The debate over reauthorization of Section 702 of the Foreign Intelligence Surveillance Act will be a hot topic in privacy circles right up to the December 2023 deadline. On 28 Sept., U.S. Privacy and Civil Liberties Oversight Board stirred the pot with a new report on the foreign surveillance tool's effectiveness and recommendations to consider in 702's reauthorization discussion. The report was approved by a 3-2 vote that was split along party lines with Republican board members dissenting. T... Read More

U.S. Rep. Nancy Mace, R-S.C., chair of the House Oversight Committee's Cybersecurity, Information Technology, and Government Innovation Committee, proposed the Federal Cybersecurity Vulnerability Reduction Act, The Record reports. The proposed legislation would require federal contractors to enact policies consistent with National Institute of Standards and Technology guidelines. Mace said the proposal would "ensure a proactive approach to cybersecurity, enabling contractors to identify and addr... Read More

A poll of 1,001 registered U.S. voters conducted by the Artificial Intelligence Policy Institute found the majority want federal regulation of AI, ZDNet reports. Fifty-six percent of those polled support federal regulation and 82% said they do not trust technology leaders to tackle regulation independently. Sixty-two percent reported concerns about AI, with 86% saying they believe it could "accidentally cause a catastrophic event." Editor's note: Explore the IAPP AI Governance Center and subscri... Read More

The U.S. Senate Committee on Commerce advanced two bipartisan bills to enhance protections for children online, in a move lawmakers called "critical" in addressing a "sobering" crisis. The committee voted favorably to move the Kids Online Safety Act and the Children and Teens' Online Privacy Protection Act, leaving both eligible for consideration by the full Senate. The approvals came days after U.S. President Joe Biden directly endorsed the bills and reiterated he is been calling for enhanced ... Read More

On 10 July, the two final pieces fell into place to create a new lawful basis for transferring personal data from the EU to the U.S., implementing the EU-U.S. Data Privacy Framework announced last October. U.S. Attorney General Merrick Garland designated the EU and the European Economic Area as "qualifying states" under President Joe Biden's Executive Order 14086.  That same day, the EU issued its final decision that the U.S. provides "adequate" protection of privacy, making it clearly lawful f... Read More

Even 10 years on, Edward Snowden's disclosures of U.S. government surveillance programs continue to make an impact on law and policy debates, particularly those involving privacy. His actions changed the coordinates of discussions not only about the balance between national security and privacy but about whistleblowing, journalism, trust in government and freedom of information. While the disclosures may have provided some answers, they generated at least as many new questions. Indeed, the pictu... Read More

U.S. Congress is prioritizing the establishment of rules for the deployment and use of artificial intelligence. While various proposals have begun to surface in recent weeks, Sen. Chuck Schumer, D-N.Y., has stepped up with arguably the most comprehensive plan yet. Speaking at the Center for Strategic and International Studies, Schumer unveiled a two-part strategy to "move us forward on AI" with "one part framework, one part process." The former component of the strategy is the "Securities, Acc... Read More

In 2012, Electronic Frontier Foundation co-founder and Grateful Dead lyricist John Perry Barlow spoke from the IAPP stage to warn about U.S. government surveillance. As a privacy reporter at the time, much of my writing focused on commercial aspects of privacy, particularly with regard to data breaches. Less than a year later, in June 2013, a series of high-profile disclosures rippled throughout the world and changed the calculus for the privacy profession.  Hard to believe it's now been 10 yea... Read More

As automated systems rapidly develop and embed themselves into modern life, policymakers around the world are taking note and, in some cases, stepping in. Earlier this year, the Biden administration took an early step by releasing a Blue Print for an AI Bill of Rights. Comprising five main principles, as well as what should be expected of automated systems, while offering a slate of real-world examples of the potential harms and benefits of artificial intelligence, the Blueprint is a must-read f... Read More

U.S. Sens. Bill Cassidy, R-La., and Ed Markey, D-Mass., reintroduced the Children and Teens' Online Privacy Protection Act 2.0, which they said updates online privacy protections for children and teens for the 21st century. The bill prohibits internet companies from collecting personal data of users aged 13-16 without consent, bans targeted advertising to children and teens, covers platforms "reasonably likely to be used" by children, and establishes a "Digital Marketing Bill of Rights for Teens... Read More

During the 36th hearing held in U.S. Congress on privacy and data security over the last five years, members of the House Energy and Commerce Committee's Subcommittee on Innovation, Data, and Commerce again heard calls for comprehensive privacy legislation, namely the American Data Privacy and Protection Act.   The hearing, held Thursday, 27 April, focused on the need for a federal law to fill what Subcommittee Chair Gus Bilirakis, R-Fla., called a "piecemeal sector-specific approach" with exis... Read More

U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., refiled the Online Privacy Act. The comprehensive federal privacy proposal offers user data rights, requires limitations and obligations on data practices and establishes a data protection authority. The bill also sets a legislative floor that allows state legislatures to go beyond OPA provisions as they see fit. Californian members of U.S. Congress, including Eshoo and Lofgren, are against the proposed American Data Privacy and Protect... Read More

Privacy regulators around the world are increasingly growing curious and skeptical about generative artificial intelligence deployments. U.S. Federal Trade Commissioner Alvaro Bedoya is not among those worried about a lack of regulation to address any privacy issues stemming from rampant use of the fast-growing technology. From the keynote stage at the IAPP Global Privacy Summit 2023 in Washington, D.C., Bedoya told privacy professionals existing U.S. statutes at a sectoral level do in fact cov... Read More

U.S. President Joe Biden announced the National Cybersecurity Strategy, which aims to "secure the full benefits of a safe and secure digital ecosystem for all Americans." Notably, the Biden administration's strategy seeks to "rebalance the responsibility to defend cyberspace" and place obligations on "the organizations that are most capable and best-positioned to reduce risks for all of us." Privacy and data security are mentioned under the strategy's intended approach to "shape market forces to... Read More

U.S. Congress made bipartisan progress on comprehensive federal privacy legislation last year, advancing the proposed American Data Privacy and Protection Act to the cusp of a U.S. House floor vote. The prioritization was no fluke and the 118th Congress is compelled to prove as much with eyes toward finalizing a national standard again this year. A step forward for 2023 federal privacy law prospects came with the latest Congressional hearing dedicated to privacy hosted by the House Committee on... Read More

The State of the Union address has a long history in the United States, going back to the Constitution and birth of the Republic, when President George Washington set the precedent by sharing his report on the country with both houses of Congress. That tradition did not last long, however, as less than a decade later, Thomas Jefferson, the nation’s third president, simply presented the legislature with a written report. Fast forward to the early 20th century and find that Woodrow Wilson revived... Read More

The U.S. Congressional Research Service issued a report on potential ways to update the Computer Matching and Privacy Protection Act, a law passed in 1988 to establish “procedures for agencies when they disclose and match data on individuals for certain purposes.” The report outlined changes such as “clarifying the scope of the CMPPA, developing an accurate accounting of matching programs … and assessing regulation and oversight of data matching.”Full Story... Read More

The wait for a finalized agreement to solidify EU-U.S. data flows is winding down. The latest step forward in the process came with U.S. President Joe Biden's long-awaited executive order mandating new legal safeguards over U.S. national security agencies' access and use of EU and U.S. personal data. The order comes more than six months after Biden and European Commission President Ursula von der Leyen announced an agreement in principle on the EU-U.S. Data Privacy Framework. Talks for that agr... Read More

The newly released White House executive order implementing the long-awaited EU-U.S. Data Privacy Framework clears a path for trans-Atlantic business and diplomacy alike. Since the Court of Justice of the EU’s “Schrems II” decision invalidated Privacy Shield more than two years ago, personal data flows from the EU to the U.S. have been legally questionable. Some might argue, data transfers were effectively banned. Enforcement actions have only trickled out, but their precedential and deterrent ... Read More

Twitter’s former head of security, Peiter Zatko, revealed his prior employer lagged a decade behind cybersecurity standards. This statement was one among several shocking disclosures he shared with members of the U.S. Senate Judiciary Committee during a hearing Sept. 13. Zatko, who worked at Twitter from November 2020 through January 2022, was called to testify to the committee after he filed a whistleblower complaint with the U.S. Federal Trade Commission and Securities and Exchange Commission... Read More

