As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail data privacy updates in Congress and federal agencies.

Part II:  Data Privacy

Congress continued to introduce a broad range of data privacy bills this year, though Congress appears to be stalled by whether the legislation should include a private right of action.  Additionally, in lieu of a comprehensive federal privacy law, the FTC has explored using its general rulemaking authority to advance data privacy regulation.

Although a number of data privacy bills have been introduced this year, lawmakers continue to disagree on whether legislation should include a private right of action for consumers.  The Consumer Online Privacy Rights Act (S. 3195), introduced by Senator Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, would prohibit deceptive or harmful data practices; require that users be able to view, access, transfer, correct, and delete their data; and would require new measures to safeguard the collection and storage of sensitive personal data.  It grants enforcement authority to the FTC and state attorneys general and would provide consumers with a private right of action.  Also, Senator Roger Wicker (R-MS), the Ranking Member of the Senate Committee on Commerce, Science, and Transportation, introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S. 2499), which would impose data minimization rules, require consent for processing and transferring sensitive data, and would provide for enforcement by the FTC.  With Chairwoman Cantwell and Senator Wicker putting forth competing legislation, it is unclear what the two sides will need to find an accord, but that is a challenge that will continue into the new year.

In response to the increasing number of ransomware incidents, several bills create new breach notification obligations.  The Cyber Incident Notification Act (S. 2407), introduced by Senator Mark Warner (D-VA), would require federal agencies and contractors as well as operators of critical infrastructure to report cybersecurity breach notification reports to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 24 hours of learning of an incident.  Another notification proposal, the Cyber Incident Review and Reporting Act (S.2875), introduced by Senator Gary Peters (D-MI), the Chairman of the Senate Homeland Security and Governmental Affairs Committee, and the Committee’s Ranking Member, Senator Rob Portman (R-OH), would require owners and operators of critical infrastructure to report cybersecurity incidents within 72 hours.

With respect to FTC developments, an amendment to the Build Back Better Act (H.R.5376) includes a proposal that would allocate $1 billion over ten years to create a Privacy Bureau within the FTC, responsible for enforcing the FTC’s mandate with regards to privacy and data security.  The FTC issued a report to Congress in September, noting that the agency’s most recent efforts have focused on addressing privacy concerns heightened by the pandemic, such as health apps, accuracy of data used for housing, employment, and credit decisions, and video conferencing, as well as the accuracy and fairness of algorithmic decision-making.  At the same time, several Commissioners have expressed interest in using the FTC’s Section 18 rulemaking authority to develop a privacy rule, and several senators also wrote to FTC Chair Lina Khan, encouraging the FTC to begin a privacy rulemaking process.

We will continue to update you on meaningful developments in these updates and across our blogs.  To learn more about our team and our work, please visit Covington’s Data Privacy and Cybersecurity website.  For more information on developments related to AI and IoT, please visit our AI Toolkit and our Internet of Things website.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the…

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Photo of Lindsay Brewer Lindsay Brewer

Lindsay advises clients on environmental, human rights, product safety, and public policy matters.

She counsels clients seeking to set sustainability goals; track their progress on environmental, social, and governance topics; and communicate their achievements to external stakeholders in a manner that mitigates legal…

Lindsay advises clients on environmental, human rights, product safety, and public policy matters.

She counsels clients seeking to set sustainability goals; track their progress on environmental, social, and governance topics; and communicate their achievements to external stakeholders in a manner that mitigates legal risk. She also advises clients seeking to engage with regulators and policymakers on environmental policy. Lindsay has extensive experience advising clients on making environmental disclosures and public marketing claims related to their products and services, including under the FTC’s Green Guides and state consumer protection laws.

Lindsay’s legal and regulatory advice spans a range of topics, including climate, air, water, human rights, environmental justice, and product safety and stewardship. She has experience with a wide range of environmental and safety regimes, including the Federal Trade Commission Act, the Clean Air Act, the Consumer Product Safety Act, the Federal Motor Vehicle Safety Standards, and the Occupational Safety and Health Act. Lindsay works with companies of various sizes and across multiple sectors, including technology, energy, financial services, and consumer products.

Photo of Nira Pandya Nira Pandya

Nira Pandya is a member of the firm’s Technology and IP Transactions Practice Group in Boston.

With a broad practice that spans a variety of industries, Nira routinely advises clients with their most complex commercial transactions and strategic collaborations involving technology, intellectual property…

Nira Pandya is a member of the firm’s Technology and IP Transactions Practice Group in Boston.

With a broad practice that spans a variety of industries, Nira routinely advises clients with their most complex commercial transactions and strategic collaborations involving technology, intellectual property, and data, with a focus on issues around IP ownership and licensing, artificial intelligence, software development, and information technology services.

As a member of the firm’s Digital Health Initiative, Nira counsels pharmaceutical, medical device, healthcare, and technology clients on commercial and intellectual property considerations that arise in partnerships and collaborations at the intersection of life sciences and technology.

Nira leverages in-house experience gained during her secondment to a leading technology company, where she partnered with business clients and translated legal advice into practical solutions. Prior to joining the firm’s Technology and IP Transactions practice group, Nira advised private and public companies on mergers and acquisitions, joint ventures, strategic investments, and other corporate transactions.

Photo of Andrew Longhi Andrew Longhi

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state…

Andrew Longhi advises national and multinational companies across industries on a wide range of regulatory, compliance, and enforcement matters involving data privacy, telecommunications, and emerging technologies.

Andrew’s practice focuses on advising clients on how to navigate the rapidly evolving legal landscape of state, federal, and international data protection laws. He proactively counsels clients on the substantive requirements introduced by new laws and shifting enforcement priorities. In particular, Andrew routinely supports clients in their efforts to launch new products and services that implicate the laws governing the use of data, connected devices, biometrics, and telephone and email marketing.

Andrew assesses privacy and cybersecurity risk as a part of diligence in complex corporate transactions where personal data is a key asset or data processing issues are otherwise material. He also provides guidance on generative AI issues, including privacy, Section 230, age-gating, product liability, and litigation risk, and has drafted standards and guidelines for large-language machine-learning models to follow. Andrew focuses on providing risk-based guidance that can keep pace with evolving legal frameworks.