This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.

Artificial Intelligence

In the last quarter of 2022, the annual National Defense Authorization Act (“NDAA”), which contained AI-related provisions, was enacted into law.  The NDAA creates a pilot program to demonstrate use cases for AI in government. Specifically, the Director of the Office of Management and Budget (“Director of OMB”) must identify four new use cases for the application of AI-enabled systems to support modernization initiatives that require “linking multiple siloed internal and external data sources.” The pilot program is also meant to enable agencies to demonstrate the circumstances under which AI can be used to modernize agency operations and “leverage commercially available artificial intelligence technologies that (i) operate in secure cloud environments that can deploy rapidly without the need to replace operating systems; and (ii) do not require extensive staff or training to build.” Finally, the pilot program prioritizes use cases where AI can drive “agency productivity in predictive supply chain and logistics,” such as predictive food demand and optimized supply, predictive medical supplies and equipment demand, predictive logistics for disaster recovery, preparedness and response.

At the state level, in late 2022, there were also efforts to advance requirements for AI used to make certain types of decisions under comprehensive privacy frameworks.  The Colorado Privacy Act draft rules were updated to clarify the circumstances that require controllers to provide an opt-out right for the use of automated decision-making and requirements for assessments of profiling decisions.  In California, although the California Consumer Privacy Act draft regulations do not yet cover automated decision-making, the California Privacy Protection Agency rules subcommittee provided a sample list of related questions concerning this during its December 16, 2022 board meeting.

Internet of Things

Federal laws and regulations continued to address IoT policy issues in the last quarter of 2022.  Notably, on November 17, 2022, Senator Ted Cruz (R-TX) and Chair of the Senate Commerce, Science, and Transportation Committee Senator Maria Cantwell (D-WA) introduced the Informing Consumers about Smart Devices Act (S. 5127).  The bill, which is substantially similar to H.R. 4081 (which passed the House of Representatives on September 29, 2022), would require manufacturers of connected devices equipped with a camera or microphone to clearly and conspicuously disclose to consumers that a camera or microphone is part of the device prior to purchase.  The disclosure requirement does not apply to mobile phones, laptops, or other devices that consumers would reasonably expect to include a camera or microphone. Notably, Senator Cantwell remains the Chair of the Senate Commerce Committee and Senator Cruz has now become its Ranking Member, meaning that this piece of legislation deserves attention this Congress.

Federal regulatory efforts this quarter relating to IoT centered around cybersecurity.  The National Cybersecurity Center of Excellence (“NCCoE”) at the National Institute of Standards and Technology (“NIST”) continued to advance its private-public partnership on trusted IoT device network-layer onboarding and lifecycle management through the publication of a fact sheet and a preliminary draft of a Cybersecurity Practice Guide that will ultimately be published by NIST.  The public comment period for the draft practice guide is open until February 3, 2023.  In addition, the Government Accountability Office (“GAO”) on December 1, 2022, published a report on the increasing cybersecurity threats faced by the United States’ 16 critical infrastructure sectors that rely on internet-connected devices and systems.  The report provides recommendations to federal agencies for developing metrics to measure cybersecurity risks and the effectiveness of efforts to manage these risks.  Addressing the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 — which generally prohibits agencies, in the absence of a waiver, from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards — the GAO report recommends that the Office of Management and Budget take steps to establish a standardized waiver process, as mandated by the Act.

Connected and Autonomous Vehicles (“CAVs”)

Federal developments were slow in the last quarter of 2022, but states continued advancing the deployment of CAVs.  In November 2022, the California Public Utilities Commission (“CPUC”) authorized Waymo LLC to participate in California’s pilot program to provide “driverless” AV passenger service to the public.  Waymo joins Cruise, LLC as the second participant in CPUC’s Driverless Pilot program.  With this authorization, Waymo may offer driverless passenger service throughout San Francisco and portions of Daly City, as well as in portions of the cities of Los Altos, Los Altos Hills, Mountain View, Palo Alto, and Sunnyvale.  Waymo’s driverless test AVs may operate on public roadways with posted speed limits up to 65 miles per hour, at all times of day or night.  The CPUC’s press release stated that the driverless pilot program is “intended to allow AV companies to develop their technologies on a test basis, while providing for public safety and consumer protection in services offered by commercial operators within the CPUC’s jurisdiction.”  The CPUC intends to collect program data to monitor the safety, accessibility, equity, and environmental benefits of CAVs.

Data Privacy & Cybersecurity

Congress advanced a number of legislative proposals focused on establishing cybersecurity standards for government devices and networks.  For example, the NDAA included provisions to reform the Federal Risk and Authorization Program’s (“FedRAMP”) cybersecurity authorization process for cloud vendors—allowing federal agencies to use FedRAMP-authorized tools to authorize the use of cloud service providers, and conduct security assessments without further checks or additional oversight.  The FedRAMP certification is a certification that cloud service providers must receive prior to working with the U.S. government.  Additionally, Congress passed the Quantum Computing Cybersecurity Preparedness Act, discussed further here, that requires the Director of OMB to provide agencies with guidance to inventory technology used by the agency that is vulnerable to decryption by quantum computers and will require agencies to migrate those technologies to post-quantum computing standards following new guidance from NIST. 

