While there is little sign that the American Data Privacy and Protection Act will be (re)introduced to Congress any time soon, 2023 has already been marked by both new and previously introduced federal privacy bills vying for lawmakers' attention, scrutiny and support. To further complicate matters, however, federal privacy discussions this year confront several additional entanglements. From the passage of new state privacy laws, to proposed legislation on artificial intelligence governance, to numerous efforts to reform U.S. surveillance law, multiple issues are intersecting with privacy lawmaking efforts at the federal level. Given these recent developments, it is worth examining in more detail the privacy-related legislation proposed within the current Congress to better understand where the federal privacy debate has been recently and where it may be headed.

Comprehensive consumer privacy bills

Within the 118th Congress, at least six bills related to consumer privacy have been introduced through the first half of 2023. Two of these, the Data Care Act of 2023 and the Online Privacy Act of 2023, fall into the omnibus or comprehensive category, establishing a broad range of business obligations and consumer rights. In addition, both bills are modified reintroductions of legislation that appeared in previous years.

Data Care Act

The Data Care Act of 2023, sponsored by Sen. Brian Schatz, D-Hawaii, imposes various duties — a duty of care, duty of loyalty and duty of confidentiality — on online service providers. The duty of care is essentially a cybersecurity provision, requiring online service providers to "reasonably secure individual identifying data from unauthorized access" and to inform users of any breaches of this duty. The duty of confidentiality places conditions on a service provider's disclosure or sale of individual identifying data. The duty of loyalty is perhaps the most novel of the three. It prohibits the use of consumer data in ways that "benefit the online service provider to the detriment of an end user."

Within U.S. privacy law, the duty of loyalty has gained attention over the years. In addition to Sen. Schatz's legislation, a duty of loyalty has also been included in a prior iteration of the New York Privacy Act, though the version from the current 2023-24 session includes only a duty of confidentiality. And, both the bipartisan ADPPA and the Consumer Online Privacy Rights Act, introduced in the prior Congress and sponsored by Sen. Maria Cantwell, D-Wash., include a duty of loyalty. Yet, while the duty of loyalty concept in privacy law has been articulated perhaps most eloquently by Professors Neil M. Richards and Woodrow Hartzog in "Duty of Loyalty for Privacy Law," each piece of privacy legislation interprets the duty of loyalty in a different way. Indeed, the contents of its provisions differ substantively from bill to bill.

Although the Data Care Act was previously introduced in the 115th, 116th and 117th Congresses, the current version secured more co-sponsors, with 19 in the Senate, than any of its prior manifestations.

Online Privacy Act

The other comprehensive consumer privacy bill, the Online Privacy Act of 2023, sponsored by Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., is also a slightly modified version of previously introduced legislation, as it first appeared in 2019 and then again in 2021. While it resembles the basic framework of most other comprehensive privacy bills — providing rights to access, correction, deletion, portability, human review of automated decisions, etc., along with requirements for covered entities, including data minimization, prohibitions on disclosure of personal information, notice and consent processes, and privacy policies — it may be the only proposal to establish a new federal entity, the Digital Privacy Agency. The bill vests the agency with certain powers as well as transfers power from the Federal Trade Commission in prescribing rules, issuing guidelines and enforcing federal privacy laws, including the FTC Act, insofar as enforcement pertains to "unfair or deceptive acts or practices relating to privacy, information security, identity theft, data abuses, and related matters."

Narrow consumer privacy bills

The four other bills related to consumer privacy are more limited in scope. They each touch on issues that have defined the federal privacy debate and are worth considering as their provisions may reappear or shape a future compromise privacy bill.

Informing Consumers about Smart Devices Act

The Informing Consumers about Smart Devices Act is the only bipartisan, bicameral piece of consumer privacy legislation that has been introduced this session. The others are solely sponsored by Democrats. In the Senate, the act is cosponsored by Chair and Ranking Member of the Commerce, Science and Transportation Committee Sen. Ted Cruz, R-Texas, and Sen. Cantwell, while in the House of Representatives it is sponsored by Rep. John Curtis, R-Utah. Narrow in scope, the bill requires smart device makers to disclose that a camera or microphone is included in a device to consumers prior to purchase. It does not apply, however, to mobile phones, laptops or other devices that a reasonable consumer would expect to have a camera or microphone.

Yet, like the others, this is not a new piece of legislation. It was previously introduced in both the 117th and 116th Congresses—again, in the Senate by Cruz and in the House by Curtis.