Prospects for a landmark vote in the U.S. House on the proposed American Data Privacy and Protection Act boil down to House Speaker Nancy Pelosi, D-Calif., who decides when or if the comprehensive privacy bill's number will be considered on the House floor. Pelosi did not take a side upon the ADPPA becoming available for a floor vote just ahead of U.S. Congress' summer recess, leaving many wondering where the chips would fall when federal lawmakers returned to work Sept. 6. Following weeks of u... Read More

If businesses thought August would bring a lull from the breakneck pace of privacy policymaking — including a draft federal privacy law, five new state privacy laws and a dizzying array of global privacy regulations from the EU to China to Japan — the U.S. Federal Trade Commission had other plans. Announcing an ambitious Advance Notice of Proposed Rulemaking, the FTC has put in motion a process that privacy advocates have dreamt about for years, promulgating trade regulations in privacy and data... Read More

Many privacy regulations — such as the EU General Data Protection Regulation and the California Consumer Privacy Act — aim to protect consumers’ personally identifiable data from abuse, misuse and overuse. Yet personal data continues to be legally collected, aggregated, analyzed, packaged and resold. Information brokering has now become a revenue stream for many commercial organizations. The information broker industry has emerged to profit from brokering consumer data. Industry trade groups, l... Read More

Tuesday's much-anticipated federal privacy law hearing hosted by the U.S. House Energy and Commerce Committee's Subcommittee on Consumer Protection and Commerce had a different vibe than what onlookers have become accustomed to when Congress discusses privacy matters. Past hearings — they've come in waves at the same time of year over the last three-or-so years — brought clear divides, separate agendas and no consensus among lawmakers on how to arrive at a solution. The proposed American Data P... Read More

On Tuesday, June 14, the U.S. House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act discussion draft — a leading contender for a comprehensive federal privacy framework. The famed sticking points of individual redress mechanisms, preemption of state laws and the role of the U.S. Federal Trade Commission — the law’s likely federal enforcer — were among the slew of debated aspects. However, the cybersecurity provisions and data security requirements ... Read More

As the policy community takes time to absorb and reflect on the substantive provisions of the draft American Data Privacy and Protection Act, it is worth exploring the basic scope of application of the bill. What organizations would be expected to comply? How do obligations differ based on size or function in the data economy? The ADPPA presents a somewhat complex array of organizational roles, with different names than privacy professionals may be used to. For example, what’s the difference bet... Read More

Members of U.S. Congress appear to be full-steam ahead in their pursuit of finalizing comprehensive federal privacy legislation by year's end. A day after revelations of a draft bill circulating, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act for full public consumption. U.S. Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., and House Committee on Energy and Commerce's Frank Pal... Read More

Publicly released last Friday, the discussion draft of the American Data Privacy and Protection Act gave the privacy community plenty of food for thought for the weekend. Initial impressions and analyses of the text ranged from “very promising,” “a valuable first step,” and “hugely impactful” to “not bad.” Omer Tene perhaps described it most poetically as: “a tsunami that may yet make GDPR seem like a storm in a teacup.” Jim Steyer, founder and CEO of Common Sense Media, said that while the dra... Read More

People are justifiably excited about the American Data Privacy and Protection Act. It’s the most significant bipartisan privacy legislation introduced in more than a decade, and it represents a sincere attempt to move beyond the ineffective “notice and choice” approach to privacy that has been the hallmark of U.S. legislators since the days of dial-up modems. The ADPPA has many interesting parts, which have been well-explained by others. But possibly the most significant part of the bill—and the... Read More

The Supreme Court of the United States is front and center this week after Politico reported on a leaked initial draft majority opinion by Justice Samuel Alito on the 1973 Roe v. Wade decision. The Supreme Court Tuesday confirmed the leaked draft is authentic. However, Chief Justice John Roberts said the decision on the case is not yet final.  The draft opinion, in which Alito states that "Roe was egregiously wrong from the start," would repudiate the guarantee of federal constitutional protect... Read More

As Judge Ketanji Brown Jackson is making headlines and history as the first Black woman confirmed to serve on the United States Supreme Court, the privacy community is exploring the related privacy law experience she brings to the Court and what her appointment could mean for future decisions. During nomination hearings in March, Jackson faced two days of questioning from members of the Senate Judiciary Committee on her qualifications, sentencing record as a U.S. District Court judge for the Di... Read More

United States National Cyber Director Chris Inglis said there is plenty of room for both the technology and privacy industries, and the intelligence gathering and national security arms of the federal government to coexist in cyberspace without their core missions colliding. Inglis laid out a vision for creation of what he called a new “social contract” between the technology and privacy industries, and U.S. national security cyber apparatuses during a discussion facilitated by Morrison & F... Read More

A day after Apple CEO Tim Cook called for a U.S. federal privacy law from the keynote stage at the IAPP Global Privacy Summit 2022, Microsoft President and Vice Chair Brad Smith took the urging up a notch in his own keynote address Wednesday. Smith not only made clear that Microsoft was in favor of U.S. Congress acting on federal privacy legislation, but went further with criticism regarding the lack of action on Capitol Hill. He noted that legislation is "not just needed, but long overdue" and... Read More

U.S. Federal Trade Commission Chair Lina Khan will make her first public address focused on privacy issues as chair during the upcoming IAPP Global Privacy Summit in Washington, D.C., an opportunity privacy leaders hope she takes to clearly articulate her privacy visions and plans for the agency. “This speech is an important occasion for Lina Khan — an opportunity to lay out a strong vision and engagement on privacy for a global audience,” said The Brookings Institution Ann R. & Andrew H. T... Read More

Short, strong and to the point. That's what U.S. President Joe Biden angled for with comments on improving children's privacy and online safety in his State of the Union Address Tuesday night. The White House tipped the public off to Biden's planned remarks, giving the privacy community something to look forward to with the address. While the president's words didn't stray from what was prepared, the message was crystal clear. "It's time to strengthen privacy protections, ban targeted advertis... Read More

A data minimization requirement, a mandate to use multi-factor authentication, direct notice to consumers with an admission of wrongdoing, monetary relief. There’s a lot to pay attention to in the U.S. Federal Trade Commission’s proposed settlement with the current and former owners of CafePress, announced March 15. IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, has done an excellent job of teasing out the privacy lessons hidden in what is, on its surface, a data ... Read More

From the harms caused by targeted advertising, to the importance of protecting children online, to the need for a comprehensive federal privacy law, a wide-ranging U.S. House committee hearing Tuesday explored legislative ways to protect online users. In its third hearing on the topic, the House Committee on Energy & Commerce’s Subcommittee on Consumer Protection and Commerce discussed the proposed Banning Surveillance Advertising Act of 2022, Algorithmic Accountability Act of 2022, Digital... Read More

As the debate rages on regarding whether the U.S. Federal Trade Commission should or could begin rulemaking on privacy, the commission has signaled it is not willing to wait for a consensus. On Dec. 10, the FTC filed an Advanced Notice of Proposed Rulemaking with the Office of Management and Budget that initiates consideration of a rulemaking process on privacy and artificial intelligence. The filing describes the FTC's intent as seeking to "curb lax security practices, limit privacy abuses, an... Read More

The U.S. Department of Justice announced the U.S. and Australia entered into a crime data sharing agreement under the Clarifying Lawful Overseas Use of Data Act. The DOJ said the agreement will allow law enforcement from both countries to trade electronic data in efforts to "prevent, detect, investigate and prosecute" a range of serious crimes, including ransomware attacks. The deal will be carried out with "strong protections for the rule of law, privacy and civil liberties," according to the D... Read More

During the first U.S. Senate privacy hearing of the year before the Committee on Commerce, Science, and Transportation Wednesday, former members of the Federal Trade Commission said the agency is lacking resources to handle the privacy and data protection challenges of today’s digital world, while Sen. Roger Wicker, R-Miss., called on the Biden administration to appoint a senior staffer to lead the charge on a federal privacy law. The former FTC officials urged enhanced enforcement authority fo... Read More

