Data Privacy and Security Report: January 2023
A monthly roundup of federal data privacy and security policy and regulatory news
Welcome to Holland & Knight's first monthly data privacy and security news update. We are excited to bring you the latest in policy, regulatory updates and other significant developments. If you see anything in this report that you would like additional information on, please reach out to authors or members of Holland & Knight's Data Strategy, Security & Privacy Team.
General Congressional Update
The U.S. Senate of the 118th Congress was sworn in on Jan. 3, 2023, where Democrats maintained control and increased their ranks by one seat. Members of the U.S. House of Representatives were sworn in on Jan. 7, 2023, after electing Rep. Kevin McCarthy (R-Calif.) as Speaker of the House following a historic 15 rounds of votes. Republicans claimed a slim House majority of 222 to 213, wresting control from Democrats last Congress. The divided Congress means that legislation must have bipartisan support to become law and creates new dynamics for privacy- and data security-related issues.
Congressional Committee Leadership
Congressional leaders have now solidified committee memberships. The primary committees of jurisdiction over data privacy and security issues are the House Committee on Energy and Commerce (E&C Committee) and the Senate Committee on Commerce, Science, and Transportation (Commerce Committee). In the House, Rep. Cathy McMorris Rodgers (R-Wash.) takes the helm of the E&C Committee, and Rep. Frank Pallone (D-N.J.) remains her Democratic counterpart in the minority. In the Senate, Sen. Maria Cantwell (D-Wash.) remains chair of the Commerce Committee, though Sen. Ted Cruz (R-Texas) has taken over for Sen. Roger Wicker (R-Miss.) as the ranking member of the committee. Sen. Cruz is expected to focus heavily on technology company oversight. E&C Republicans and Democrats have released their subcommittee members, while the Commerce Committee has only released full committee members. One notable change is that Sen. Richard Blumenthal (D-Conn.), a privacy leader, will no longer serve on the Commerce Committee but will lead the Committee on Homeland Security and Government Affairs (HSGAC) Permanent Subcommittee on Investigations. The House E&C Committee announced its first hearing, "Economic Danger Zone: How America Competes to Win the Future Versus China," which focused, in part, on the risk of China getting access to U.S. consumer data.
Update on Comprehensive Data Privacy and Security Legislation
Negotiations over a comprehensive federal privacy bill are expected to resume in the 118th Congress. The American Data Privacy and Protection Act (ADPPA), which achieved more bipartisan support than any proposal in recent years, will serve as the starting point. While there continues to be general consensus around the need for such legislation, disagreements remain about the scope and enforcement mechanisms. Commerce Committee Chair Cantwell has not yet lent her support to the ADPPA due to enforcement concerns and objections of the trial lawyers, and it's unclear where Sen. Cruz will fall on the bill. Congressional champions of the ADPPA have vowed to reintroduce the bill this Congress, though the timeline for reintroduction is unclear. Various advocates have called for changes to expand or limit ADPPA protections or have urged Congress not to take a more narrow approach to privacy such as only focusing on kids' privacy, in part because it would diminish momentum for a sweeping privacy bill.
In the meantime, pressure on Congress to pass federal privacy and related consumer protection legislation continues to mount, and various stakeholders are weighing in. President Joe Biden recently penned an op-ed in the Wall Street Journal calling on Congress to pass legislation to rein in Big Tech and address digital privacy, competition and online safety concerns. In addition to passing privacy legislation, especially related to kids' privacy, he recommended reforming Section 230 of the Communications Decency Act, which protects online platforms from liability for content posted therein. The op-ed comes as the Federal Trade Commission (FTC) prepares to issue a proposed data privacy and security rulemaking in 2023, which could motivate Republicans to push the legislative route.
At the same time, businesses are facing the prospect of a 50-state privacy regime. On Jan. 1, 2023, two new privacy laws went into effect: the California Privacy Rights Act (CPRA), which amends the original California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA). On July 1, 2023, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) become effective. In addition, the Utah Consumer Privacy Act (UCPA) will go into effect on Dec. 31, 2023. Only the CPRA and the CPA authorize rulemakings. Both California and Colorado have published draft rules but have not yet finalized them. Several states have already introduced new privacy bills in 2023, including Oregon, New York, Indiana, Hawaii, Massachusetts and Tennessee.
Kids' Privacy Legislation
Senate Majority Leader Chuck Schumer (D-N.Y.) intends to advance children's privacy bills this year. He plans to work with his colleagues to reintroduce kids' privacy bills in February, hold markups in March and hold a floor vote in June. This effort would build on the failed attempt at the end of 2022 to pass two kids' privacy bills (the Kids Online Safety Act (KOSA) and Children and Teens' Online Privacy Protection Act (COPPA 2.0)). Although both bills enjoyed bipartisan support in the Senate Commerce Committee, kids' privacy advocates worked to prevent these bills from being passed as part of year-end appropriations legislation, arguing that such legislation could incentivize more data collection and the protections did not go far enough. While this type of obstacle may persist, it's possible that, in a divided Congress, kids' privacy could be a rare bipartisan issue.
Narrow Data Privacy and Security Bills
Other privacy, data security and consumer protection bills of note that have been introduced or reintroduced in January include:
Rep. Chuck Edwards (R-N.C.) has introduced the Transparency Over Toys Spying (TOTS) Act (H.R. 413), which requires that so-called "smart toys," which connect to Bluetooth and the internet and which – unbeknownst to parents – collect data on their children, be clearly labeled and have data security policies that parents can easily understand and access.
Sens. Cruz and Cantwell, along with Reps. John Curtis (R-Utah) and Seth Moulton (D-Mass.), reintroduced the Informing Consumers about Smart Devices Act, which would require the FTC to create reasonable disclosure guidelines for products that have audio or visual recording components such as televisions, speakers, refrigerators and other smart devices.
On Jan. 25, 2023, Rep. Ken Buck (R-Colo.) and Sen. Josh Hawley (R-Mo.) introduced the No TikTok on the United States Devices Act over privacy and national security concerns that China is using the app to access Americans' data. The House plans to vote on a nationwide TikTok ban bill in February, and TikTok's Chief Executive Officer Shou Zi Chew has agreed to appear before the E&C Committee on March 23, 2023, to testify on kids' privacy.
Holland & Knight tracks relevant legislation closely. Should you have any questions about the impact or dynamics of certain bills, please contact the authors for more information.
House Votes to Create China Competition Committee
The new Republican-majority House of Representatives has made China competition a priority. On Jan. 10, 2023, the House voted on a bipartisan basis (365 to 65) to create a new Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. The committee will investigate and submit policy recommendations on the status of China's economic, technological and security progress and its competition. Rep. Mike Gallagher (R-Wis.) will serve as the chairman of the new select committee.
E&C Holds Roundtable on Big Tech and Fentanyl
On Jan. 25, 2023, the E&C Committee held a roundtable on the dangers posed by Big Tech to children amidst the fentanyl poisoning crisis. One witness, Sheriff John Nowels of the Spokane County (Washington) Sheriff's Office, emphasized the importance of technology companies sharing data with law enforcement and focused on the need for data retention. The sheriff floated the idea of legislation that would compel tech and social media companies to retain data and respond to law enforcement requests in a timely manner.
EXECUTIVE AND DEPARTMENTAL UPDATES
NTIA Requests Public Comment on Privacy
On Jan. 20, 2023, the U.S. Department of Commerce's (DOC) National Telecommunications and Information Administration (NTIA) published in the Federal Register a Request for Comment (RFC) on how commercial use of privacy data harms the public. Specifically, the RFC seeks information on "how the processing of personal information by private entities creates, exacerbates, or alleviates disproportionate harms for marginalized and historically excluded communities; to explore possible gaps in applicable privacy and civil rights laws; and to identify ways to prevent and deter harmful behavior, address harmful impacts, and remedy any gaps in existing law." The comments received by NTIA will be used to develop a report that will aim to guide Congress on privacy legislation. Comments are due on March 6, 2023.
