This year, Congress is steadily progressing towards enacting meaningful legislation on artificial intelligence (AI) for the first time. At the end of 2023, Senate Majority Leader Chuck Schumer (D-NY) and his “Gang of Four” (Senators Todd Young (R-IN), Martin Heinrich (D-NM), and Mike Rounds (R-SD)) concluded their AI Insight Forums, a series of sessions where lawmakers discussed AI technology with industry leaders. Leader Schumer announced that senators are now beginning to work on AI legislation. He has reportedly empowered various Senate committee chairs to introduce legislation on topics within their jurisdiction related to AI and to begin the process of shaping those bills through their respective committees. For instance, it was reported by FedScoop that Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) is preparing to introduce a series of bills addressing AI issues, including deepfakes, jobs and training, algorithmic bias, digital privacy, national security, and innovation and competitiveness in the coming weeks and months. The initial focus of legislation may revolve around the clearest dangers posed by AI, including deepfakes and national security. Additionally, there is a growing interest in Congress regarding AI’s impact on elections, considering 2024 is an election year.

While the Senate initially led AI-related activity on Capitol Hill, the House of Representatives is now actively playing a more prominent role in the process. Last year, House committees held numerous hearings on the subject, led by House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA). Chair Rodgers is particularly focused on the intersection between data privacy and AI. She is reportedly working to update the bicameral, bipartisan consumer data privacy bill from the 117th Congress, the American Data Privacy and Protection Act (ADPPA). This year, the House Committee on Financial Services announced the formation of an AI working group to examine how AI is affecting the financial services and housing sectors, led by Reps. French Hill (R-AR) and Stephen Lynch (D-MA). Additionally, House Speaker Mike Johnson (R-LA) has expressed his interest in AI, and he met with OpenAI CEO Sam Altman last week to discuss opportunities and risks posed by AI. “The Speaker believes that Congress should encourage innovation, help maintain our competitive edge, and stay mindful of potential risks,” according to his office. It is likely the Speaker will increasingly exercise his new role to dictate House Republicans’ position on AI policy.

Overall, numerous bills have been introduced already this year, and committees have begun the year with AI-related hearings – with more to come. Meanwhile, the Biden Administration is in the process of carrying out the various mandates in President Biden’s Executive Order on AI.

Last week, the House of Representatives’ Committee on Energy and Commerce kicked off its first in a series of hearings surrounding the burgeoning topic of artificial intelligence (AI) with a hearing titled “Safeguarding Data and Innovation: Building the Foundation for the Use of Artificial Intelligence.”

While this was the first AI-focused Energy and Commerce hearing this year, Chair Cathy McMorris Rodgers (R-WA) noted it was the Committee’s seventh hearing focused on data privacy. Consumer data privacy is a major priority for Chair Rodgers. This first hearing demonstrated that she is keenly focused on the intersection between data privacy and the use of AI in the private sector. She emphasized the need for a national data privacy standard as a “first step towards a safe and prosperous AI future.” “Data is the lifeblood of artificial intelligence,” she said. “As we think about how to protect people’s data privacy, we need to be considering first and foremost how the data is collected and how it is meant to be used, and ensure that it is secured.”

Chair Rodgers is reportedly updating the bicameral, bipartisan consumer data privacy bill from last Congress, the American Data Privacy and Protection Act (ADPPA). While Representative Nancy Pelosi (D-CA) is no longer Speaker of the House and thus cannot block floor action to ensure California’s more stringent privacy standards are not eclipsed by federal action, the delay in selecting a new Speaker of the House and the likely backlog of other legislative action that will consume the House floor for the rest of the year suggests that the ongoing debate over technology policy will continue into next year.

Notably, the all-encompassing nature of AI technology means Energy and Commerce is not the only House committee examining AI-related issues under their jurisdiction. Last week, the House Committee on Science, Space, and Technology also held a hearing on risk management, and the House Committee on the Judiciary held a hearing on intellectual property.

On the Senate side, the “Gang of Four” – consisting of Majority Leader Chuck Schumer (D-NY) and Senators Todd Young (R-IN), Martin Heinrich (D-NM), and Mike Rounds (R-SD) – is rushing to present a workable framework for AI-focused legislation. The gang hosted its first “Insight Forum” to examine AI technology with industry powerhouses in September, and it is expected to host additional topic-based forums in the weeks and months to come. The second one, held this week, focused on “Innovation,” including AI’s potential to unlock transformational innovation – from healthcare to food supply – and the need to ensure that innovation is sustainable.

In the weeks leading up to the New Year, many lawmakers are working to present draft legislation on AI. Congressional committees and leaders will examine a host of issues related to the technology, its potential impacts on society, and how Congress can best legislate against its most ominous capabilities. Members of Congress will also continue to introduce bills addressing more targeted AI-related issues, such as recent legislation related to “deepfake” content and political ads. Meanwhile, expect President Joe Biden to use the powers at his disposal, including by executive order, to begin to shape the federal government’s approach to AI development and regulation without Congress.

The U.S. House of Representatives’ Committee on Energy and Commerce has now completed the third of three scheduled hearings in advance of drafting comprehensive privacy legislation. During the hearing last month, lawmakers focused in particular on the urgent need to address the data sharing risks of wildly popular apps.

The hearing is just the latest indication that Congress is interested in this legislative effort. When President Joe Biden called on Congress during his State of the Union address “to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data that companies collect on all of us,” he received bipartisan applause. But the American Data Privacy and Protection Act (ADPPA) failed to advance to the House or Senate floors last Congress. What are the chances that it will advance further this year?

The new version of the ADPPA has yet to be introduced, though we expect it could be released shortly. Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) is reportedly updating the bill with significant changes. It remains to be seen if she will have bipartisan, bicameral cosponsors for the new language and how fast it could be approved by the Committee.

Congress is deadline driven, with lawmakers often accelerating work when an authorization or funding is set to end. While the privacy bill has no deadline, Congress’ to-do list is already filling up prior to the end of the fiscal year (September 30). Lawmakers could provide themselves an extension on addressing the debt ceiling, Fiscal Year 2024 appropriations, omnibus agriculture legislation, and the Federal Aviation Administration reauthorization, among other bills, but they are more likely to focus on these immediate needs than other initiatives in the immediate future. This is especially true in the current environment, where Democrats have a narrow majority in the Senate and Republicans have a narrow majority in the House; consensus is needed for successful votes, and negotiations take time.

As we noted in our prior post, Rep. Nancy Pelosi (D-CA) is no longer Speaker of the House and thus cannot block floor action to ensure California’s more stringent privacy standards are not eclipsed by federal action. Current Speaker Kevin McCarthy (R-CA) has expressed interest in privacy legislation in the past.

Sen. Maria Cantwell (D-WA), however, remains the chair of the Senate committee with jurisdiction over privacy policy. Last Congress, she did not support the ADPPA, favoring her own legislation. This Congress, when questioned on legislation that could target social media apps, she told reporters that her “primary concern” is passing a data privacy bill – though she did not indicate which one or when. Her new Republican counterpart on the Committee, Sen. Ted Cruz (R-TX), has remained noncommittal on a timeline for comprehensive legislation.

In Congress, if there is a will, there is a way. While the legislative deliberation phase may be lengthened based on the full Congressional agenda and lawmakers’ preferences, a comprehensive privacy and data security law appears more likely to pass than ever before.

On March 15, 2023, after five public input sessions, a rulemaking hearing, and over 130 written comments, the Colorado Privacy Act (“CPA”) rules were officially finalized when the Colorado Attorney General’s Office completed its review and submitted them to the Secretary of State. The final rules will be published later this month and go into effect on the same day as the statute, July 1, 2023. Continue Reading Colorado Privacy Act Rules Finalized; To Be in Effect July 1

Following up on his Wall Street Journal op-ed in January, President Joe Biden has now directly called on Congress to act on privacy legislation.  Last week, he bluntly told lawmakers in his State of the Union address: “[I]t’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data that companies collect on all of us.”  During a speech that at times provoked partisan outbursts and rowdy responses, this portion was applauded by both sides of the aisle, confirming that enactment of privacy legislation remains a bipartisan issue – and thus opening the door for legislative momentum in 2023.

Last year, a bipartisan group of three prominent lawmakers – Rep. Cathy McMorris Rodgers (R-WA), Rep. Frank Pallone (D-NJ), and Sen. Roger Wicker (R-MS) – released a comprehensive national data privacy and data security framework, the American Data Privacy and Protection Act (ADPPA).  The ADPPA included compromises on two major areas that had been elusive for at least a decade: federal preemption of state laws and a private right of action to enforce the law.  While the legislation garnered many key endorsements, it failed to come to a vote in the full House of Representatives or to reach the Senate floor.  Certain members of the House’s California delegation, including then-Speaker Nancy Pelosi (D-CA), sought to ensure their state’s more stringent standards were not eclipsed by federal action.  In the Senate, Sen. Maria Cantwell (D-WA) never signed on to the original draft; she favored her own legislation.  As chair of the Senate committee with jurisdiction over the ADPPA, her support would have been a prerequisite for the bill to reach the Senate floor for a full vote.

Members of the 118th Congress were sworn in last month.  As a result of the change of control in the House, the landscape has changed significantly.  Rep. Nancy Pelosi is no longer Speaker.  The gavel is now held by a Californian from a different party – Speaker Kevin McCarthy (R-CA).  Speaker McCarthy has expressed interest in privacy legislation in the past and is not beholden to Silicon Valley.

The lawmakers who championed the bill previously continue to push it forward this year.  In a recent hearing, House Committee on Energy and Commerce Chair McMorris Rodgers expressed a need “to cement America’s global technological leadership,” which should “start by passing comprehensive privacy and data security protections with one national standard.”  The Ranking Member of the Committee, Rep. Pallone, agreed: “We should act on the American Data Privacy and Protection Act, comprehensive privacy legislation I authored with Chair Rodgers. This crucial legislation ensures that consumers—wherever they reside in this country—will have meaningful control over their personal information, while providing clear and consistent rules of the road on privacy and data security to innovators, entrepreneurs, and small tech companies.”

Lawmakers have just begun their legislative activities this year, but the moves towards privacy legislation look promising.  Stakeholders interested in weighing in on the potential bill would be wise to voice their opinions soon, as all signs point to this bipartisan opportunity being pursued in short order.

2022 was another year of high activity and significant developments in the realm of artificial intelligence (“AI”) and biometric privacy related matters, including in regard to issues arising under the Illinois Biometric Information Privacy Act (“BIPA”) and others.  This continues to be one of the most frequently litigated areas of privacy law, with several notable rulings and emerging patterns of new activity by the plaintiffs’ bar.  Following up on Privacy World’s Q2 and Q3 2022 Artificial Intelligence & Biometric Privacy Quarterly Newsletters, be sure to read on for a recap of key developments and insight as to where 2023 may be headed.

Continue Reading Privacy World 2022 Year in Review: Biometrics and AI

CPW’s Kristin Bryan joins two of Squire Patton Boggs’ policy experts – Beth Goldstein and Jeffrey Turner – to discuss one of the most critical pieces of privacy legislation in years, the American Data Privacy and Protection Act (ADPPA), for Lexology’s Masterclass series. This game-changing privacy legislation not only has potential far-reaching impact, but it could also be in effect within the next year. Join us for an insightful look at what this legislation means for businesses and consumers.

Wednesday, December 7, 2022

11 a.m. ET

More details and registration

Key topics:

  • Current policy and political landscape in Congress and in state capitals
  • Main provisions of the ADPPA
  • Recent state legislative developments driving Congressional action
  • Limitations on the Federal Trade Commission’s power to regulate privacy in the absence of federal legislation
  • Ongoing litigation and future risks
  • Sovereigns vs. corporate distinctions

We hope you can join us on December 7!

Several developments this week underscored the continued importance of a bill that has been introduced to implement uniform privacy federal privacy standards.

Continue Reading Passage of Federal Privacy Bill Remains Possible This Year, Remains a Continued Priority

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”  Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.