As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month. Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces. In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety. We are providing this year-end round up in four parts. In this post, we detail data privacy updates in Congress and federal agencies.
Part II: Data Privacy
Congress continued to introduce a broad range of data privacy bills this year, though Congress appears to be stalled by whether the legislation should include a private right of action. Additionally, in lieu of a comprehensive federal privacy law, the FTC has explored using its general rulemaking authority to advance data privacy regulation.
Although a number of data privacy bills have been introduced this year, lawmakers continue to disagree on whether legislation should include a private right of action for consumers. The Consumer Online Privacy Rights Act (S. 3195), introduced by Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, would prohibit deceptive or harmful data practices, require that users be able to view, access, transfer, correct, and delete their data, and would require new measures to safeguard the collection and storage of sensitive personal data. It grants enforcement authority to the FTC and state attorneys general and would provide consumers with a private right of action. Also, Senator Roger Wicker (R-MS), the Ranking Member of the Senate Committee on Commerce, Science, and Transportation, introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S. 2499), which would impose data minimization rules, require consent for processing and transferring sensitive data, and would provide for enforcement by the FTC. With Chairwoman Cantwell and Senator Wicker putting forth competing legislation, it is unclear what the two sides will need to find an accord, but that is a challenge that will continue into the new year.
In response to the increasing number of ransomware incidents, several bills created new breach notification obligations. The Cyber Incident Notification Act (S. 2407), introduced by Senator Mark Warner (D-VA), would require federal agencies and contractors as well as operators of critical infrastructure to report cybersecurity breach notification reports to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 24 hours of learning of an incident. Another notification proposal, the Cyber Incident Review and Reporting Act (S.2875), introduced by Senator Gary Peters (D-MI), the Chairman of the Senate Homeland Security and Governmental Affairs Committee, and the Committee’s Ranking Member, Senator Rob Portman (R-OH), would require owners and operators of critical infrastructure to report cybersecurity incidents within 72 hours.
With respect to FTC developments, an amendment to the Build Back Better Act (H.R.5376) includes a proposal that would allocate $1 billion over ten years to create a Privacy Bureau within the FTC, responsible for enforcing the FTC’s mandate with regards to privacy and data security. The FTC issued a report to Congress in September, noting that the agency’s most recent efforts have focused on addressing privacy concerns heightened by the pandemic, such as health apps, accuracy of data used for housing, employment, and credit decisions, and video conferencing, as well as the accuracy and fairness of algorithmic decision-making. At the same time, several Commissioners have expressed interest in using the FTC’s Section 18 rulemaking authority to develop a privacy rule, and several senators also wrote to FTC Chair Lina Khan, encouraging the FTC to begin a privacy rulemaking process.
We will continue to update you on meaningful developments in these updates and across our blogs. To learn more about our team and our work, please visit Covington’s Data Privacy and Cybersecurity website. For more information on developments related to AI and IoT, please visit our AI Toolkit and our Internet of Things website.