Insight

US Data Privacy Legislation: Could a Federal Law Be on the Horizon?

July 31, 2023

Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. US legislators have periodically introduced bills that would establish a federal data privacy law, but none have been put into action. The American Data Privacy Protection Act, introduced in May 2022, is the latest attempt to establish a federal privacy law while providing for limited preemption of state privacy laws. The measure has enough bipartisan support to make it out of committee, but chances for passage are unclear, as it appears to lack key support to move further. Nonetheless, 2023 promises to continue the trend of increased attention on data privacy and security by the US Congress and federal agencies.

Federal Communications Commission (FCC)

We expect the FCC to continue its focus on enforcement this year, particularly with respect to recipients of federal funds like the Universal Service Fund and other loan and grant programs that the agency administers. Policy initiatives will continue to focus narrowly on national security, consumer protection issues like preventing robocalling, data security, and privacy investigations, at least while the FCC remains deadlocked with two Republican and two Democratic commissioners.

Calls to reform Section 230 of the Communications Decency Act have increased, with criticism from both sides of the political aisle. With uncertainty on the scope of the FCC’s authority to interpret Section 230, the agency likely will continue to defer to Congress. The US Supreme Court recently resolved a pair of cases testing Section 230 liability protections for online platform providers, with the online platforms prevailing.

Federal Trade Commission (FTC)

The FTC first addressed artificial intelligence (AI) in 2016, but the agency’s pace in addressing AI-related issues increased markedly over the last year. On August 11, 2022, the FTC released an advance notice of proposed rulemaking (ANPRM) seeking preliminary comments relating to commercial surveillance and data security—one of the agency’s most comprehensive and ambitious rulings.

The ANPRM’s sweeping scope seeks public comment on a wide range of issues including protection of minors, data privacy, data security, algorithmic discrimination, and AI-related concerns. The ANPRM is one step in a lengthy process, and the deadline for public comment closed on November 21, 2022.

Computer Fraud and Abuse Act (CFAA)

The CFAA is one of the few statutes addressing privacy and data protection at the federal level, where it imposes criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Website owners have used the CFAA as a method to prohibit unauthorized data collection from their websites, a practice referred to as “data scraping.” A recent court decision narrowed the CFAA’s scope, finding that, under certain circumstances, the act is inapplicable to situations where users with legitimate access misuse such access. Separately, another recent decision rejected CFAA-based claims where a website operator made certain information public but attempted to restrict a particular company's access to said information. In these instances, other causes of action may still apply, such as common law claims of trespass, copyright infringement, breach of contract, unjust enrichment, conversion, or claims under state-specific statutes.

Congressional Activity Related to Privacy

The following privacy-related legislation has been recently introduced in Congress.

  • American Data Privacy and Protection Act: This passed the House of Representatives Energy and Commerce Committee in a 53–2 vote, with the intention to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The bill will require a reintroduction and restart to its legislative path in the House. On March 1, 2023, the House Subcommittee on Innovation, Data, and Commerce held a hearing to restart the process. The bill largely preempts state laws, but not all of them.
  • Data Privacy Act of 2023: This aims to modernize the Gramm-Leach-Bliley Act to better align with the evolving technological landscape. The bill addresses the privacy and security of personal information held by financial institutions, and expands the application of current protections, provides individuals with controls for limiting the collection of their information, and establishes data privacy standards nationwide.
  • Upholding Protections for Health and Online Location Data Privacy Act (UPHOLD): this act is designed to prevent the use of personally identifiable health data for commercial advertising. It would place additional disclosure restrictions on companies using personal health information without user consent and ban the sale of precise location data.

If you are interested in Hot Privacy and Data Security Issues on the Hill and at the FCC and FTC, as part of Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas