Data privacy is a bipartisan issue. We see this on display constantly through legislative proposals, investigations and hearings led by members of both parties. At the federal level, we continue to see bipartisan cooperation on multiple streams of data privacy legislation. Though Republican and Democratic approaches differ, both sides agree setting rules for the processing of consumer data and information about minors is a high priority.
With that background, the clear political trend in successful data privacy laws at the state level this year is remarkable. We are nearing a total of five new comprehensive consumer privacy laws in 2023. Every single one of these has been passed in states where both legislative houses and the executive are controlled by the Republican party.
From Iowa to Indiana, Tennessee to Montana, and with Texas not far behind, the trend gets clearer every week: 2023 is bringing a red wave of state privacy laws.
This trend is also remarkable for the lack of uniformity in the new laws. Though you might say all U.S. state privacy laws share a basic policy genome, Montana is as different from Iowa as Connecticut was from Utah. In fact, Connecticut's law, passed in a fully Democrat-controlled state, seems to be serving as a model for a number of state privacy proposals this year, including the law awaiting the Montana governor's signature.
Florida, too, is joining the red wave, though the laser-targeted scope of the consumer privacy aspects of Florida's SB 262 render it ineligible for IAPP's resource tracking comprehensive state privacy bills. Admittedly, our tracker was born during a simpler time, when the concept of a "comprehensive" consumer privacy law had not been stretched and tested by holistic-but-targeted frameworks like Florida, or ostensibly sectoral-but-broad rules like Washington state's My Health My Data Act. IAPP's label of a data privacy bill as comprehensive is not meant to be an indication of the law's strength or operational impact, but rather as an antonym for a sectoral privacy law.
Comprehensive laws are technology neutral, apply across industries and cover all types of consumers, rather than certain age or demographic groups. The utility of this rubric is being repeatedly challenged in 2023.
Once we step beyond the comprehensive limits, the political trend gets messier. Both red and blue states are interested in passing laws similar to California's Age-Appropriate Design Code. In fact, the final version of Florida's bill was merged with an AADC framework, which covers a wider range of entities than the rest of the bill. At the same time, more prescriptive social media bans for minors have been passed in red Utah and Arkansas. But Connecticut is close to passing an amendment to its privacy law, SB 3, that would incorporate an AADC framework among other tweaks.
Health data is another focus of Connecticut's proposal. In fact, health-related protections seem to be the domain with the strongest focus from Democrat-controlled states this year, a logical outcome of widespread post-Dobbs interest in filling gaps in health data protections. Connecticut's law would copy Washington's MHMDA in banning certain geofencing practices related to health-related locations, while expanding restrictions for health-related data.
This all serves as backdrop to the ongoing federal conversation, where Republicans now hold the pen within the House Energy and Commerce Committee as they work to fine-tune language for the committee's next major comprehensive privacy proposal to replace last term's American Data Privacy and Protection Act. This week, committee leaders sent letters to 22 companies asking them for "information pertinent to helping the Committee understand how data brokers purchase, collect, use, license, and sell Americans' data." The letters repeatedly cite the recent report by Joanne Kim at Duke's Sanford School of Public Policy on "Data Brokers and the Sale of Americans' Health Data."
The House Committee on Energy and Commerce inquiry letters reveal a strong interest in better understanding how personal data spreads to, pools around and flows from third-party intermediaries. They also reflect special scrutiny over the same types of data protected by state-level codes, including location, health, and information about children and teens, though there are also targeted questions about other types of data, including purchase history and "phone data, such as data on any apps downloaded."
Unlike the states, where all but a handful of governments are entirely controlled by a single party, federal policymakers will only be able to move forward by embracing bipartisanship. In doing so, they will likely draw from ideas put forward by both red and blue states.
Here's what else I'm thinking about
- The U.S. Federal Trade Commission is thinking about biometrics and health data. In its notice of next week's open meeting, the commission indicated it will approve a new policy statement listing some practices it "will scrutinize in determining whether companies collecting and/or using or marketing biometric information technologies are complying with Section 5 of the FTC Act." In addition, commissioners will vote to issue a notice of proposed rulemaking that would amend the Health Breach Notification Rule to "clarify technologies and entities covered by the Rule, facilitate greater electronic breach notices to consumers, and expand the required content of the notices, among other changes." The HBNR was most recently deployed to obtain the financial component of the FTC's settlement with GoodRx.
- The U.S. Equal Employment Opportunity Commission is training its staff on enforcing algorithmic bias in hiring. Building on the agency's strong indicators of interest in applying hiring discrimination rules to automated systems, Bloomberg Law reports an internal training scheduled for next week will include information about artificial intelligence "in the employment context, how our front line staff can identify AI-related issues in our enforcement work, and what to do when you identify an AI-related issue in your work"”
- Automated law enforcement platforms are spreading beyond big cities. A new report in the online magazine Context highlights the spread of "a police technology platform that merges public and private cameras with predictive policing and other surveillance tools" and the debate this technology is sparking in small cities and towns across the United States.
- The reference model for the human genome got more equitable and valid. Researchers announced that they have supplemented the human genome project by building a "pangenome" incorporating the genetic data of more than 300 people from disparate communities around the globe.
Upcoming happenings
- 16 May at 10:00 EDT, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will host a hearing titled "Oversight of AI: Rules for Artificial Intelligence" (Dirksen 226).
- 16 May, BBB National Programs will host CARU 2023, the Children's Advertising Review Unit Annual Conference (Arlington).
- 18 May at 11:00 EDT, the FTC will host an open meeting (virtual).
Please send feedback, updates and partisan privacy proposals to cobun@iapp.org.