Biden targets "Big Tech" in 2023 State of the Union - will it stick this time?
A State of the Union address, in modern times, is not a stream of consciousness exercise. It has a detailed agenda behind it and will be fiercely debated. Privacy and tech legislation rarely make the cut. But this is the second year in a row that U.S. President Joe Biden has addressed privacy and tech legislation, and even on its own, that is worth noting. Is this the year that federal privacy legislation and antitrust reforms, specifically targeting tech companies, comes to fruition?
Last year, Francis Haugen, the Facebook whistleblower, sat in the gallery of the House of Representatives as President Biden set out his plans to “strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children” in his first State of the Union address. But, the three pieces of federal legislation aimed at accomplishing these plans - the American Innovation and Choice Online Act (AICOA), the Open App Markets Act (OAMA) and American Data Privacy Protection Act (ADPPA) - did not pass. The antitrust legislation died on the vine when Senate Majority leader Chuck Schumer, despite bipartisan support in committee, refused to bring the package to a vote, claiming that the votes were not there. The bipartisan ADPPA made it into committee but did not make it out of the previous, 117th, Congress.
This year, President Biden's refrain was “Let’s finish the job”. It’s not quite “yes we can”, but if you think you heard the distant sound of a starting gun for the upcoming presidential election being fired, your senses are probably not deceiving you.
On privacy, President Biden said, “We must finally hold social media companies accountable for the experiment they are running on our children for profit” and “it’s time to pass bipartisan legislation to stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.” On antitrust, he called on Congress to pass “bipartisan legislation to strengthen antitrust enforcement and prevent big online platforms from giving their own products an unfair advantage.”
Antitrust legislation may be the bigger challenge. Similar to its failure in the Senate last year, this year, it is unlikely to get through the House. The new head of the subcommittee on antitrust, Kentucky Republican Thomas Massie, appears unlikely to move any new antitrust bills forward.
Federal privacy legislation on targeted advertising, collecting data on children and online harms may have a better chance of making progress.
First, states are increasingly taking the law into their own hands. California, Utah, Colorado, Virginia and Connecticut have all enacted comprehensive privacy laws that have already come into effect or will come into effect in 2023. Meanwhile, other states such as Hawaii, Iowa, Indiana, Kentucky, Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Oklahoma, Oregon, Tennessee, Vermont and Washington all have bills introduced or in committee related to data privacy.
Second, a significant amount of work went into the ADPPA during the previous Congress. The ADPPA had bipartisan support, and passed out of the House Energy and Commerce Committee with 52-3 votes in favor. Polls suggest that voters strongly support federal privacy legislation.
Third, Artificial Intelligence will continue to make big strides in 2023. The salience and visibility of perceived threats to privacy with increasingly sophisticated and prevalent automated decision making, will continue to increase, which will, logically, increase the focus on data privacy and emerging technology regulations.
Fourth, the consumers may be reaching the end of their rope on the incessant breaches of their personal information. The Identity Theft Resource Center (ITRC) revealed that 2022 saw a "near record" number of data events in the U.S., "only 60 events short of 2021’s all-time high in compromises." 2021 saw 1,862 events, 2022 saw 1,806. The ITRC reported that the first half of 2022 saw a plateau of data events, with the previous upward trend returning in the second half of the year.
You can read a more detailed breakdown of what was in the draft ADPPA as released in June 2022 in our article US Lawmakers Release Draft of Comprehensive Federal Data Privacy Bill. The ADPPA was closely aligned with the European Union's General Data Protection Legislation. It also clarified that many state data protection laws would not be preempted, including facial recognition laws, Illinois's Biometric Information Privacy Act, the California Consumer Privacy Act's private right of action, civil rights laws, employee and student privacy protections, data breach notification laws, contract and tort laws, and others.
Could it all happen this year?
The ADPPA or a similar law is likely to be reintroduced in Congress. It is clearly a priority for the Biden administration based on his recent remarks, as he looks to be shifting into campaign mode. It would be a sea-change in terms of privacy protections in the U.S., including with respect to class actions. Any private right of action that accompanies a federal privacy law will likely spur a new wave of private enforcement efforts. The antitrust proposals will likely face a challenge, but again, the bipartisan support for action is unusual and notable.
The 118th Congress has already started trying to tackle these issues. The House Innovation, Data, and Commerce subcommittee has just considered three bipartisan bills focused on tech - the CAUTION Act of 2023, the Internet Application Integrity and Disclosure Act, and the Telling Everyone the Location of Data Leaving the U.S. Act. These bills focus on educating consumers, but lawmakers are continuing to call for more privacy legislation, including prohibiting applications such as TikTok due to national security concerns.
So what does this mean for you?
If you are leveraging tech or data (which is pretty much every company), it is important to monitor these developments closely and (1) consider them when designing, maintaining, or updating your data privacy compliance programs, (2) perform assessments on the potential impact of the proposed legislation on new technology initiatives (e.g., implementing more AI tools), and (3) consider the intent of the potential antirust legislation when developing marketing strategies for your own products or services. You can keep track of developments by signing up to our global tech policy horizon scanner newsletter.
Devika Kornbacher is a partner at Clifford Chance based in New York, and co-head of the firm's global Tech Group. Ricky Legg is an associate at Clifford Chance based in Washington and is part of the Tech // Digital team.