Could Congress pass comprehensive federal data privacy legislation in 2023? If not, could another government agency step into the breach?

Experts believe there are several possibilities.

At the federal level, the regulation most likely to be enacted in 2023 with an impact on data privacy won’t come from Congress or the Federal Trade Commission (FTC) but could instead be contained within a cybersecurity rule under consideration by the Securities and Exchange Commission (SEC), said Vivek Mohan, partner at Gibson Dunn and former senior global privacy law and policy attorney at Apple.

“With the gridlock in Congress, I don’t see a change in circumstances” that would lead to passage of a federal data privacy law, he said.

The SEC’s proposed cybersecurity rule would require companies to report material cybersecurity incidents no later than four business days after they occur, including information about whether any data was stolen, steps taken to remediate the incident, and how operations were affected.

“There is always an overlap between privacy and cybersecurity,” Mohan said.

The rule would require public companies to disclose cybersecurity procedures in the event of a data breach, including whether the breach exposed cracks in the company’s risk management practices. Companies would be mandated to describe activities undertaken to “prevent, detect, and minimize effects of cybersecurity incidents”; policies and procedures for preventing data breaches; and management’s oversight of such procedures.

The rule is expected to be finalized by the SEC later this year.

What about Congress?

There is a chance, of course, a split Congress will agree on a bipartisan data privacy bill in 2023.

In his State of the Union speech delivered Feb. 7, President Joe Biden encouraged lawmakers to do so, saying, “[I]t’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.”

Data privacy legislation in Congress advanced further in 2022 than ever before. The American Data Privacy and Protection Act (ADPPA) was reported out of the House Committee on Energy and Commerce but never taken up for a vote by the full chamber. The bipartisan bill proposed requiring businesses to limit their collection of personal data and implement certain security practices, in addition to providing consumers the right to access, correct, and delete personal data and opt out of targeted advertising.

“There does seem to be some momentum to get something done,” said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals. “Many in Congress want to build on the hard work they already put into the ADPPA.”

Congress’s inability to come to a consensus on a national data breach notification standard shows it is unlikely lawmakers will find agreement on the much more complicated topic of comprehensive data privacy legislation, Mohan said.

One new political argument by Republicans in favor of passing privacy legislation has been closing the competitive gap between the United States and other regions, namely China and the European Union, that already have such laws in place.

“With a split Congress, it is going to be difficult to pass anything. But there are rays of hope,” Zweifel-Keegan said. “The avalanche of bills at the state level will continue putting pressure on Congress to act, especially if they start to diverge.”

On Jan. 1, the California Privacy Rights Act took effect, which added further consumer privacy rights to the existing California Consumer Privacy Act and established the country’s first state data privacy regulator: the California Privacy Protection Agency. Virginia’s privacy law was also enacted Jan. 1 and will soon be followed by new laws in Colorado (July 1), Connecticut (July 1), and Utah (Dec. 31).

Disagreements over two provisions have largely doomed attempts at federal data privacy legislation so far: preemption of state data privacy laws, a provision favored by many Republicans, and the right to private action, which is favored by some Democrats. States like California are likely to strongly oppose a federal law that provides fewer consumer protections than their own law. And Republicans and the business community remain adamant that allowing consumers to sue in federal court will hurt businesses large and small.

In lieu of a standalone bill, Congress could insert data privacy legislation within a larger bill, like the defense spending bill.

FTC to the rescue?

In August, the FTC issued an advance notice of proposed rulemaking seeking to penalize companies that suffer data breaches because of lax cybersecurity protocols and punish firms that engage in abusive commercial surveillance practices.

The FTC said the biggest harm is from companies that collect personal data from their customers, which can include user geolocation or facial recognition images, dates of birth, Social Security numbers, and buying patterns, and leave it vulnerable to theft by hackers.

Christopher Leach, partner at Mayer Brown and a former attorney in the FTC’s Division of Financial Practices, noted the agency is “still a ways away from a rule.” Even once a rule is proposed, the process would likely last until the 2024 presidential election, he said.

“This process they’ve chosen goes well beyond the notice and comment rulemaking at other agencies,” he said. “They don’t have a concrete idea of everything they want to do. … They have to prioritize what it is they want to do.”

If Congress does pass a comprehensive data privacy law in 2023, it could give some rulemaking authority to the FTC. That would refocus the agency’s attention on the topic.