A monthly roundup of federal data privacy and security policy and regulatory news

Welcome back to Holland & Knight's monthly data privacy and security news update that includes the latest in policy, regulatory updates and other significant developments. If you see anything in this report that you would like additional information on, please reach out to the authors or members of Holland & Knight's Data Strategy, Security & Privacy Team.

LEGISLATIVE UPDATES

A Look Ahead to 2024

A laundry list of critical legislative issues has been kicked to 2024 for U.S. Congress to tackle. First, passing a full year's appropriations bill for fiscal year (FY) 2024 will be a major priority for the first quarter of 2024. The continuing resolution (CR) for FY 2024 funding that was passed in November 2023 created two funding deadlines in 2024: one on Jan. 19 and the other on Feb. 2. However, bipartisan negotiators have yet to come to a deal on annual topline funding figures. These conversations will continue as Congress reconvenes the week of Jan. 8. Additionally, Congress will continue its work negotiating supplemental appropriations and striking a deal on border policy. The Federal Aviation Administration (FAA) and the farm bill also will need to be extended or reauthorized in the coming months.

In addition, artificial intelligence (AI) is expected to dominate the debate around technology this year. U.S. Senate Majority Leader Chuck Schumer (D-N.Y.) said at the end of 2023 that the Senate bipartisan AI group has started work on AI legislation now that the AI Insight Forums are complete.

FISA Temporarily Reauthorized in NDAA

After much discussion, the National Defense Authorization Act (NDAA) included a short-term extension of the Foreign Intelligence Surveillance Act (FISA) that will keep the program authorized through April 19, 2024. The controversial section of FISA, colloquially known as Section 702, enables the U.S. government to obtain intelligence by collecting records of foreign persons based overseas who are using U.S.-based communications services.

Both chambers of Congress have indicated a strong interest in considering reforms to FISA to address critics' complaints that the law allows the FBI to search data to collect information on Americans, as opposed to foreign adversaries, without proper justification and without a warrant. In a joint statement on FISA, Senate Majority Leader Chuck Schumer (D-N.Y.) and Minority Leader Mitch McConnell (R-Ky.) said: "Reforming FISA authorities to prevent abuse while ensuring our ability to defend our nation is a shared bipartisan, bicameral priority. We commit to work in good faith with our Senate Chairs and Ranking Members and the House to negotiate a final bill that can be passed on a bipartisan basis by both the House and Senate early next year."

In the U.S. House of Representatives, Speaker Mike Johnson (R-La.) promised votes on two competing reform bills: the Committee on the Judiciary's Protect Liberty and End Warrantless Surveillance Act (H.R. 6570) and the Permanent Select Committee on Intelligence's FISA Reform and Reauthorization Act (H.R. 6611). The House has not come to a consensus on which is preferred between the two bills.

KOSA Goes Without a Floor Vote for a Second Year

In early November 2023, Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-Wash.) announced plans to "hotline" kids' privacy legislation in the Senate, such as the Kids Online Safety Act (KOSA), which would allow expedited consideration of the legislation through unanimous consent, so long as no senator objects.

The Senate Commerce Committee favorably reported KOSA in July 2023 during a markup. However, Cantwell postponed hotlining the bill in an effort to address remaining objections regarding privacy and censorship concerns.

The bill, introduced by Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.), would impose a duty of care for digital services to prevent harm to younger users. Cantwell is working to address criticism that the bill disproportionately harms LGBTQ+ youth. Additionally, her team is working with the committee's top Republican, Sen. Ted Cruz (R-Texas), and his staff to address privacy groups' concerns surrounding the inclusion of "duty of care" language that some believe could allow companies to unconstitutionally restrict speech on the platforms. They are working to amend the language, especially considering that kids' online safety laws in Arkansas and California were found to violate the First Amendment. Cantwell has indicated the bill is still a priority in 2024.

Sen. Ron Wyden (D-Ore.) indicated in a November 2023 floor speech he will block the bill from moving under unanimous consent unless it forecloses the ability of state attorneys general to "wage war on important reproductive and LGBTQ content."

