This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity. 

This quarter, Congress has continued to focus on the American Data Privacy Protection Act (“ADPPA”) (H.R. 8152), which would regulate the collection and use of personal information and includes specific requirements for AI systems.  Disagreements over the legislation’s preemption of state laws and creation of a private right of action continue to stall the its progress.  Separately, the Federal Trade Commission (“FTC”) announced an Advanced Notice of Proposed Rulemaking to solicit input on questions related to privacy and automated decision-making systems.  The notice cites to the FTC’s prior guidance related to IoT devices. 

Artificial Intelligence

Regulators and the White House have expressed increased interest in setting forth requirements and best practice expectations around the operation of AI systems.  For example, the FTC announced an Advanced Notice of Proposed Rulemaking in August that asks for comments on a number of topics related to automated decision-making systems.  In particular, the FTC is requesting comments on the prevalence of error in automated decision-making systems, discrimination based on protected categories facilitated by algorithmic decision-making systems (and whether the FTC should consider recognizing additional categories of protected classes), and how the FTC should address algorithmic discrimination that occurs through the use of proxies. 

In early October, the White House also released its Blueprint for an AI Bill of Rights.  Discussed in further detail here, the Blueprint outlines recommended best practices for entities using AI, which include measures to provide a safe and effective system, protections against algorithmic discrimination, attention to data privacy, notice and explanation, and the provision of human alternatives and consideration.

Congress continues to weigh into the discussion about regulation of AI systems.  The latest version of the ADPPA would require a covered entity or service provider who “knowingly develops” a covered algorithm that processes covered data “in furtherance of a consequential decision” must evaluate the design, structure, and inputs of the covered algorithm.  In addition, entities of a certain size, which the bill calls “large data holders,” must conduct an impact assessment that describes the design process and methodologies of the covered algorithm, an assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, and the steps the entity will take to mitigate the risk of harm.

Internet of Things

This quarter, federal lawmakers introduced and advanced several bills related to the Internet of Things (“IoT”), including two bills imposing requirements on manufacturers of devices with cameras or microphones.  One of these bills is the Earning Approval of Voice External Sound Databasing Retained on People (“EAVESDROP”) Act (H.R. 8543), introduced by Representative Steve Scalise (R-LA) in July.  The bill would require manufacturers of connected devices with microphones to provide notices to consumers regarding the devices’ collection of certain consumer information. Manufacturers would also have to provide an easy way for consumers to deactivate the ability of the device to collect information.  The EAVESDROP Act exempts devices solely marketed as microphones and provides a safe-harbor for manufacturers that comply with a set of self-regulatory guidelines to be developed by the FTC.  In contrast, the Informing Consumers about Smart Devices Act (H.R. 4081) would require manufacturers of connected devices equipped with a camera or microphone to disclose to consumers that a camera or microphone is part of the device, and would not apply to mobile phones, laptops, or other devices that consumers would reasonably expect to include a camera or microphone.  The Informing Consumers about Smart Devices Act is sponsored by Reps. John R. Curtis (R-UT) and Seth Moulton (D-MA) and was approved by the House of Representatives on September 29, 2022.

Additionally, on September 28, 2022, the Senate approved the Small Business Broadband and Emerging Information Technology Enhancement Act of 2022 (S. 3906).  As we noted in our Second Quarterly Legislative and Regulatory Update, this bipartisan bill, sponsored by Senators Jeanne Shaheen (D-NH) and John Kennedy (R-LA), aims to bolster IoT competencies at the Small Business Administration (“SBA”), including through the designation of a coordinator for emerging information technology (which includes IoT technology).

Federal regulatory efforts related to IoT this quarter largely centered on cybersecurity and consumer protections.  For instance, the National Institute of Standards and Technology (“NIST”) published the final version of its Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425), building on work undertaken pursuant to E.O. 14028.  The publication, which follows a public draft released in June 2022, describes NIST’s cybersecurity expectations for IoT products for home and personal use.  As we noted in our previous quarterly update, the NIST guidance is not legally binding, but it signals a best practice that may later be incorporated by lawmakers in legislation. 

NIST also published a report summarizing key takeaways from of its June 2022 IoT Cybersecurity workshop (NIST IR 8431), and a report with guidance for first responders on minimizing security vulnerabilities when using mobile and wearable devices (NIST IR 8235).  Other agency activities impacting IoT technology include the FTC’s publication of a business guidance blog post focused on the marketplace for sensitive consumer location and health information collected by connected devices, and highlighting FTC enforcement against misuse of consumer data and deceptive claims about data anonymization.  These developments signal a continued focus by federal regulators on IoT cybersecurity and the protection of consumer data collected by connected devices.

