As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail IoT updates in Congress, the states, and federal agencies.

Part IV: Internet of Things

This quarter’s IoT-related Congressional and regulatory updates ranged from promoting consumer awareness to bolstering the security of connected devices.  In particular, the Federal Communications Commission (“FCC”) has taken a number of actions to promote the growth of IoT while the National Institute of Standards and Technology (“NIST”) continues to work to fulfill its obligations under President Biden’s May Executive Order on Improving the Nation’s Cybersecurity (“EO”).  The IoT Cybersecurity Improvement Act of 2020 (H.R.1668) additionally tasked NIST with developing security standards and guidelines for the federal government’s IoT devices.  This year NIST put out a number of reports to carry out this mandate, including guidance documents to assist federal agencies with evaluating the security capabilities required in their IoT devices (NIST SP 800-213).

As was the case last quarter, a number of IoT-related bills in Congress focus on consumer cybersecurity literacy and connected device security.  For example, the Informing Consumers about Smart Devices Act (H.R.5696), introduced by Representative Chris Jacobs (R-NY-27), would prohibit manufacturers and developers of connected devices from collecting, processing, or disclosing camera or microphone data unless such actions are consistent with “reasonable consumer expectations” or they obtain user’s “express, affirmative consent.”  In order to obtain consent, the entity must provide users a brief notice that describes the data collection, processing, or disclosure; obtain an affirmative response; and maintain a separate privacy policy for this activity.  In addition, the Improving Cybersecurity of Small Organizations Act of 2021 (S.2483), introduced by Senator Jacky Rosen (D-NV), would require the Cybersecurity and Infrastructure Security Agency to promote cybersecurity guidance for use by small organizations, including the risks posed by connected devices used by employees and contractors.  As part of efforts in Congress to promote broadband access and close the digital divide, Senator Raphael Warnock (D-GA) and Congressman A. Donald McEachin (D-VA-4) introduced the Device Access for Every American Act (S.2729; H.R.5257), which would establish a program to administer up to $400 vouchers for low-income Americans to purchase connected devices, including laptops and tablets.

States considered their own range of related proposals, which centered on IoT device data collection and consumer rights.  For example, California introduced a bill (A.B.1262), which would require manufacturers of smart speakers to inform users of voice recognition features, as well as prohibit recordings from being used for advertising purposes or shared with third parties without first obtaining the user’s “affirmative consent.”  New Jersey similarly introduced the Concerns the Consumer Electronic Voice Recognition Information Act (A.B.3072), which would prohibit voice recognition features on connected devices before informing users of the feature.  Illinois also introduced the Automatic Listening Exploitation Act (S.B.2080), which would prohibit an entity from recording users from smart speakers or sharing such recordings without first obtaining the user’s “express informed consent.”

On the agency front, the FCC has taken a number of actions to support the growth of IoT.  As detailed in an earlier blog post, the FCC adopted a Notice of Inquiry (“NOI”) in its September meeting regarding actions it could take to promote IoT deployment.  The NOI sought comment on a range of issues, including how to ensure adequate spectrum is available for IoT, the requirements regarding IoT services provided by satellites, and what regulatory barriers may exist to providing needed spectrum access for IoT.  Additionally, the FCC adopted a Notice of Proposed Rulemaking (“NPRM”) in July to expand the permissible uses for short-range radar in the 57 to 64 GHz band, which could impact a wide range of applications, including IoT technologies for smart home appliances and factory automation.

NIST has been engaging in a number of IoT-related projects as well to carry out its obligations under the cybersecurity EO.  For example, NIST sought feedback at an initial workshop in September on developing a cybersecurity labeling program for IoT devices and hosted a second event in December to provide an update on its activities.  By February 2022, in coordination with the FTC, NIST is required by the EO to finalize its IoT cybersecurity criteria for the program and consider ways to incentivize manufacturers and developers to participate.

We will continue to update you on meaningful developments in these updates and across our blogs.  To learn more about our IoT team and work, please visit Covington’s Internet of Things website.  For more information on developments related to AI, CAV, and data privacy, please visit our AI Toolkit and our Connected and Autonomous Vehicles and Data Privacy and Cybersecurity websites.

Print:
EmailTweetLikeLinkedIn
Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She represents and advises content distributors, broadcast companies, trade associations, and other media and technology entities on…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She represents and advises content distributors, broadcast companies, trade associations, and other media and technology entities on a wide range of issues. Jennifer has more than two decades of experience advising clients in the communications, media and technology sectors, and has served as a co-chair for these practices for more than 15 years. On IoT issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including legal issues with respect to connected and autonomous vehicles, internet connected devices, smart ecosystems, and other IoT products and services.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements with cable, satellite, and telco companies, network affiliation and other program rights agreements for television companies, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Communications and Media Practice Groups. Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries. Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.

Photo of Lindsay Brewer Lindsay Brewer

Lindsay Brewer is an associate in the firm’s Washington office. She advises clients on environmental, product safety, occupational safety, and public policy issues. She has experience with a wide range of environmental and safety programs, with a focus on the Clean Air Act…

Lindsay Brewer is an associate in the firm’s Washington office. She advises clients on environmental, product safety, occupational safety, and public policy issues. She has experience with a wide range of environmental and safety programs, with a focus on the Clean Air Act (CAA), the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA/Superfund), the Federal Trade Commission Act (FTC Act), the Consumer Product Safety Act (CPSA), the Federal Motor Vehicle Safety Standards (FMVSS), and the Occupational Safety and Health Act (OSH Act).

Photo of James Yoon James Yoon

James Yoon is an associate in the firm’s Data Privacy and Cybersecurity Practice Group. Prior to joining the firm, he served as a law clerk to Judge J. Clifford Wallace on the U.S. Court of Appeals for the Ninth Circuit and Judge Barbara…

James Yoon is an associate in the firm’s Data Privacy and Cybersecurity Practice Group. Prior to joining the firm, he served as a law clerk to Judge J. Clifford Wallace on the U.S. Court of Appeals for the Ninth Circuit and Judge Barbara M.G. Lynn on the U.S. District Court for the Northern District of Texas.

James is a member of the Bar of California. District of Columbia bar application pending; supervised by principals of the firm.

Photo of Nira Pandya Nira Pandya

Nira Pandya advises private and public companies on venture capital financings, mergers and acquisitions, joint ventures, strategic investments, and other corporate transactions. She also represents emerging companies in general corporate matters, including entity formation, corporate governance, and securities law compliance.