identity-verification requirements these laws impose create more litigation risk for businesses and enlarge the databases available to attackers.
Illinois’ BIPA—which includes a strong private right of action—has been a source of large class-action settlements over the past 3 years, and has been a thorn in the side of businesses trying to utilize facial recognition or other new biometric technologies. As privacy advocates, we like BIPA’s strong private right of action. However, biometrics laws are a tricky topic. While biometrics may end up being the best form of passwordless identity verification, there needs to be a sensible regulatory framework in place first to prevent third-party abuse.
FTC and FCC Rules and Enforcement will Expand in Absence of New Federal Legislation
While new agency rule-making processes are typically slow, events like the mid-2022 overturn of Roe v. Wade motivated increased agency attention to relevant forms of consumer data collection, like location tracking and consumer health privacy.
While some members of Congress oppose independent agency action on as-yet-unlegislated issues, both the FTC and the FCC wield considerable power to interpret existing rules and are showing an increased willingness to act compared to the recent past.
Cybersecurity in 2023
Ransomware Attack Frequency will Decline but Damages Will Remain High and Increasingly Affect the Public Sector
It was inevitable that the explosion in ransomware during 2020-2021 would taper off as US businesses hardened detection and response, and some remote workers returned to a more secure office environment.
But the stats on frequency may be misleading, as businesses change the degree of disclosure around adverse events. Trends show a shift toward softer targets—particularly education, healthcare institutions, and public-sector agencies—while the length of disruptions and the cost of remediation remain high.
Nation-state-backed Cyber Attacks Will be a Real(er) Issue
While there was concern about potential Russian-backed cyberattacks against US interests in the opening phase of the war in Ukraine, little materialized at the time. But nation-state-backed attacks have grown internationally, and cybersecurity researchers believe economic disruption via supply-chain attacks is increasingly likely to affect US businesses in 2023.
2023 Will Bring the First Widespread use of AI in Real-time Social Engineering Attempts
GPT-3 has shown that convincing, real-time dialogue generation is already a reality. While major industries are all looking at new ways to implement AI tech in commercial practice, the same will be true of cybercriminals, who are likely to deploy scams leveraging the tech over the coming year.
“Privacy as the #1 Key Selling Point” will Continue to Grow
While the pandemic saw major tech platforms like Apple and Google launching new privacy features like ‘App Tracking Transparency’ and the ‘Privacy Sandbox’, there is still an uphill battle overcoming declining consumer trust in how Big Tech companies handle user data.
In mid-2022, Google added the ability for users to directly remove sensitive personal information from search results, and the trend of offering greater user privacy controls is only increasing. What we’re seeing in 2022 is a wider range of companies across different industries – like Telecoms and Financial Services (e.g. Discover’s New Online Privacy Protection tool) – seeing similar opportunities to recast themselves as sources of improved consumer online privacy, rather than key culprits.
The ‘Cookie’ will Not Die (but Will Become Irrelevant)
Google once again postponed its shift towards eliminating cookie tracking in Chrome due to pushback from advertising customers. But with more and more browsers already eliminating the technology, replacement forms of tracking – like MAID device identifiers – are already becoming more popular with the ad-tech industry, and other methods are proliferating and may become new standards before Google imposes its own.
Third-party Data, Bad. First-party Data, Good
Many companies already realize the growing regulatory and security risks of overly relying on third-party technology as the basis for consumer analytics, and more will be done to collect what insights they can directly from consumer engagement data.
Passwordless Authentication use will Increase Across a Wide Range of Industries
Improving identity-verification technology is one of the biggest challenges facing the entire industry landscape. Multi-factor authentication—which has served as an attempt to shore up the weaknesses of a passwords-only world—is increasingly prone to technical exploits, while consumer fraud and identity theft have been rising rapidly.
We certainly look forward to seeing what 2023 will bring for all of our fellow privacy warriors and cybersecurity community members working at the intersection of privacy and security. It’s going to be another interesting year…
DeleteMe was created in 2010 when we realized the difficulty of navigating privacy issues in today’s interconnected and digital world. Our mission is to provide everyone with the power to control their digital identity.