Every August since the 1970s, the U.S. Congress embarks on a five-week recess, during which time no floor activity occurs. It is hardly a break for most legislators, as they continue to work on everything else — from responding to constituents to negotiating bill text to fundraising. But for most, it presents a welcome opportunity to leave the sweltering D.C. swamp during the hottest part of the summer. 

In modern times, as brinksmanship increasingly defines the pace of progress on Capitol Hill, the August recess also serves as a looming deadline. Sorting through priorities for the dwindling number of floor sessions remaining before the break is a major strategic consideration for both parties.

A large portion of Congress's collective attention is currently focused on passing this year's National Defense Authorization Act. Always considered a "must pass" piece of legislation, the NDAA has, in recent years, become a vehicle for legislators to jockey for the inclusion of individual top-priority amendments. This year is a little different. The bill has also become a vehicle for the two parties to accuse each other of politicizing military policy, adding "culture war" amendments that have prohibited bipartisan agreement on the spending bill. The House barely passed its own version of the bill last week, largely along party lines.

Now, as the Senate takes its turn, the final package is likely to differ greatly from the House proposal. And the proposed amendments continue to flow in. With AI and other pressing tech issues on the minds of many tech-minded policymakers this year, it looks like some tech policy issues could make their way into the NDAA.

The Washington Post's Cristiano Lima undertook the Sisyphean task of sorting through hundreds of proposed NDAA amendments looking for tech policy proposals. He reports that Majority Leader Chuck Schumer, D-N.Y., has "touted the inclusion of several AI provisions in his manager's amendment, which is more likely to become law than most of the changes lawmakers have proposed." These amendments are focused on rules governing transparency, risk analysis and coordination of AI policy for U.S. federal agencies. Other proposals focus on inserting existing social media and content moderation bills into the legislation. 

The only privacy-relevant proposal Lima uncovered is that from Sens. Ted Cruz, R-Texas, and Maria Cantwell, D-Wash., who together head the Senate's Committee on Commerce, Science and Transportation. They are pushing for the inclusion of their bipartisan bill, the Informing Consumers about Smart Devices Act, which would require the Federal Trade Commission to create reasonable disclosure guidelines for consumer products that include cameras and microphones.

Congressional activities are heating up across the board. Sen. Cantwell scheduled a markup for next week of the Kids Online Safety Act (S-3663) and the Children and Teens' Online Privacy Protection Act (S-1628). To catch up on the most recent version of KOSA, you can review my collaborative redline produced with the Future of Privacy Program's U.S. Legislation team. The other bill, known to wonks as COPPA 2.0, is a little harder to show changes for, as it consists of line-by-line adjustments to the original Children's Online Privacy Protection Act. Nevertheless, we will be watching closely next week to see how Senate conversations have evolved around both bills, which are likely to be voted out of committee, as they were last year. Neither bill has been introduced in the House.

Speaking of the House, there is no real word yet on when the bill to replace the American Data Privacy and Protection Act will be introduced, but if it is not released before the August recess, it is unlikely to be seen as priority legislation. Multiple reports have indicated that House Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., has been working with Republican colleagues to adjust last year's bill to be more palatable to Republican leadership. Taking the time to get this right is important, as too much deviation from last year's delicate agreement could re-open old debates around private rights of action and preemption of state laws.

If it does return, ADPPA's replacement will be entering a different political environment than last year — and a reality where the number of states with comprehensive consumer privacy laws has more than doubled. At the same time, many of ADPPA's innovations remain highly relevant to the major policy issues of the 118th Congress, not just around privacy but also around guardrails for AI-powered systems.

Meanwhile, the House Judiciary Committee voted to advance the bipartisan Fourth Amendment is Not for Sale Act (H.R. 4639) out of committee. The legislation would restrict government acquisitions of data from data brokers, an issue that has become a sticking point in the Energy and Commerce Committee. Original sponsor Sen. Ron Wyden, D-Ore., hinted that he would be including the bill's language in a more comprehensive surveillance reform bill in the coming weeks.

Lawmaker activity seems to track the weather patterns. As things heat up, it is good to keep a cool head.

Here's what else I'm thinking about:

  • The White House announced that leading AI companies have committed to a set of high-level goals for reducing the risk of AI. Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI committed to prioritize safety, security and trust. The general principles include a commitment to prioritize "research on the societal risks that AI systems can pose, including on avoiding harmful bias and discrimination, and protecting privacy." More acutely, they include a commitment to develop "robust technical mechanisms to ensure that users know when content is AI generated, such as a watermarking system."
  • Another warning about using online tracking technologies in the context of health-related data. The U.S. Federal Trade Commission and the U.S. Department of Health and Human Services Office for Civil Rights sent joint letters to 130 companies warning them about the risks of disclosing personal health information to third parties via improperly customized third-party integrations. This follows HHS's guidance for HIPAA-covered entities last year, though the new warnings and the FTC's recent case law make clear that similar restrictions could extend to any company that touches health-related data. For more about where law and policy are headed around tracking technologies, see the recent article on the half-baked future of cookies by Westin Research Fellow Anokhy Desai, CIPP/US, CIPM, CIPT.
  • The FTC will consider approving a new method of verified parental consent under COPPA. Commenters have approximately 30 days to weigh in on whether the FTC should grant the application from the Entertainment Software Rating Board, Yoti and SuperAwesome for approval of "privacy-protective facial age estimation" as a method of VPC under COPPA. Writing for Privacy Perspectives, ESRB's Stacy Feuer, CIPP/US, explained the reasoning behind the organization's application.
  • More summer reading. Here's a quick roundup of some more great new work: The New York Times' Kashmir Hill covered concerns around the use of generative AI systems to identify faces. Keir Lamont wrote in his Patchwork Dispatch about the series of important takeaways from the California Privacy Protection Agency's most recent board meeting. The Bipartisan Policy Center released a report on the wide variety of legislative proposals that would impact algorithmically curated content systems. And the Data Transfer Initiative's Delara Derakhshani wrote about the importance of investing in data portability standards.

Please send feedback, updates and amendments to cobun@iapp.org