The Role of Practitioners in Legislation and Regulation and a 2023 Outlook

By Brandon J. Pugh, Director, Cybersecurity and Emerging Threats, R Street Institute

As a cyber, privacy, or compliance professional, following the happenings in Washington D.C. or in state houses across the United States might be low on your priority list. However, this is exactly where legislative and regulatory developments that will impact your work and your company take place. These developments cover many areas, but one stands out: data privacy and security. This year is poised to be one of the most active on data privacy and security, and it is critical to not tune it out.

Reasons to pay attention. There are multiple reasons to not wait until a law or regulation is finalized before paying attention to it, or worse, until it is effective. By then, you have missed many opportunities. It is important to be proactive and plan ahead for new or changed requirements that might come about to avoid having insufficient time or resources to implement them. Many of these can have large impacts on your company, including changing internal processes or dealing with new compliance rules. Likewise, a regulation or law might not impact  your company, but it might be wise to still follow all or part of it. For example, following privacy practices, even if not mandated, can be a differentiator for your business and an important signal for consumers. Action in other jurisdictions can also signal what might come and allow for proactive measures.

In addition, the policymaking process too infrequently involves those directly impacted with subject matter expertise. From submitting comments during a rulemaking process to weighing in on proposed legislation, you have the unique ability to share your experience and offer a perspective that might otherwise not be heard. This could be done in conjunction with an internal governmental affairs team, or even individually.

Looking ahead. There are several actions to flag that might impact you in 2023 and provide an opportunity for you to engage with or prepare for.

Federal Legislative Developments. Despite attempts over the years, there is still no comprehensive data privacy and security law in the United States. Yet many countries have moved ahead, including the European Union with its General Data Protection Regulation (GDPR). A federal law could offer benefits to consumers by having rights and protections no matter what state they live in, to industry by having one framework to follow instead of a growing patchwork, and to security by establishing minimum security requirements and protections.

The introduction of and action around the American Data Privacy and Protection Act (ADPPA) in 2022 was the most Congress has gotten done on a comprehensive data and privacy law to-date. It ultimately did not pass, but it had overwhelming bipartisan support and made key progress. One outstanding area that impacts your work is the issue of preemption. Specifically, whether a federal law would override existing state laws to have one standard, or whether state laws could simultaneously stand. While a compromise for stronger preemption was achieved in the ADPPA, some stakeholders expressed a desire for the federal law to set a baseline standard to allow for potentially stricter state laws or exempt certain state laws fully.

President Biden recently called for action on privacy, and other leaders have as well, including Congresswoman Cathy McMorris Rodgers, the chairwoman of the House Energy and Commerce Committee. It is likely that there will be a renewed effort in 2023 to pass a bill like the ADPPA.

Federal Regulatory Developments. The Federal Trade Commission (FTC) began a rulemaking process in 2022 to regulate “commercial surveillance and data security.” There is still a long road ahead to finalize this, but new rules have the potential to reshape many areas without further congressional action, including in areas such as data security practices and advertising. There was already an opportunity to submit comments, and there will be another if this moves ahead.

Additionally, the National Telecommunications and Information Administration (NTIA) began a request for comment to address “issues at the intersection of privacy, equity, and civil rights.” The aim is to produce a report on how commercial data practices can lead to disparate impacts for marginalized or disadvantaged communities.

State Developments. Since the United States does not have a comprehensive federal privacy law, states have picked up the slack. In fact, at least 39 states have considered privacy laws since 2018, with 29 in 2022 alone. Five state-level frameworks begin or update this year: California and Virginia on January 1st, Colorado and Connecticut on July 1st, and Utah on December 31st.

The momentum on state laws is already continuing in 2023 with comprehensive legislation and more tailored bills like those that focus on kids’ privacy. There are key differences between these state laws, which makes compliance tricky.

Other areas. There are also additional matters with the potential to advance at the state and federal levels. These include action on more narrow privacy laws like those that impact children and updates to existing laws, changes to sectoral privacy laws like the financial sector’s Gramm-Leach-Bliley Act (GLBA), addressing specific types of data like biometrics, and changes to data breach and cyber incident reporting regulations and laws.

While legislative and regulatory work is likely not part of your job description, it will almost certainly impact you in some form. Keeping an eye on the broader landscape will allow both you and your company to be prepared for what is to come, or even be part of the solution.

Brandon J. Pugh is the director of the cybersecurity and emerging threats team at the R Street Institute, where he focuses heavily on data privacy and security.

Hot Topics

Related Articles