State(s) of Play — Nov 15, 2023

Welcome to State(s) of Play! Every two weeks, we publish a snapshot on what's moving in the U.S. at the state and federal level when it comes to privacy legislation—giving you insight on what's coming down the pipe to help inform your own privacy project prioritization.

State Privacy Law Updates

Pennsylvania Privacy Bill

Pennsylvania is inching forward on enacting a statewide privacy law. On Wednesday, November 15, the House Commerce Committee will be holding a committee hearing, where a vote is likely to take place on HB 1201, The Consumer Data Privacy Act. If the bill is passed out of committee, the bill still resides in its originating chamber, so many hurdles will remain, including a full vote on the House floor.

The bill would require businesses in the Commonwealth to create a path for consumers to opt out of having some of their data processed. PA residents would also have the option to delete the personal data collected by a business and make complaints to the Attorney General, who is tasked with enforcement of the law. We’ll continue to monitor its progress and provide updates on the timing of when this could be brought to the full House floor.

December CPPA Board Meeting

The California Privacy Protection Agency (CPPA) announced the agenda of its next public meeting which will be held on December 8. The board will be providing updates on draft CPRA regulations pertaining to automated decision-making, risk assessments, and cybersecurity audits. The board is also slated to implement data broker registration fees pursuant to the recently passed DELETE Act. We’ll provide a recap of what's discussed and what to expect moving forward.

Federal Privacy Law Updates

US House Members Continue to Link AI and Privacy Legislation

On November 6, House Energy & Commerce Chair Cathy McMorris Rodgers (R-WA) and Rep. Jay Obernolte (R-CA) issued a joint op-ed in Bloomberg Law calling for the enactment of a federal privacy standard. The two lawmakers join a growing group of legislators that are linking privacy standards with AI regulations, calling a national privacy law "a critical first step toward achieving AI leadership" as "comprehensive protections on the collection, processing, transfer, and storage of our data" can be "foundational" for AI rules.

Sen. Schumer’s AI Insights Forum Focuses on Privacy

On November 8, Sen. Schumer continued with his series of AI Insights Forums, a bipartisan group of government, industry, non-profit and academia stakeholders focused on devising a roadmap for Congressional action and consensus on AI. The latest session’s focus was on how we should consider the collection, use, and retention of data, and on the liability front, the discussion will center on when AI companies may be liable for harms caused by their technologies. A full list of speakers and their statements can be found here.

Advertising Coalition Opposed to CFPB Financial Privacy Rulemaking

An advertising industry coalition, Privacy for America, noted its opposition by filing public comments to a Consumer Financial Protection Bureau rulemaking that could restrict data brokers' ability to sell certain types of financial information about consumers for ad targeting purposes.

Specifically, their concern is around a portion of the rulemaking that would “severely hinder small and start-up businesses’ ability to find new customers, diminish and damage market efficiencies that exist today, and harm consumers by causing prices to rise.” Members of the group include the American Association of Advertising Agencies, Association of National Advertisers, Digital Advertising Alliance, Interactive Advertising Bureau and Network Advertising Initiative.

FTC to Discuss Voice Cloning and Cloud Computing

The FTC released an agenda for its upcoming November 16 public meeting. The agency said it would be discussing how to protect consumers from AI-enabled voice cloning harms, such as fraud and the broader misuse of biometric data. The commission will consider public comments regarding its request for information on cloud-computing practices.