E&C Hearing and the Call for a National Data Privacy Standard

The House Committee on Energy and Commerce held its first full committee hearing on AI since the White House released its AI executive order. The committee held a series of subcommittee hearings over the past few months examining AI's impact in different sectors of the economy. The hearing, "Leveraging Agency Expertise to Foster American AI Leadership and Innovation," included witnesses from the U.S. Departments of Energy, Commerce and HHS and focused on a discussion of how the Biden Administration can work with Congress to leverage the sector-specific knowledge of federal agencies to address the evolving AI marketplace. During the hearing, members such as Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) advocated for Congress to strengthen data security protections to safeguard people's information against threats. She argued that establishing foundational protections more broadly will ensure greater public trust in AI and ensure future innovations are made in the United States.

Despite this, 12 states have passed some privacy law adding to the existing patchwork of state privacy bills. Utah's law went into effect on Dec. 31, 2023, and six more state privacy laws will go into effect in 2024: Florida, Montana, Nevada, Oregon, Texas and Washington. With state legislatures coming back into session in early 2024, state lawmakers are expected to try to advance additional privacy laws, making the path forward for any federal privacy bill more tenuous.

EXECUTIVE AND DEPARTMENTAL UPDATES

FTC Issues Proposed Amendment to COPPA Rule

On Dec. 20, 2023, the Federal Trade Commission (FTC) proposed a rule to amend its Children's Online Privacy Protection (COPPA) Rule by further limiting companies' ability to monetize children's data. The proposed rule would require targeted advertising to be off by default, impose limits on push notifications, restrict surveillance in schools and impose stricter data security requirements. The rule also prohibits conditioning a child's participation on collection of personal information and increases accountability for safe harbor programs. Generally, the proposal aims to shift the burden from parents to providers.

The COPPA Rule first went into effect in 2000 and requires websites and online services that collect personal information from children under age 13 to provide notice to parents and obtain verifiable parental consent before collecting, using or disclosing personal information from these children. It also limits the type of data that companies may collect, dictates how long they can retain that data and requires them to secure the data.

FTC Chair Lina Khan stated that "The proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life – and where firms are deploying increasingly sophisticated digital tools to surveil children. By requiring firms to better safeguard kids' data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents."

Sens. Ed Markey (D-Mass.) and Bill Cassidy (R-La.), the sponsors of COPPA 2.0, praised the FTC's proposal and claimed it is "critical to modernizing online privacy protections for children and addressing Big Tech's new tactics that exploit, track and target kids online." They also noted that the act should be passed quickly to prioritize the well-being of children. COPPA 2.0 would reform COPPA by prohibiting online companies from collecting personal information from users who are 13 to 16 years old without their consent and banning targeted advertising to children and teens. The Senate Committee on Commerce, Science, and Transportation favorably reported the bill in July 2023 during a markup. The bill similarly made it out of committee before ultimately failing to secure floor time for a vote last year.

FCC Votes to Broaden Scope of Data Breach Rules

On Dec. 13, 2023, the Federal Communications Commission (FCC) adopted rules to modify the Commission's 16-year-old data breach notification rules to ensure telecommunications companies are required to adequately safeguard sensitive customer information and to enable customers to protect themselves in the event their data is compromised. Specifically, the move will expand the scope of the breach notification rules to cover certain personally identifiable information that carriers hold with respect to their customers. Additionally, the definition of breach is expanded to include inadvertent access, use or disclosure of customer information in most circumstances. The Commission's vote on the Report and Order was 3-2. However, similar data breach rules to ensure telecom providers safeguard consumers' information were killed by a 2017 Congressional Review Act (CRA) resolution of disapproval on the same issues. The CRA forbade the FCC from issuing similar proposals. The rule could be overturned as a result.

The FCC under Chair Jessica Rosenworcel has been pushing for additional privacy and security initiatives in telecommunications networks and stood up a Privacy and Data Protection Task Force to focus on data breaches and other cyber intrusions in June 2023.
