A monthly roundup of federal data privacy and security policy and regulatory news

Welcome back to Holland & Knight's monthly data privacy and security news update that includes the latest in policy, regulatory updates and other significant developments. If you see anything in this report that you would like additional information on, please reach out to the authors or members of Holland & Knight's Data Strategy, Security & Privacy Team.

LEGISLATIVE UPDATES

Montana Becomes 1st State to Ban TikTok

Montana Gov. Greg Gianforte signed into law a bill on May 17, 2023, banning app stores from offering TikTok in the state beginning Jan. 1, 2024. App stores that continue to offer TikTok after the ban is in effect could face penalties starting at $10,000. The new ban seeks to prevent TikTok from infringing on Montanans' privacy by storing user information and data and sharing that data with the Chinese Communist Party. Montana's TikTok law comes after efforts to curtail TikTok data-sharing practices at the federal level have stalled. Multiple bills – such as the RESTRICT Act and the Deterring America's Technological Adversaries (DATA) Act – continue to circulate, but neither chamber has held a vote on TikTok-related legislation. These bills range from granting the Biden Administration the authority to block certain transactions involving foreign companies that threaten national security to a nationwide ban of the app. Despite initial momentum, Congress appears to be slow-walking after members on both sides of the aisle have come out against a ban due to First Amendment concerns.

TikTok is challenging the law on constitutional grounds, including that it violates free speech protections. TikTok filed a complaint in the U.S. District Court for the District of Montana and asked for an injunction to prevent the state from enforcing the ban. In part, the company purports that the ban infringes on the company's right to disseminate and promote third-party speech and is preempted by the federal government, which controls national security issues. Experts believe the legal challenge may succeed, underscoring the need for a federal solution.

COPPA 2.0 Joins a Crowded Field of Child Online Privacy Bills

Lawmakers recently reintroduced several kids' privacy bills, including the Children and Teens' Online Privacy Protection Act (COPPA 2.0). Senate Majority Leader Chuck Schumer (D-N.Y.) has said that he plans to bring kids' privacy bills to the Senate floor for a vote in the coming months. Sen. Ted Cruz (R-Texas) has taken over as Ranking Member of the Senate Committee on Commerce, Science, and Transportation. Both Cruz and Committee Chair Maria Cantwell (D-Wash.) have indicated an interest in considering kids' privacy legislation this Congress. Nevertheless, passage in the House will likely be more difficult to achieve. House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) has indicated that she prefers a comprehensive national standard on data privacy over narrow child protections.

The kids' privacy bills introduced or reintroduced in the Senate last month include:

  • COPPA 2.0: Sens. Ed Markey (D-Mass.) and Bill Cassidy (R-La.) reintroduced this bill, which would reform COPPA to prohibit online companies from collecting personal information from users who are 13 to 16 years old without their consent and ban targeted advertising to children and teens. This is similar to previous renditions of the bill.
  • Kids Online Safety Act (KOSA): Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) reintroduced this bill that would impose a duty of care for digital services to prevent harm to younger users.
  • Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act: The bill encourages the technology industry to take action to make the internet safer for kids online by amending Section 230 of the Communications Decency Act to remove blanket immunity for violations of laws related to online child sexual abuse material (CSAM). It also bolsters enforcement tools and provides civil recourse for survivors. Additionally, the bill brings together stakeholders through a National Commission on Online Child Sexual Exploitation Prevention, which would be responsible for developing voluntary best practices companies can take to prevent, reduce and respond to the online sexual exploitation of children. The Senate Judiciary Committee recently unanimously advanced the EARN IT Act, which now awaits a vote on the Senate floor.
  • Strengthening Transparency and Obligations to Protect Children Suffering from Abuse and Mistreatment (STOP CSAM) Act: Similarly, Senate Majority Whip Dick Durbin (D-Ill.) introduced a bill that would require mandatory child abuse reporting by federal grant recipients that provide services to children. The bill would also strengthen current CyberTipline reporting requirements by removing tech companies' discretion as to whether to report a planned or imminent child exploitation offense. The Senate Committee on the Judiciary voted 20-1 to advance the STOP CSAM Act.
  • Protecting Kids on Social Media Act: A group of bipartisan senators also introduced a bill that would require consent from parents in order for teens between ages 13 and 17 to access social media accounts and would prohibit users who are under age 13 from accessing platforms. Additionally, these online platforms would also be required to verify the age of all users.

