For the third year in a row, U.S. President Joe Biden's most important annual speech to Congress and the American people — the State of the Union address — included privacy as a top legislative priority. And, for the third year in a row, youth safety was the focal point of Biden's support for a federal data privacy law.

As IAPP President and CEO J. Trevor Hughes, CIPP, wrote last year, many U.S. presidents have mentioned privacy in their annual address. But it is a sign of the times that the current president finds himself repeating nearly the same talking point across three years.

The trendline through these three major speeches also reflects the vanishing hope in Washington that a federal comprehensive consumer privacy law could pass.

In 2022, Biden included a statement of support for general privacy legislation, before quickly pivoting to children: "It's time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children."

With the 2023 address, when the prospects of passing the proposed American Data Privacy and Protection Act faded while hope remained for similar legislation to be introduced in the new congressional term, Biden flipped the script. He led with young people before pivoting to general protections: "It's time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us."

This year there was no hedging or uncertainty, and no more mention of a comprehensive consumer privacy law. Calling on Congress to finish passing his "Unity Agenda," Biden mentioned four priorities: fentanyl, privacy, artificial intelligence and military servicemembers.

Cutting his call for a privacy law to its most essential message, Biden simply asked legislators to "pass bipartisan privacy legislation to protect our children online."

What this could mean in practice is anyone's guess. There is widespread support behind two major proposals in the Senate, the Kids Online Safety Act and the Children and Teen's Online Privacy Protection Act. Both have data privacy elements, although only the latter could be confidently described as a youth privacy law. Some advocacy groups remain concerned about KOSA, though others have switched to supporting the updated bill. Neither bill has been introduced in the House.

The widely publicized momentum behind these bills has led some legislators to reinforce their own related proposals. U.S. Sen. Brian Schatz, D-Hawaii, seized the opportunity to double down on support for his Protecting Kids on Social Media Act. He believes it could be merged into other legislation during the floor process, though it would need to first go through markup in the Commerce Committee.

Many other bipartisan proposals are in the works that do not touch on privacy at all but do attempt to, as Biden put it, "protect our children online." The Senate Committee on the Judiciary unanimously reported at least five kids' safety bills this term. Another bill, the Invest in Child Safety Act of 2024, was introduced in both chambers and would simply direct USD5 billion in mandatory funding to law enforcement activities related to CSAM.

As these bills wait in the wings, congressional staffers are already nervously counting the number of days remaining in the session before the 2024 election. At any time, the Senate could use its dwindling floor time to consider some package of kids' safety or privacy bills. But, depending on how the next weeks go, this could mean taking time away from other pressing work like confirming nominations, funding the government and debating issues of national concern like the border and foreign military aid.

It is also possible that some of these bills become attached to must-pass legislation, like government funding measures. But, given the current political uncertainty in D.C., it is equally likely that none of them become law, unity agenda or not.

Meanwhile, in the AI policy world, there will be plenty of noise made about the president's stated support for legislative action on AI. But his words in the State of the Union could be used to support almost any AI-focused legislative proposal, whether it is meant to "harness the promise of AI" or "protect us from its peril."

The only explicit AI policy goal endorsed in Biden's speech is to "ban A.I. voice impersonation." In the House, legislators have already introduced numerous proposals around AI voice impersonation and the use of AI in telemarketing. In the Senate, deepfakes are one of many top priorities that emerged from Sen. Chuck Schumer's, D-N.Y., engagement on AI policy. It will fall to the Senate Commerce Committee and its chair Maria Cantwell, D-Wash., to consider any legislation that would directly target this issue. Reportedly, there are efforts underway to do just that.

As Biden said in closing his speech last night, "There is nothing beyond our capacity when we act together!"

The only question for privacy and AI legislation remains, will we act together?

Here's what else I'm thinking about:

  • The Federal Trade Commission is back to full strength. Last night, the Senate confirmed the two Republican nominees to join the three current Democratic commissioners. Nearly eight months since their original nomination, and much longer since their seats became vacant, Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak are set to join as the two newest commissioners of the FTC. The Senate also approved Commissioner Rebecca Kelly Slaughter to serve another full term at the agency.
  • The U.S. is considering restricting bulk data sales to "countries of concern." A major executive order from the White House last week begins the process of restricting the sale of sensitive data to foreign adversaries of the United States. The multipart proposal would ban the sale of bulk datasets with sensitive personal data of U.S. persons, the sale of any amount of sensitive data on U.S. government personnel, and impose new requirements for contractual safeguards when such data is sold to any foreign person. I wrote an explanatory analysis of the Department of Justice's advance notice of proposed rulemaking, the first step in implementing the executive order. Public comments on the proposal are due 19 April.
  • The California Privacy Protection Agency could formally begin its pending rulemaking today. On the posted agenda for its bimonthly meeting, the agency included "discussion and possible action to advance draft regulations to formal rulemaking for automated decision-making technology, risk assessments, and updates to existing regulations." The meeting will also feature an annual report with an "update and priorities" from the enforcement and public affairs division of the agency.
  • Live free or delete your personal information. New Hampshire became the 14th state to enact a comprehensive consumer privacy law. New Hampshire's law, signed into law by Gov. Chris Sununu, R-N.H., this week, has the special distinction of covering the home state of IAPP. By the way, if you ever wondered what IAPP means when we call something a "comprehensive" privacy law, we've published a definitive explanation thanks to Westin Fellow Andrew Folks, CIPP/US.

Upcoming happenings:

  • 11 March: The deadline to submit comments for the FTC's COPPA rulemaking.
  • 26 March: The IAPP KnowledgeNet chapters in the DMV region jointly host a discussion about reauthorization of Section 702 of the Foreign Intelligence Surveillance Act at the Conference Center at the Row on 19th.
  • 3-4 April: The IAPP hosts its Global Privacy Summit 2024.

Please send feedback, updates and peril protections to cobun@iapp.org.