Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. US legislators have periodically introduced bills that would establish a federal data privacy law, but none have been put into action. The American Data Privacy Protection Act, introduced in May 2022, is the latest attempt to establish a federal privacy law while providing for limited preemption of state privacy laws. The measure has enough bipartisan support to make it out of committee, but chances for passage are unclear, as it appears to lack key support to move further. Nonetheless, 2023 promises to continue the trend of increased attention on data privacy and security by the US Congress and federal agencies.
We expect the FCC to continue its focus on enforcement this year, particularly with respect to recipients of federal funds like the Universal Service Fund and other loan and grant programs that the agency administers. Policy initiatives will continue to focus narrowly on national security, consumer protection issues like preventing robocalling, data security, and privacy investigations, at least while the FCC remains deadlocked with two Republican and two Democratic commissioners.
Calls to reform Section 230 of the Communications Decency Act have increased, with criticism from both sides of the political aisle. With uncertainty on the scope of the FCC’s authority to interpret Section 230, the agency likely will continue to defer to Congress. The US Supreme Court recently resolved a pair of cases testing Section 230 liability protections for online platform providers, with the online platforms prevailing.
The FTC first addressed artificial intelligence (AI) in 2016, but the agency’s pace in addressing AI-related issues increased markedly over the last year. On August 11, 2022, the FTC released an advance notice of proposed rulemaking (ANPRM) seeking preliminary comments relating to commercial surveillance and data security—one of the agency’s most comprehensive and ambitious rulings.
The ANPRM’s sweeping scope seeks public comment on a wide range of issues including protection of minors, data privacy, data security, algorithmic discrimination, and AI-related concerns. The ANPRM is one step in a lengthy process, and the deadline for public comment closed on November 21, 2022.
The CFAA is one of the few statutes addressing privacy and data protection at the federal level, where it imposes criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Website owners have used the CFAA as a method to prohibit unauthorized data collection from their websites, a practice referred to as “data scraping.” A recent court decision narrowed the CFAA’s scope, finding that, under certain circumstances, the act is inapplicable to situations where users with legitimate access misuse such access. Separately, another recent decision rejected CFAA-based claims where a website operator made certain information public but attempted to restrict a particular company's access to said information. In these instances, other causes of action may still apply, such as common law claims of trespass, copyright infringement, breach of contract, unjust enrichment, conversion, or claims under state-specific statutes.
The following privacy-related legislation has been recently introduced in Congress.
If you are interested in Hot Privacy and Data Security Issues on the Hill and at the FCC and FTC, as part of Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas