Welcome to State(s) of Play! Every two weeks, we publish a snapshot on what's moving at the U.S. state level when it comes to privacy bills, to help inform your own privacy project prioritization.

Federal Privacy Law Updates

US House subcommittee discusses national privacy law

On October 18, the US House Energy and Commerce Subcommittee on Innovation, Data, and Commerce held a hearing entitled, “Safeguarding Data and Innovation: Setting the Foundation for the use of Artificial Intelligence.” Witnesses included the Business Software Alliance CEO, Emerson Collective CTO, AI Now Institute, a SAG-AFTRA representative and a former chair of the FTC.

Discussion centered around the urgent need for a national privacy standard that includes data minimization and algorithmic accountability principles, and how such a standard would serve as the bedrock for any future AI regulation. Despite the rhetoric, it’s unlikely that Congress will move on any privacy legislation in the near-term. A full high-level summary of the hearing can be found here.

US senator probes 23andMe data breach

US Senator Bill Cassidy (R-LA) asked genealogy company 23andMe to provide details to the Senate Health Committee on how users’ personal information from its site allegedly ended up on the dark web. Data from approximately 5 million users was leaked over the past couple weeks.

FTC commissioner nominations approved by US senate committee

On October 18, the Senate Commerce Committee approved all three nominations for FTC Commissioners: Andrew Ferguson, Melissa Holyoak, and Rebecca Kelly Slaughter. The timing for a full vote by the Senate has yet to be announced. 

Federal agencies fall behind on achieving 2018 NIST privacy goals

In 2018, the National Institute of Standards and Technology (NIST) published a framework for how government agencies should incorporate privacy into their risk management tools. However, CyberScoop reports that several agencies including the State Department, NASA, the Department of Housing and Urban Development, the Interior Department and the Justice Department have still yet to meet these goals. 

Bloomberg reports on growing regulation and litigation regarding tracking pixels

On October 16, Bloomberg Law released this piece that provides a high-level summary of how companies are using tracking pixels and the wave of lawsuits and developing regulatory actions that are being taken in response to the software’s proliferation. The article touches on the FTC’s recent action against tax filing and health technology companies improperly using consumer data. 

COPPA serves as legal basis for Meta lawsuit

On October 24, a bipartisan group of 42 attorneys general sued Meta, saying that it collects children’s data in a way that violates the Children's Online Privacy Protection Act (COPPA), a federal privacy law. This serves as part of a broader legal complaint against the social media company that it purposefully builds addictive features into Facebook and Instagram.

Google releases legislative framework for ensuring childrens’ online safety

On October 17, Google released this document that outlines principles for policymakers and how to better protect childrens’ time spent online. Many of the proposals are founded on the premise of creating age-appropriate design features that are "designed with safety in mind.”

State Privacy Law Updates

New Hampshire

State lawmakers are preparing two privacy-related bills to be considered when the state legislature reconvenes in January. HB 314 and SB 255 are being debated in executive sessions over the coming weeks. SB 255 would give consumers rights over any data held by a business and allow the consumer to obtain a copy, correct inaccuracies, request that it be deleted, and more.

HB 314 bars governments from collecting personal information from third parties, with exceptions for information collected by state regulatory agencies; authorized warrants; emergencies with an immediate danger of death; and information given by individuals to governments for specific purposes. An official committee hearing on January 11 has been scheduled for HB 314.

DC Voter Roll Data Breach

On October 20, the District of Columbia Board of Elections issued a statement saying that a breach of Washington, DC voter data including Social Security numbers, drivers' license numbers or similar personally identifiable information may have been compromised. The local DC agency has hired a cybersecurity firm to look into the matter further.

California

On October 18, California Attorney General Rob Bonta announced that his office will appeal the US District Court for the Northern District of California’s interim injunction of the California Age-Appropriate Design Code Act, a first-in-the-nation children’s online safety law. The bill had been passed with bipartisan support and signed by Governor Newsom back in September 2022.

Utah

The Utah Department of Commerce’s Division of Consumer Protection initiated a public comment period for the Utah Social Media Regulation Act draft rules. The Act requires social media platforms to verify the ages of its users who have to obtain parental consent to use the service. There will be a public hearing on the draft rules on November 1 and the comment period will remain open until February 5, 2024.