Could a Federal Law Be on the Horizon?

Ronald Del Sesto, Jr., Gregory Parks
Morgan Lewis
Contact
LinkedIn
Facebook
X
Send
Embed

Morgan Lewis

Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. US legislators have periodically introduced bills that would establish a federal data privacy law, but none have been put into action. The American Data Privacy Protection Act, introduced in May 2022, is the latest attempt to establish a federal privacy law while providing for limited preemption of state privacy laws. The measure has enough bipartisan support to make it out of committee, but chances for passage are unclear, as it appears to lack key support to move further. Nonetheless, 2023 promises to continue the trend of increased attention on data privacy and security by the US Congress and federal agencies.

FEDERAL COMMUNICATIONS COMMISSION (FCC)

We expect the FCC to continue its focus on enforcement this year, particularly with respect to recipients of federal funds like the Universal Service Fund and other loan and grant programs that the agency administers. Policy initiatives will continue to focus narrowly on national security, consumer protection issues like preventing robocalling, data security, and privacy investigations, at least while the FCC remains deadlocked with two Republican and two Democratic commissioners.

Calls to reform Section 230 of the Communications Decency Act have increased, with criticism from both sides of the political aisle. With uncertainty on the scope of the FCC’s authority to interpret Section 230, the agency likely will continue to defer to Congress. The US Supreme Court recently resolved a pair of cases testing Section 230 liability protections for online platform providers, with the online platforms prevailing.

FEDERAL TRADE COMMISSION (FTC)

The FTC first addressed artificial intelligence (AI) in 2016, but the agency’s pace in addressing AI-related issues increased markedly over the last year. On August 11, 2022, the FTC released an advance notice of proposed rulemaking (ANPRM) seeking preliminary comments relating to commercial surveillance and data security—one of the agency’s most comprehensive and ambitious rulings.

The ANPRM’s sweeping scope seeks public comment on a wide range of issues including protection of minors, data privacy, data security, algorithmic discrimination, and AI-related concerns. The ANPRM is one step in a lengthy process, and the deadline for public comment closed on November 21, 2022.

COMPUTER FRAUD AND ABUSE ACT (CFAA)

The CFAA is one of the few statutes addressing privacy and data protection at the federal level, where it imposes criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Website owners have used the CFAA as a method to prohibit unauthorized data collection from their websites, a practice referred to as “data scraping.” A recent court decision narrowed the CFAA’s scope, finding that, under certain circumstances, the act is inapplicable to situations where users with legitimate access misuse such access. Separately, another recent decision rejected CFAA-based claims where a website operator made certain information public but attempted to restrict a particular company's access to said information. In these instances, other causes of action may still apply, such as common law claims of trespass, copyright infringement, breach of contract, unjust enrichment, conversion, or claims under state-specific statutes.

CONGRESSIONAL ACTIVITY RELATED TO PRIVACY

The following privacy-related legislation has been recently introduced in Congress.

  • American Data Privacy and Protection Act: This passed the House of Representatives Energy and Commerce Committee in a 53–2 vote, with the intention to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The bill will require a reintroduction and restart to its legislative path in the House. On March 1, 2023, the House Subcommittee on Innovation, Data, and Commerce held a hearing to restart the process. The bill largely preempts state laws, but not all of them.
  • Data Privacy Act of 2023: This aims to modernize the Gramm-Leach-Bliley Act to better align with the evolving technological landscape. The bill addresses the privacy and security of personal information held by financial institutions, and expands the application of current protections, provides individuals with controls for limiting the collection of their information, and establishes data privacy standards nationwide.
  • Upholding Protections for Health and Online Location Data Privacy Act (UPHOLD): this act is designed to prevent the use of personally identifiable health data for commercial advertising. It would place additional disclosure restrictions on companies using personal health information without user consent and ban the sale of precise location data.

Learn more in our Technology Marathon presentation, Hot Privacy and Data Security Issues on the Hill and at the FCC and FTC, where we cover recent privacy and data security developments on Capitol Hill and with federal agencies.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Morgan Lewis
Contact
more
less

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide