A monthly roundup of federal data privacy and security policy and regulatory news

Welcome back to Holland & Knight's monthly data privacy and security news update that includes the latest in policy, regulatory updates and other significant developments. If you see anything in this report that you would like additional information on, please reach out to the authors or members of Holland & Knight's Data Strategy, Security & Privacy Team.

LEGISLATIVE UPDATES

Government Shutdown Averted; McCarthy Ousted as Speaker

Congress narrowly avoided a government shutdown with both chambers approving a continuing resolution (CR) on Sept. 30, 2023, to keep the government funded. The U.S. House of Representatives passed the "clean" 45-day stopgap funding measure by a bipartisan vote of 335-91. The U.S. Senate then passed the measure on an 88-9 vote.

President Joe Biden signed the legislation into law, which keeps the government open through Nov. 17, 2023, and includes $16 billion in disaster relief funding and a three-month extension of the current Federal Aviation Administration (FAA) authorization. Notably, the CR did not include funding for Ukraine, though Senate leadership maintains that it will take up standalone legislation to send additional support to assist Ukraine's war effort. This may prove challenging given that support is not unanimous, and House support appears unclear given the current dynamics surrounding leadership of the House Republican Conference.

On Oct. 3, 2023, the House of Representatives voted 216-210 to remove Rep. Kevin McCarthy (R-Calif.) as speaker, in part, due to his compromise with Democrats to avert the shutdown. Eight Republicans voted with Democrats to cause the ouster.

House Judiciary Committee Chairman Jim Jordan (R-Ohio) and House Majority Leader Steve Scalise (R-La.) both announced their candidacy for speaker. However, there is significant uncertainty as to whether this will remain a two-horse race. Rep. Kevin Hern (R-Okla.), head of the Republican Study Committee, may also join the race. Other candidates could emerge if no candidate has enough support after the secret ballot election process proceeds.

House Republicans are scheduled to meet on Oct. 10, 2023, to nominate a new candidate for speaker, and then a floor vote to make that official would follow. As House Republicans decide on a path forward, another potential shutdown looms as current funding levels will expire in approximately six weeks.

Fourth Quarter Outlook

The House will spend much of October and November taking up consideration of its various spending bills in an attempt to avoid another shutdown at midnight on Nov. 17, 2023. Even if the Senate matches the lower chamber's pace and considers its versions of the spending packages, reconciling the bills passed in each chamber will likely take significant time and effort, especially considering the large gap between the House and Senate's proposed spending levels. As the appropriations process continues to unfold, the focus on spending will likely continue to take up a significant amount of floor time in both chambers. The Senate is also expected to devote its energy to confirming nominations, advancing artificial intelligence (AI) discussions and conferencing the annual defense bill.

New Bicameral Legislation on Targeted Advertising Introduced

Reps. Anna Eshoo (D-Calif.) and Jan Schakowsky (D-Ill.), along with Sens. Ron Wyden (D-Ore.) and Cory Booker (D-N.J.), recently introduced the Banning Surveillance Advertising Act (H.R. 5534/S. 2833), which would prohibit advertising networks and facilitators from using personal data to target advertisements, with the exception of broad location targeting to a recognized place (e.g., municipality). The bill also prohibits advertisers from targeting advertisements based on protected class information such as race, gender and religion, as well as personal data purchased from data brokers. Notably, the bill allows for contextual ads or ads based on the content a user is currently engaged with.

Schumer AI Insight Forum and Senate AI Hearings Focused on Privacy Implications

On Sept. 13, 2023, Senate Majority Leader Chuck Schumer (D-N.Y.) held his first AI Insight Forum, a closed-door, all-day event in which two thirds of the Senate heard from top tech CEOs, labor and civil rights leaders, and safety advocates on how Congress can help address the risks associated with the development and deployment of advanced AI. Topics included AI's impacts on national security, workforce, privacy, elections and bias, among many others. Additional forums are expected on various aspects of AI to further explore some of these impacts. Moreover, Schumer appointed a bipartisan group – made up of Sens. Mike Rounds (R-S.D.), Todd Young (R-Ind.) and Martin Heinrich (D-N.M.) – tasked with developing AI legislation, but there is no timeline associated with this work.

That same week, the U.S. Senate Committee on the Judiciary conducted a hearing to discuss stakeholder perspectives on the rapid growth in the development and deployment of AI and provide considerations for prospective federal AI legislation to be considered by the Subcommittee on Privacy, Technology, and the Law. Similarly, the Senate Committee on Commerce, Science, and Transportation held a hearing to gather stakeholder perspectives on the capabilities and limitations of AI and provide considerations for legislation to increase AI transparency.