The UPHOLD Privacy Act

The Upholding Protections for Health and Online Location Data Privacy Act, sponsored by Sen. Amy Klobuchar, D-Minn., establishes protections for personally identifiable health and location data. This is one of several bills proposed in the wake of the Dobbs decision overturning Roe v. Wade, aimed at preventing the collection and sale of health and location data "that could be used to identify women seeking reproductive health care services." These bills align with President Joe Biden's July 2022 executive order intended to protect the privacy of abortion-related data, which also prompted the Department of Health and Human Services and the FTC to "use their statutory authorities to protect this data."

In terms of its main provisions, the UPHOLD Privacy Act:

  • Prohibits the use of health data in commercial advertising.
  • Establishes minimization requirements for the collection, retention, use, disclosure and employee access to data.
  • Prohibits sale of location data to and from data brokers.
  • Establishes rights of access and deletion.

Exceptions to the bill include "publication of newsworthy information of legitimate public concern," issuance of public health campaigns and compliance with the Health Insurance Portability and Accountability Act. Violations would be enforced jointly by the FTC, under its Section 5 authority, and through an individual private right of action. It would preserve, rather than preempt, state laws that provide greater protection.

The DELETE Act

The Data Elimination and Limiting Extensive Tracking and Exchange Act is another previously introduced bill that reappeared in the 118th Congress. First proposed in both the House and the Senate last year, the bipartisan, bicameral DELETE Act would direct the FTC to establish a centralized system allowing individuals to request deletion of their personal information from data brokers. Data brokers, defined in the bill as entities that knowingly collect or obtain the personal information of individuals with whom the entity does not have a "direct relationship," would have to register annually with the FTC.

A similar bill, SB 362, the Delete Act, was also recently approved by the California Senate. Mirroring the federal bill, SB 362 would require data brokers to register with the California Privacy Protection Agency and provide a centralized system for Californians to freely request any personal information held by data brokers to be deleted. The so-called "data brokerage ecosystem" that would be regulated by these bills was also the subject of the "Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy" hearing by the House Energy and Commerce Oversight and Investigations Subcommittee in April. In her testimony urging Congress to act, Georgetown University Law Center Professor Laura Moy argued "people are not okay with the status quo" and they "overwhelmingly express dissatisfaction regarding this lack of control" of the information data brokers hold about them. She also explained how the "booming" data broker industry "does real harm to real people in a multitude of ways," such as by fueling scammers, enabling predatory marketing, facilitating stalking and harassment, helping law enforcement agencies circumvent constitutional protections, disseminating inaccurate information, increasing data breach vulnerabilities, and putting minors at risk.

Stop Spying Bosses Act

Lastly, the Stop Spying Bosses Act, as its name implies, focuses on providing workplace privacy for individuals. This bill would require any employer who engages in surveillance of, or data collection about, its employees or applicants to disclose:

  • What data is collected.
  • How it is used.
  • How such surveillance affects workers' performance assessments.

Certain types of employee workplace surveillance are also prohibited by the bill, including monitoring activities related to labor organizations, collecting health information unrelated to job duties, monitoring off-duty workers and using automated decision-making, including machine learning or AI techniques, to predict the behavior of workers unrelated to their jobs. The bill would also establish a new Privacy and Technology Division within the Department of Labor to enforce the law, in conjunction with state attorneys general and individuals via a private right of action.

What next?

While other pieces of U.S. federal privacy legislation have been introduced in the 118th Congress, the above represent only the consumer-centric privacy bills. Although many such bills will be introduced this session, the ones proposed so far have unique provisions, from the Data Care Act establishing a "duty of care" to the Online Privacy Act overhauling the FTC's privacy enforcement authority to the DELETE Act bringing regulation to an industry that has mostly been operating without oversight.

Paradoxically, the increasing number of comprehensive state privacy laws may be both a cause and an effect of the absence of federal legislation. As Joe Duball explains in his state privacy dispatch, one of the biggest reasons more state legislators are working on privacy legislation is lack of such movement in Congress. The effect of the continued passage of comprehensive state privacy laws on the prospects for a federal comprehensive privacy law remains a key question.

The partisan dynamics around state-level privacy lawmaking, highlighted by Cobun Zweifel-Keegan, as well as the interplay between the federal and state levels are fascinating. Yet the scenario in which companies must comply with 50 different U.S. privacy standards does not seem to be materializing. This is, at least in part, due to the way state lawmakers have communicated with their counterparts in other states to ensure some consistency across the state privacy laws and avoid the emergence of a "patchwork" of legislation.

Discussions around federal privacy continue to be shaped by numerous competing priorities and agendas. Ongoing legislative and executive focus on issues such as children's privacy and reproductive health privacy, for example, may tip the scales in favor of a narrower privacy bill over a comprehensive or omnibus one passing at the federal level. Were any one of these bills — whether comprehensive or narrow — to become law, it would have a significant impact on U.S. privacy rights and the future trajectory of such rights.