
2023: A Busy Year for U.S. Privacy Law

Thanks to a divided House, the U.S. Congress might be in the middle of a dysfunctional malaise, but that didn’t stop representatives from introducing a flurry of privacy-related bills in 2023. According to the International Association of Privacy Professionals (IAPP), Congress has introduced 27 privacy-related bills since it began in January, spanning a range of issues from workplace surveillance to AI and education. These bills reflect wide-ranging concerns over privacy across a broad spectrum of American life.

Privacy In A Post-Roe Era

Several bills sought to protect women’s privacy rights on reproductive health following the Supreme Court’s overturning of Roe v. Wade in June 2022. Lawmakers have expressed concern over the use of personal data to track the activities of pregnant women as state anti-abortion laws proliferate along with stories of privacy infractions. The UPHOLD Privacy Act, introduced on March 2, would prohibit the collection of location and health data for advertising, along with its sale to data brokers, while the My Body, My Data Act would minimise the collection of reproductive health data.

Some bills would create more cooperation between the Department of Health and Human Services (HHS) and the FTC to protect people from health data tracking. The HHS Reproductive and Sexual Health Ombudsman Act and the Protect Sexual and Reproductive Health Act would establish an ombudsman at the HHS to work with the FTC to address privacy concerns over reproductive health data.

Data Privacy In An Age Of AI

Algorithmic transparency was a big issue on the Hill as the threat of more pervasive AI grew. The Algorithmic Justice and Online Platform Transparency Act would make it unlawful for an online platform to use AI in a way that deprives someone of their civil rights. This includes discriminating against users. The No Robot Bosses Act would stop employers from relying solely on automated systems to make employment decisions in the workplace.

It remains to be seen how bills like these will sit alongside Sen. Chuck Schumer’s broader attempt to regulate AI in the U.S. In April, the Senate majority leader announced plans to create a legislative framework governing the responsible use of the technology.

Other notable federal workplace privacy bills included one to address unreasonable employee surveillance. The Stop Spying Bosses Act, a Senate bill, would prohibit or require the disclosure of certain types of data collection on employees, alongside the No Robot Bosses Act mentioned above.

Curtailing Big Tech’s Use Of Our Data

The Algorithmic Justice and Online Platform Transparency Act is just one of several bills attempting to rein in the powers of big tech platforms. These included the Senate’s Platform Accountability and Transparency Act, which would mandate the FTC to regulate platforms’ reporting around content moderation and algorithms. Another, the Deceptive Experiences to Online Users Reduction Act, would address ‘dark patterns’: user interface tricks that online platforms use to squeeze personal information from users. The Banning Surveillance Advertising Act would prohibit targeted advertising by ad companies and their customers (but sadly, it would permit ads using contextual and location-based data).

Broader Consumer Privacy Protection Laws

There were also some attempts to pass the kinds of broader consumer privacy legislation that have emerged at the state level. The Data Care Act would impose a duty of care, loyalty, and confidentiality upon online service providers and allow the FTC to enforce them.

The Online Privacy Act would go further, creating a Digital Privacy Agency that would enforce privacy rights, including the ability for consumers to access, correct, delete or move their personal information. It also imposes data minimisation requirements on service providers in a strong law that looks a lot like California’s Consumer Privacy Act and its successor, the California Privacy Rights Act. Another bill, the Data Elimination and Limiting Extensive Tracking and Exchange Act, would create a centralised registry allowing individuals to request that data brokers delete their personal information, which echoes California’s DELETE Act.

There has been one notable absence from the collection of broad consumer privacy protection laws this year: the American Data Privacy and Protection Act (ADPPA). This 2022 bill passed out of committee with a 53-2 vote but didn’t make it to the House floor. However, this May, the Innovation, Data, and Commerce Subcommittee of the House Committee on Energy and Commerce held a hearing that frequently referenced measures in the ADPPA. The bill has not been reintroduced, but the current Congress is still sitting for another year.

One of the ADPPA’s unique characteristics – other than that it is the only broad consumer privacy protection bill to make it out of committee – was its pre-emption of state law. That will likely anger some states, especially as so many more are busy proposing their own consumer privacy protection laws, joining the likes of California and Virginia. Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas passed legislation this year, while other states have bills currently under consideration. These include Maine, Massachusetts (which has three in the works), Michigan, New Jersey, North Carolina, Ohio, Pennsylvania, and Wisconsin – more on all those here.

Preparing For Any Legislative Scenario

It’s easy to introduce a bill in the House. Getting it out of committee and through a floor vote to the Senate is far more complex. Plenty of bills never make it that far. With a new House speaker coming from left field who will significantly influence what legislation is genuinely considered, it remains to be seen which of these proposed laws will go anywhere.

In the meantime, businesses must ensure they’re prepared for any legal eventuality. With that in mind, security and privacy frameworks such as ISO 27001 or ISO 27701, or NIST’s Privacy Framework, provide the core fundamentals to help organisations prepare for compliance with whatever requirements come their way.