While the U.S. currently does not have a comprehensive policy regulating AI, senators have begun introducing bipartisan bills focused on increasing transparency and accountability. Just prior to the hearings, for instance, Sens. Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) introduced their framework for the development of AI legislation. Within the context of their framework, the most highly discussed topics at the hearing included consumer safety and security regulatory frameworks, software development and distribution restrictions, and comprehensive advisory and enforcement networks. Both hearings emphasized an urge to pass comprehensive data protection legislation that would address some of the risks AI technology poses.

Organizations Urge Senate to Consider Child Privacy and Protection Legislation

A national nonprofit organization aimed at eliminating sexual exploitation – along with 138 organizations and 22 survivor-leaders – sent Sens. Chuck Schumer (D-N.Y.) and Mitch McConnell (R-Ky.) a letter urging them to bring a slate of child protection legislation to a vote, including:

  • Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act (S. 1207): The bill encourages the technology industry to take action to make the internet safer for kids by amending Section 230 of the Communications Decency Act to remove blanket immunity for violations of laws related to online child sexual abuse material (CSAM). It also bolsters enforcement tools and provides civil recourse for survivors. Additionally, the bill brings together stakeholders through a National Commission on Online Child Sexual Exploitation Prevention, which would be responsible for developing voluntary best practices companies can take to prevent, reduce and respond to the online sexual exploitation of children.
  • Kids Online Safety Act (S. 1409) (KOSA): KOSA would impose a duty of care for digital services to prevent harm to younger users.
  • Strengthening Transparency and Obligation to Protect Children Suffering from Abuse and Mistreatment (STOP CSAM) Act (S. 1199): The STOP CSAM Act would require federal grant recipients that provide services to children to report child abuse. The bill would also strengthen current Cyber Tipline reporting requirements by removing tech companies' discretion as to whether to report a planned or imminent child exploitation offense.
  • Revising Existing Procedures on Reporting via Technology (REPORT) Act (S. 474): The bill would improve the Cyber Tipline by requiring reporting of child sex trafficking and enticement.
  • Project Safe Childhood Act (S. 1170): The bill would modernize the U.S. Department of Justice's (DOJ) Project Safe Childhood Program to enhance law enforcement's response to online child sexual exploitation.

The Senate Committee on the Judiciary unanimously advanced the EARN IT Act and STOP CSAM Act in May 2023. Both bills now await a vote on the Senate floor. Similarly, the Senate Committee on Commerce, Science, and Transportation advanced KOSA in July 2023. Senate Majority Leader Chuck Schumer (D-N.Y.) has indicated he plans to bring kids' privacy bills to the Senate floor this fall, but a definitive timeline for consideration remains to be seen.

EXECUTIVE AND DEPARTMENTAL UPDATES

CFPB Takes Aim at Data Brokers

On Sept. 15, 2023, the Consumer Financial Protection Bureau (CFPB) released an outline of proposals and alternatives under consideration to guide the organization's process to regulate data brokers and consumer data collection more broadly. CFPB first announced in August 2023 its intent to propose a rule that would apply the 1970 Fair Credit Reporting Act (FCRA) to companies that track, harvest and sell people's data. The FCRA places specific legal obligations on consumer reporting agencies and gives consumers a number of rights over the information in their credit reporting files. The rule would clarify how sensitive information is purchased by data brokers and would also ban these companies from selling consumer data for purposes of targeted advertising and training AI models.

The CFPB's outline confirms that data brokers would be regulated as consumer reporting agencies and covered by the FCRA to the extent that they sell certain types of sensitive consumer data. The sale of data collected by data brokers for advertising or targeting would be limited "to only those companies or persons to whom the consumer applied for credit, insurance, employment, housing, or some other service, or to whom the consumer otherwise authorized access."

The CFPB's move comes after the White House roundtable on data brokers that included the CFPB, Federal Trade Commission (FTC), DOJ, White House Office of Science and Technology Policy (OSTP) and National Economic Council. Administration officials pledged during the roundtable to continue using their authorities to subject data brokers to greater regulation and oversight.

