top of page

Where federal privacy legislation attempts in the United States stand in 2023

Is it possible for Congress to approve comprehensive federal data privacy laws by 2023? If not, may another government agency fill the void?

Experts feel there are various options.

At the federal level, the regulation most likely to be enacted in 2023 with an impact on data privacy won't come from Congress or the Federal Trade Commission (FTC) but could instead be contained within a cybersecurity rule under consideration by the Securities and Exchange Commission (SEC), said Vivek Mohan, partner at Gibson Dunn and former senior global privacy law and policy attorney at Apple.

“With the gridlock in Congress, I don’t see a change in circumstances” that would lead to passage of a federal data privacy law, he said.

According to the SEC's proposed cybersecurity rule, corporations must report material cybersecurity incidents no later than four business days after they occur, including information on whether any data was stolen, steps taken to remedy the incident, and how operations were impacted.

“There is always an overlap between privacy and cybersecurity,” Mohan said.

The rule would force public firms to report their cybersecurity protocols in the case of a data breach, as well as whether the breach revealed flaws in the company's risk management methods. The answer is simple: don't do it. The question is, should you do it?

The SEC is scheduled to finalise the regulation later this year.

What about the United States Congress?

Of course, there is a chance that a divided Congress will agree on a bipartisan data privacy bill in 2023.

President Joe Biden encouraged lawmakers to do so in his State of the Union address on Feb. 7, saying, “[I]t’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.”

In 2022, data privacy legislation in Congress advanced further than ever before. The House Committee on Energy and Commerce reported the American Data Privacy and Protection Act (ADPPA), but it was never brought up for a vote by the full chamber. The bipartisan initiative proposes mandating firms to limit personal data collecting and apply specified security procedures, as well as giving consumers the ability to access, modify, and delete personal data and opt out of targeted advertising.

“There does seem to be some momentum to get something done,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals. “Many in Congress want to build on the hard work they already put into the ADPPA.”

The inability of Congress to reach a deal on a national data breach notification standard indicates that lawmakers are unlikely to reach an agreement on the far more challenging matter of comprehensive data privacy legislation, according to Mohan.

One new political justification by Republicans in support of implementing privacy legislation has been decreasing the competitive gap between the United States and other nations, especially China and the European Union, that already have such laws in place.

"With a divided Congress, it will be tough to pass anything. But there are rays of hope," Zweifel-Keegan remarked. "The onslaught of state measures will continue to put pressure on Congress to act, especially if they begin to differ."

The California Privacy Rights Act went into effect on January 1, adding to the existing California Consumer Privacy Act and establishing the country's first state data privacy agency, the California Privacy Protection Agency. Virginia's privacy law went into effect on January 1st, and it will be followed by new regulations in Colorado (July 1), Connecticut (July 1), and Utah (July 1). (Dec. 31).

There are two points of contention about features that have essentially failed previous attempts at federal data privacy legislation: preemption of state data privacy laws, which is supported by many Republicans, and the right to private action, which is supported by some Democrats. States like California are likely to vigorously reject a federal measure that provides fewer consumer safeguards than their own statute. Yet Republicans and the business sector are sure that enabling consumers to sue in federal court will harm both large and small enterprises.

Instead of a separate law, Congress may include data privacy legislation in a larger one, such as the Pentagon funding bill.

The FTC comes to the rescue?

The FTC released an advance notice of proposed rulemaking in August, intending to penalise companies that suffer data breaches due to insufficient cybersecurity safeguards, as well as firms that engage in abusive commercial surveillance techniques.

According to the FTC, the greatest risk comes from organisations that collect personal data from their consumers, such as user geolocation or facial recognition photos, dates of birth, Social Security numbers, and purchasing histories, and then leave it exposed to theft by hackers.

Mayer Brown lawyer Christopher Leach, a former solicitor in the FTC's Division of Financial Practices, emphasised that the agency is "still a long way from a rule." Even if a rule is proposed, he believes the process will endure until the 2024 presidential election.

“This process they’ve chosen goes well beyond the notice and comment rulemaking at other agencies,” he said. “They don’t have a concrete idea of everything they want to do. … They have to prioritize what it is they want to do.”

If Congress passes a comprehensive data privacy bill in 2023, the FTC may be given some rulemaking authority. That would refocus the agency's attention on the subject.



bottom of page