HOLLAND & KNIGHT INSIGHT: The comments received by NTIA could impact the trajectory of privacy legislation, as well as the FTC's privacy rulemaking. Holland & Knight's Data Strategy, Security & Privacy Team can assist organizations with developing comments and recommend that organizations review submitted comments to ensure awareness of issues raised that are relevant to your organization.
NIST Releases First AI Management Framework
On Jan. 26, 2023, the DOC's National Institute of Standards and Technology (NIST) released its long-awaited Artificial Intelligence Risk Management Framework (AI RMF 1.0), a guidance document 18 months in the making for voluntary use by organizations designing, developing, deploying or using artificial intelligence (AI) systems to help manage the many risks of AI technologies. The AI RMF is divided into two parts: "The first part discusses how organizations can frame the risks related to AI and outlines the characteristics of trustworthy AI systems. The second part, the core of the framework, describes four specific functions – govern, map, measure and manage – to help organizations address the risks of AI systems in practice. These functions aim to be applied in context-specific use cases and at any stages of the AI life cycle."
HOLLAND & KNIGHT INSIGHT: Other NIST frameworks for privacy and cybersecurity have become the de facto baseline industry standards, and this AI framework is expected to follow the trend. Organizations should review the framework against their current AI practices and approach.
FTC Fines Digital Health Company
On Feb. 1, 2023, the FTC accused GoodRx Holdings Inc. (GoodRx), a telehealth and prescription drug discount provider, of violating the Health Breach Notification Rule by failing to notify consumers of its unauthorized disclosures of personal health information to third-party, Big Tech companies. As a result, GoodRx will be "prohibited from sharing user health data with applicable third parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule." The proposed order must be approved by the federal court to go into effect. The FTC issued a policy statement in September 2021 affirming that digital health apps are subject to the Health Breach Notification Rule, putting the industry on notice that the FTC could pursue enforcement actions for violations. (See Holland & Knight's alert, "FTC Seeks First-Ever Health Breach Notification Rule Enforcement: Pixel Users Beware," Feb. 2, 2023.)
What's Ahead for FTC
The Biden Administration released its Fall 2022 Unified Agenda on Jan. 4, 2023, outlining regulatory actions that the administration and agencies plan to issue over the next year. This includes updating the Children's Online Privacy Protection Rule (COPPA), which is in the pre-rule stage. The process for this rulemaking began in 2019, but it could pick up again, given the FTC's increased focus on kids' privacy enforcement.
HOLLAND & KNIGHT INSIGHT: The FTC and Congress's increased attention to kids' privacy raises the import of compliance for companies that "direct" certain products and services to children under 13.
As expected, the agenda also includes issuing a privacy and data security rulemaking. In August 2022, the FTC began this rulemaking process by releasing an Advance Notice of Proposed Rulemaking (ANPRM), "Trade Regulation Rule on Commercial Surveillance and Data Security," under Section 18 of the FTC Act, which authorizes the Commission to promulgate, modify and repeal trade regulation rules that define with specificity acts or practices that are unfair or deceptive in or affecting commerce within the meaning of Section 5(a)(1) of the FTC Act. Comments were due by Nov. 21, 2022. The FTC is in the midst of reviewing those comments before taking further action (under 15 U.S. Code § 57a, the next step would be a Notice of Proposed Rulemaking).
HOLLAND & KNIGHT INSIGHT: This rulemaking is expected to advance as a priority of FTC Chair Lina Khan, but will face legal challenges down the road if the FTC is able to issue final rules. Several Republican senators sent a letter in November 2022 to the FTC, opposing the rulemaking and arguing that preempting state laws would exceed FTC's statutory authority. If the FTC's rulemaking does not preempt state laws, it could create additional or different obligations on entities trying to comply with multiple regimes. Ultimately, it's anticipated that the FTC will take an increasingly aggressive approach to regulating and enforcing data-handling practices in 2023.