A study by the Associated Press-NORC Center for Public Affairs Research and MeriTalk found a majority of Americans believe the federal government can improve citizens’ online data security. More than 7 in 10 adults believe personal data security should be a national security issue, and national standards for the collection, processing and sharing of personal data should be established by the federal government. Sixty-one percent say the federal government should “devote a good deal of time to da... Read More

As the August recess commences, it seems an opportune moment to consider the legislative developments around privacy in the 117th U.S. Congress. More than halfway into 2021, dozens of privacy-related federal bills have been introduced that, if passed, would have a major impact on how organizations handle personal data and the rights afforded to individuals. Yet, these efforts in Congress toward passage of a new federal privacy law have received less attention as state-level privacy legislation ... Read More

In the U.S., class actions are a popular enforcement mechanism to compensate consumers, including for alleged violations of state and federal privacy laws and data breaches. While there is no federal comprehensive data privacy law in the U.S., there are a number of state and federal privacy-related laws, like Illinois’ Biometric Information Privacy Act, the California Consumer Privacy Act and the federal Fair Credit Reporting Act, that are frequently the basis for class action claims. While thes... Read More

Prospects for a federal privacy law in the U.S. ramped up in recent years, but nothing has come close passing even though data protection is a bipartisan issue. At the same time, U.S. state activity is swarming and many countries around the world are developing and implementing their own national privacy laws. So what’s it going to take for the U.S. to pass a federal law? Rep. Suzan DelBene, D-Wash., was the first congressional lawmaker to propose federal privacy legislation in 2021. Her bill re... Read More

U.S. government surveillance bubbled back up in headlines in recent weeks. Portugal's data protection authority, the National Data Protection Commission, halted transfers of data to the U.S. after complaints that census data were being sent back to the U.S. The same week, a U.S. Foreign Intelligence Surveillance Court decision was published, in which it renewed a U.S. surveillance program even though it found some Federal Bureau of Investigation employees illegally accessed email data. This come... Read More

How do the privacy protections in the Gramm-Leach-Bliley Act — the well-known banking law — help consumers? The short answer is that the GLBA does almost nothing to help consumer privacy. Understanding that the GLBA is essentially a privacy fraud is important because exemptions for the GLBA are features of some state and federal privacy bills. Let’s look at the provisions of the GLBA. The privacy part of the law provides two — and only two — provisions for consumers. First, each financial insti... Read More

Observers of the debate around the potential for a new federal data privacy law know that dozens of relevant bills have been introduced and debated in U.S. Congress over the past couple of legislative sessions. While they make for good reading and discussion material, do any of them have a realistic shot at survival? If so, which of them are the most likely to eventually make their way into law? As the IAPP continues to track these proposals, a very basic but important realization should come i... Read More

The attention of a U.S. privacy pro is divided pretty well these days. First and foremost, compliance efforts for the California Consumer Privacy Act are underway. But there's also other laws — both domestic and international — to consider, along with heightened focus on incident response and prevention. Regardless of how occupied privacy pros' minds are these days, there likely remains a space carved out for the unknown that is: a potential federal U.S. privacy law. Momentum for federal legisl... Read More

"I don't know what you mean by 'glory,'" Alice said.     Humpty Dumpty smiled contemptuously. "Of course you don't — till I tell you. I meant 'there's a nice knock-down argument for you!'"    "But 'glory' doesn't mean 'a nice knock-down argument,'" Alice objected.    "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean — neither more nor less."    "The question is," said Alice, "whether you can make words mean so many different things."   ... Read More

At a hearing at the U.S. Senate Committee on Commerce, Science, and Transportation June 25, lawmakers aimed to determine what kind of government intervention, if any, is necessary for artificial intelligence given that companies are competing for "optimal engagement" from internet users, something that is often achieved through user manipulation and without their knowledge.  "While there must be a healthy dose of personal responsibility when users participate in seemingly free online services, ... Read More

The U.S. Congress is currently considering a number of competing bills aimed at implementing a federal privacy law. Although the details of each proposal vary, such a law would have a profound effect on how an individual’s personal data may be used, shared and protected. Still, the specifics of a new federal privacy regime remain unclear. According to the Brookings Institution: “Many questions, such as the size and type of entities covered; individual rights of access, correction, and deletion;... Read More