To add to the growing list of federal privacy frameworks introduced this year, Senator Amy Klobuchar (D-MN) has re-introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667).  Senator Klobuchar introduced the bill originally in 2018 and 2019, although it did not advance to committee in either instance.  Senators Kennedy (R-LA), Burr (R-NC), and Manchin (D-WV) have co-sponsored the bill.

Key provisions in this bill include:
Continue Reading New Privacy Bill Provides Opt-Out Rights and New Data Security Requirements

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General

On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data.  The bill would also provide the FTC with rulemaking authority and the ability to levy substantial civil penalties for noncompliance with its provisions.

This bill comes on the heels of Senator Ron Wyden’s release of a draft “Consumer Data Protection Act,” which also expanded FTC authority and created significant civil fines.  (See analysis of Senator Wyden’s bill here, and related coverage on the Senate’s approach to data privacy here and here.)  Several other privacy frameworks have already been introduced this year by both Democratic and Republican lawmakers, and additional bills may be introduced in 2019.


Continue Reading Democratic Senators Introduce Privacy Bill Seeking to Impose “Fiduciary” Duties on Online Providers

On Tuesday, Joseph Simons was sworn in as the new Chairman of the Federal Trade Commission.  The five-member Commission will soon be at full strength, as Simons is set to be joined by four other new FTC Commissioners, each of which were confirmed for seven-year terms by the Senate on April 26: Democrats Rebecca Kelly Slaughter and Rohit Chopra, and Republicans Noah Phillips and Christine Wilson.  Slaughter, Chopra, and Phillips are each expected to be sworn in this week, although Wilson will not take office until the Senate confirms Commissioner Ohlhausen’s nomination as a judge on the U.S. Court of Federal Claims.

The new Commissioners, with the exception of Slaughter, have backgrounds focusing more on competition and antitrust matters, as opposed to privacy and consumer protection.  As such, we will have to wait and see as to their views on privacy issues, and the FTC’s resulting priorities.
Continue Reading Changes Are Underway at the FTC As New Commissioners Are Sworn In

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government.  As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
Continue Reading New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding for cybersecurity initiatives in fiscal year 2017, an increase of 35% over the previous year’s request.  The CNAP includes a mixture of near-term measures and long-term objectives, with the ultimate goal of enhancing the federal government’s cybersecurity posture while encouraging private citizens and businesses to do the same.  Some of the most significant aspects of the CNAP, discussed further below, include:

  • The launch of a cybersecurity awareness campaign to promote the use of multi-factor authentication;
  • A “systematic” review by the White House to identify areas where the federal government can reduce the use of Social Security Numbers as individual identifiers;
  • Plans for the development of a Cybersecurity Assurance Program to test and certify connected devices against certain security standards;
  • The creation of a Chief Information Security Officer (CISO) position within the federal government, coupled with a $3.1 billion initiative to modernize federal agencies’ IT systems and applications;
  • The establishment of a commission of private sector cybersecurity experts to offer recommendations on cybersecurity initiatives; and
  • The establishment of a Federal Privacy Council, composed of representatives from various key federal agencies, to coordinate guidelines for the federal government’s collection and storage of data.


Continue Reading White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial

Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices.  The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee,