Welcome to State(s) of Play! Every two weeks, we publish a snapshot on what's moving in the U.S. at the state and federal level when it comes to privacy legislation—giving you insight on what's coming down the pipe to help inform your own privacy project prioritization.

CPPA December Board Meeting

On December 8, the California Privacy Protection Agency (CPPA) held a public board meeting which covered a wide range of topics and lasted nearly the entire day. The board considered updates to the California Consumer Privacy Act (CCPA) including increasing the applicability thresholds and potential fines, while also updating provisions on dark patterns and obligations regarding data subject rights.

Most notably, the board voted to advance a legislative proposal to require browser vendors to include a feature that allows users to exercise their rights through opt-out preference signals.The board also published proposed rules for its data broker registry under the Delete Act. 

On the subject of ADMT and risk assessments, the board decided that the draft regulations were not ready for formal rulemaking. The board directed staff to revise the subcommittee drafts and come back during the next meeting with revised versions to consider.

Most of the board's concern and focus dealt with the scope of ADMT and the opt out right. Some board members thought the definitions were overly broad and presented the technology in too negative of a light. They went on to say that the proposed regs could burden the industry with unnecessary impact assessments, which could inadvertently harm small businesses with limited resources.

Additional conversation was held on ADMT in the employment context and behavioral advertising. The CPPA hasn’t provided notice of when it will hold its next board meeting, but it will likely be in late January or early February.

Federal Privacy Law Updates

HHS Continues Focus on Enhancing Healthcare Cybersecurity

The Department of Health and Human Services (HHS) called for hospitals to meet voluntary cybersecurity goals and to work with Congress to develop incentives for hospitals to improve their security in a new concept paper. The agency said it saw a 93% increase in large breaches from 2018-2022, leading to care disruptions and delayed medical procedures, which put patients at risk.

Adtech Industry Group Focuses on Privacy Compliance Measures

The American Advertising Federation announced it has joined the "Responsible Privacy in Advertising Initiative." The strategy, led by the Association of National Advertisers and the American Association of Advertising Agencies, aims to develop "guidance and tools to drive compliance with data privacy laws and industry standards."

Federal Legislation Introduced to Ban TSA Use of Facial Recognition

On November 29, Senators Jeff Merkely (D-OR) and John Kennedy (R-LA) introduced the Travelers’ Privacy Protection Act, a bill that if passed would repeal the authorization of the Transportation Security Administration (TSA) to use facial recognition screening at airports. The proposed bill would require the agency to receive congressional authorization to use the technology in the future and would also require the TSA to dispose of the facial biometrics.

Senator Wyden Claims Citizens are Being Monitored through Push Notifications

US Senator Ron Wyden (D-OR) issued a letter to the Department of Justice claiming that unspecified foreign governments are able to monitor citizens through push notifications on their mobile devices. Apple responded by saying that they are currently restricted by the US federal government to disclose how push notification data is processed. 

FISA Section 702 Temporary Extension Agreement is Reached

As part of the negotiations over the defense spending bill, federal lawmakers have reached a potential agreement regarding the extension of the Foreign Intelligence Surveillance Act (FISA) through April of 2024. There has been much debate over Section 702, which is the method US intelligence agencies use to review data from phones, emails and other messages of foreign people abroad. Text of the extension needs to be finalized and agreed upon by both chambers, which is likely to take place at some point this week before Congress adjourns for the holidays.

FCC Privacy and Data Protection Task Force Partners with Four States

On December 6, the Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel issued a press release announcing that the agency’s Privacy and Data Protection Task Force has signed MOU’s with Connecticut, Illinois, New York and Pennsylvania Attorneys General “to share expertise, resources, and coordinated efforts in conducting privacy, data protection, and cybersecurity-related investigations to protect consumers.” Since the Task Force was created in June 2023, this is another sign that the agency is taking an assertive approach to matters related to privacy and data security.

US Senator Markey Questions US Automakers’ Privacy Practices 

US Senator Ed Markey (D-MA) sent official letters to 14 automakers questioning the companies' privacy notices. The letters asked automakers how consumer data is processed and if any data obtained by vehicles has been shared with law enforcement. Markey said consumers "should not be subject to a massive data collection apparatus" and vehicles "should not - and cannot - become yet another venue where privacy takes a backseat."

Senators Criticize Meta over Alleged Childrens’ Privacy Violations

US Senators. Ed Markey (D-MA) and Bill Cassidy (R-LA) sent a letter to Meta CEO Mark Zuckerberg stating if allegations the company collected personal data from users under age 13 are proven to be correct then it would show "callous disregard" for the Children's Online Privacy Protection Act (COPPA).