Additionally, Sen. Lindsey Graham (R-S.C.) has indicated that he and Sen. Sheldon Whitehouse (D-R.I.) plan to introduce legislation to sunset Section 230. He believes that regulatory changes to tighten kids' privacy would be in vain so long as companies can hide behind the liability shield.

House Energy and Commerce Committee Questions Data Brokers Following Oversight Hearing

Following the House Energy and Commerce Committee's Subcommittee on Oversight and Investigations hearing examining the role of data brokers in the digital economy, committee leaders wrote to the heads of 22 companies requesting pertinent information to help the committee understand how "data brokers" purchase, collect, use, license and sell Americans' data. During the hearing, members discussed the collection and selling of personal data and how data brokers profit from that data, which could establish a record for future legislative action. The letters – sent by Chair McMorris Rodgers, Ranking Member Frank Pallone (D-N.J.) and bipartisan leaders of several Energy and Commerce subcommittees – suggested that the American Data Privacy and Protection Act may address some of these issues.

Tennessee and Montana Become 8th and 9th States to Pass State Privacy Laws; Texas to Follow as 10th State

Tennessee Gov. Bill Lee signed into law on May 11, 2023, the Tennessee Information Protection Act (TIPA) (HB 1181), comprehensive consumer data privacy legislation that received unanimous support in both houses of the state's General Assembly. The bill enhances consumers' control over their personal data by giving consumers the right to delete data collected by third parties, the right to opt out of targeted advertising and the right to correct inaccurate information, similar to other state privacy bills signed into law this year. The law will go into effect on July 1, 2025.

Montana Gov. Greg Gianforte signed into law on May 22, 2023, the Montana Consumer Data Privacy Act (MCDPA) (SB 384), which provides residents with a right to delete their information and to opt out of the sale of their data. The new law will go into effect on Oct. 1, 2024.

Lastly, on May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA) (HB 4), which requires covered entities to conduct data protection assessments, establish data processing agreements and recognize universal opt-outs. The bill is modeled after the Virginia Consumer Data Protection Act (VCDPA), which is considered more business-friendly than the California privacy laws. The Texas bill would go into effect on July 1, 2024. Texas Gov. Greg Abbott will likely sign the bill into law.

These additional state laws make it less likely that Congress will pass a federal privacy law, since lawmakers from the states that have adopted privacy laws will likely oppose federal preemption. For a federal privacy law to effectively prevent a patchwork of different state laws, some states would need to relinquish the states' preferred models to regulate privacy.

EXECUTIVE AND DEPARTMENTAL UPDATES

FTC Proposes Health Breach Notification Rule

The Federal Trade Commission (FTC) released a notice of proposed rulemaking to amend its Health Breach Notification Rule in an effort to tighten regulation of health data privacy. The amendments to the 14-year-old rule seek to clarify how it applies to digital health apps and tools that the Health Insurance Portability and Accountability Act (HIPAA) does not govern. If finalized, the rule would require vendors of personal health records and related entities to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. The Health Breach Notification Rule would apply to health apps offering health services such as fitness, sleep, wellness and mental health capabilities.

White House Rolls Out AI R&D Roadmap

The White House Office of Science and Technology Policy (OSTP) released a National Artificial Intelligence (AI) Research and Development (R&D) Strategic Plan on May 23, 2023. The plan outlines key priorities and goals for federal investments in AI R&D that aim to promote responsible innovation and protect people's rights and safety. It builds on the Blueprint for an AI Bill of Rights the White House published last year. OSTP also issued a Request for Information (RFI), which seeks input on national priorities for mitigating AI risks, protecting individuals' rights and safety and harnessing AI to improve lives. Responses are due by July 7, 2023.

Court Asks FTC to Weigh In on COPPA Defense

In a recent case regarding alleged kids' online privacy violations, the Federal Trade Commission (FTC) argued that the federal Children's Online Privacy Protection Act (COPPA) does not protect tech companies from state-level regulations. A tech company argued that the 1998 federal law setting data privacy protections for children 13 years old and younger preempts state regulation after plaintiffs alleged the company had collected data on children without consent, violating privacy regulations in California, Colorado and Indiana. The district court sided with the tech company and found that COPPA preempts state law. However, the U.S. Court of Appeals for the Ninth Circuit reversed the decision.

As the Court of Appeals reviews its decision at the plaintiff's request and weighs rehearing the case en banc, the court asked the FTC to share its perspective on "whether the preemption clause [in COPPA] preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA." In its amicus brief, the FTC argued that nothing in COPPA's text, purpose or legislative history supports a sweeping preemption, but rather COPPA's preemption clause only applies to state laws inconsistent with COPPA.