Privacy Oversight Board Issues Recommendations to Congress on Governmental Surveillance

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on the surveillance program operated pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA). The Section 702 program was designed for counterterrorism efforts and allowed the National Security Agency (NSA) to collect certain foreign intelligence information by electronic surveillance. Section 702 authorizes the government to target non-U.S. persons, though data on citizens may be "incidentally" collected.

The report found that significant reforms to the Section 702 program are needed to address privacy risks to Americans. The new report includes 19 recommendations to Congress that would enhance oversight of the program and establish more checks against the data-collection capabilities Section 702 grants intelligence agencies. Congress most recently reauthorized Section 702 in January 2018, and the authority is set to expire on Dec. 31, 2023. As Congress considers reauthorizing the sweeping U.S. government surveillance power, the report will be relied on by members seeking to curtail abuses.

NTIA Releases RFC on Kids Online Safety Best Practices

On Sept. 29, 2023, the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) released a request for comment (RFC) on best practices to protect minors' mental health, safety, and privacy online. NTIA's Task Force on Kids Online Health and Safety will use the responses to develop voluntary guidance, policy recommendations and a toolkit on privacy-by-design for industry to apply in developing digital products and services. The task force is an interagency collaboration between the U.S. Department of Health and Human Services (HHS) and Commerce Department as part of the Biden Administration's larger efforts to address kids' online safety concerns. Written comments in response to the RFC must be provided to NTIA by Nov. 17, 2023.

FTC's Sam Levine Takes Aim at Data Broker Industry

At the 2023 Consumer Data Industry Association (CDIA) Law and Industry Conference, Director of the FTC's Bureau of Consumer Protection Sam Levine spoke out against contemporary data collection and took aim at the data broker industry specifically. During his speech, he emphasized that the U.S. privacy regime is "grounded entirely in the fiction of notice and choice" and that data brokers have "led to the creation of detailed digital dossiers on almost every American." His remarks likely signal more aggressive enforcement efforts to come from the agency.

Last year, the FTC issued an Advance Notice of Proposed Rulemaking (ANPR) regarding commercial surveillance and data security practices. Levine shared that the agency is in the process of reviewing more than 11,000 comments submitted on the ANPR. The agency is working to finalize that rulemaking, and it is also continuing its ongoing review of the Children's Online Privacy Protection Act (COPPA) Rule, which regulates online services to children under 13 years old.

STATE UPDATES

Data Broker Law Clears California Legislature

On Sept. 14, 2023, the California legislature passed the Delete Act (Senate Bill 362), legislation that would allow residents to ask that companies delete all the data they have on a person rather than just the data they collected themselves. The bill, which the legislature sent to the governor's desk just before wrapping its legislative session for the year, seeks to remedy what some view as a loophole in the California Consumer Privacy Act (CCPA) that allows consumers to request data brokers delete information obtained from them, but not information aggregated about them from other sources. The bill would allow Californians to press a "delete button" that would require the state's 500 registered data brokers to delete all personal information for that resident. The bill now awaits the signature of the governor, who has until Oct. 14, 2023, to sign bills from the latest session into law.

Attorneys General Write to Congress on AI-Generated CSAM

More than 50 state attorneys general sent a letter to lawmakers urging Congress to expand restrictions on CSAM to specifically cover AI-generated content. They wrote, "As a matter of personal privacy, AI can even study short recordings of a person's voice, such as from voicemail or social media posts, and convincingly mimic that voice to say things that person never said. This technology has already been used by scammers to fake kidnappings." They called on Congress to examine how the emerging technology could be used to exploit children and asked that Congress expand existing restrictions on CSAM to ensure prosecutors have the tools needed to protect children.

CPPA Issues Draft Privacy Risk Assessment Regulations

On Sept. 8, 2023, the California Privacy Protection Agency (CPPA) Board met to discuss the draft risk assessment and cybersecurity audit regulations, which are rulemakings required by the California Privacy Rights Act of 2020 (CPRA). The CPRA's risk assessment is analogous to what other states have referred to as data protection assessments. The drafts are solely for discussion purposes, and the CPPA has not yet begun the formal rulemaking process. Under the draft regulations, companies that engage in a list of activities that present a significant or heightened risk of harm to consumers – such as selling or sharing personal information – would be required to conduct a risk assessment. The risk assessment would require businesses to analyze the processing activity's risks to consumers, and the draft provides a list of enumerated harms for businesses to consider in conducting this analysis. The draft also sets forth a list of safeguards companies must consider implementing to address the harms identified. The CPPA will continue to make conforming changes to the draft regulations before the Board meets again in December 2023.