Although Congress did not pass federal privacy legislation in the last quarter of 2022, there were multiple attempts to include privacy provisions in larger legislative packages, such as the NDAA or the omnibus spending bill in the lame duck sessions. Specifically, Senators Markey (D-MA), Blumenthal (D-CT), Cassidy (R-LA) and Lummis (R-WY) sought to include Senator Markey’s Children’s Online Privacy Protection Act (“COPPA”) legislation into the omnibus spending package.  Additionally, Senators Blumenthal and Blackburn (R-TN) also sought to include the Kids Online Safety Act (“KOSA”) within an end-of-year legislative vehicle.  Despite having broad bipartisan support, both efforts were inevitably left out of the larger legislative packages.  There was also an effort attach the American Data Privacy Protection Act (“ADPPA”), though this effort was not ultimately successful.

We will continue to update you on meaningful developments in these quarterly updates and across our blogs.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jayne Ponder Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the…

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Photo of Olivia Dworkin Olivia Dworkin

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance.

With a focus on cutting-edge…

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance.

With a focus on cutting-edge medical technologies and digital health products and services, Olivia regularly helps new and established companies navigate a variety of state and federal regulatory, legislative, and compliance matters throughout the total product lifecycle. She has experience counseling clients on the development, FDA regulatory classification, and commercialization of digital health tools, including clinical decision support software, mobile medical applications, general wellness products, medical device data systems, administrative support software, and products that incorporate artificial intelligence, machine learning, and other emerging technologies.

Olivia also assists clients in advocating for legislative and regulatory policies that will support innovation and the safe deployment of digital health tools, including by drafting comments on proposed legislation, frameworks, whitepapers, and guidance documents. Olivia keeps close to the evolving regulatory landscape and is a frequent contributor to Covington’s Digital Health blog. Her work also has been featured in the Journal of Robotics, Artificial Intelligence & Law, Law360, and the Michigan Journal of Law and Mobility.

Prior to joining Covington, Olivia was a fellow at the University of Michigan Veterans Legal Clinic, where she gained valuable experience as the lead attorney successfully representing clients at case evaluations, mediations, and motion hearings. At Michigan Law, Olivia served as Online Editor of the Michigan Journal of Gender and Law, president of the Trial Advocacy Society, and president of the Michigan Law Mock Trial Team. She excelled in national mock trial competitions, earning two Medals for Excellence in Advocacy from the American College of Trial Lawyers and being selected as one of the top sixteen advocates in the country for an elite, invitation-only mock trial tournament.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Nicholas Xenakis Nicholas Xenakis

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal…

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal justice.

Nick joined the firm’s Public Policy practice after serving most recently as Chief Counsel for Senator Dianne Feinstein (D-CA) and Staff Director of the Senate Judiciary Committee’s Human Rights and the Law Subcommittee, where he was responsible for managing the subcommittee and Senator Feinstein’s Judiciary staff. He also advised the Senator on all nominations, legislation, and oversight matters before the committee.

Previously, Nick was the General Counsel for the Senate Judiciary Committee, where he managed committee staff and directed legislative and policy efforts on all issues in the Committee’s jurisdiction. He also participated in key judicial and Cabinet confirmations, including of an Attorney General and two Supreme Court Justices. Nick was also responsible for managing a broad range of committee equities in larger legislation, including appropriations, COVID-relief packages, and the National Defense Authorization Act.

Before his time on Capitol Hill, Nick served as an attorney with the Federal Public Defender’s Office for the Eastern District of Virginia. There he represented indigent clients charged with misdemeanor, felony, and capital offenses in federal court throughout all stages of litigation, including trial and appeal. He also coordinated district-wide habeas litigation following the Supreme Court’s decision in Johnson v. United States (invalidating the residual clause of the Armed Career Criminal Act).

Photo of Hensey A. Fenton III Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development…

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.

Photo of Madeline Salinas Madeline Salinas

Madeline counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in designing…

Madeline counsels national and multinational companies across industries on data privacy, content moderation, and advertising issues.

Madeline advises clients on compliance with federal and state privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. She regularly assists clients in designing cutting-edge products and services, developing privacy notices and consent forms, strategically engaging with state legislatures, and participating in rulemaking proceedings of state and federal agencies. In particular, Madeline has experience advising clients on compliance with laws implicating children’s privacy.

Madeline also partners with clients in developing content moderation policies and designing products and services that facilitate sharing of user-generated content, analyzing the evolving legal landscape and public policy considerations related to content moderation.

As part of her practice, Madeline represents clients in consumer protection enforcement actions brought by the Federal Trade Commission on topics related to data privacy and advertising.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.