Connected and Autonomous Vehicles

On August 8, 2022, Reps. Debbie Dingell (D-MI) and Bob Latta (R-OH) launched the bipartisan Congressional Autonomous Vehicle Caucus.  The first of its kind, the purpose of this caucus is to educate Congressional Members and staff on autonomous vehicle technology that can improve the safety and accessibility of roadways.  Rep. Dingell stated that the caucus will help the United States stay at the “forefront of innovation, manufacturing, and safety” while “engaging all stakeholders, making bold investments, and working across the aisle to get the necessary policies right to support the safe deployment of autonomous vehicles.”  Industry should watch for developments here, as policy proposals and opportunities for engagement could be on the horizon.

Federal regulators remain active in this space, signaling an interest in funding and advancing the deployment of CAV technologies.  A recent stated priority for the Strengthening Mobility and Revolutionizing Transportation (“SMART”) Grants Program is to improve the integration of systems and promote connectivity of infrastructure, connected vehicles, pedestrians, and bicyclists, and the Department of Transportation (“DOT”) authorized and appropriated $100M for projects in this space for FY2022.  Additionally, the Federal Transit Administration (“FTA”) and DOT issued a Notice of Funding Opportunity to apply for funding for projects exploring the use of Advanced Driver Assistance Systems (“ADAS”) for transit buses to demonstrate transit bus automation technologies in real-world settings.  Finally, DOT issued a Request for Information seeking comments on the possibility of adapting existing and emerging automation technologies to accelerate the development of real-time roadway intersection safety and warning systems for drivers and vulnerable road users.

This quarter, the National Highway Traffic and Safety Administration (“NHTSA”) also released a final version of the Cybersecurity Best Practices for the Safety of Modern Vehicles guidance, an update to its 2016 edition.  While the edits were largely cosmetic, a few key changes potentially relevant to CAVs and in-vehicle software are below:

  • The final version clarifies that both suppliers and manufacturers should maintain a database of software components so that when vulnerabilities are identified in software, affected systems can be easily identified.
  • The final version adds a new best practice stating that manufacturers should employ measures to limit firmware version rollback attacks (i.e., when an attacker uses the software update mechanisms to place older, more vulnerable software on a targeted device).
  • The final version adds a new best practice stating that industry should collaborate to address “future risks” as they emerge.

Privacy and Cybersecurity

As described in further detail in our second quarterly update for 2022 and here, the ADPPA continues to be the prevailing data privacy framework in Congress.  The bill sets forth broad requirements around data collection and disclosures, though the likelihood of passage this Congress continues to decrease as lawmakers remain stalled over issues around preemption and a private right of action.  California’s principal privacy regulator – the California Privacy Protection Agency – convened a special meeting on July 28, 2022 to discuss the ADPPA and to express the Agency’s strong disagreement with the ADPPA’s preemption provision.

The FTC is also exploring privacy regulation, including through its Advanced Notice of Proposed Rulemaking, released in August.  Specifically, the notice broadly asks whether the agency “should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”  Notably, the FTC recently extended the deadline to receive comments on the notice to November 21, 2022.  Additionally, the FTC released its agenda for a workshop on children’s advertising that will be held on October 19, 2022, which will focus on whether children can distinguish ads from entertainment in digital media.

We will continue to update you on meaningful developments in these quarterly updates and across our blogs.

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Nicholas Xenakis Nicholas Xenakis

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal…

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal justice.

Nick joined the firm’s Public Policy practice after serving most recently as Chief Counsel for Senator Dianne Feinstein (C-DA) and Staff Director of the Senate Judiciary Committee’s Human Rights and the Law Subcommittee, where he was responsible for managing the subcommittee and Senator Feinstein’s Judiciary staff. He also advised the Senator on all nominations, legislation, and oversight matters before the committee.

Previously, Nick was the General Counsel for the Senate Judiciary Committee, where he managed committee staff and directed legislative and policy efforts on all issues in the Committee’s jurisdiction. He also participated in key judicial and Cabinet confirmations, including of an Attorney General and two Supreme Court Justices. Nick was also responsible for managing a broad range of committee equities in larger legislation, including appropriations, COVID-relief packages, and the National Defense Authorization Act.

Before his time on Capitol Hill, Nick served as an attorney with the Federal Public Defender’s Office for the Eastern District of Virginia. There he represented indigent clients charged with misdemeanor, felony, and capital offenses in federal court throughout all stages of litigation, including trial and appeal. He also coordinated district-wide habeas litigation following the Supreme Court’s decision in Johnson v. United States (invalidating the residual clause of the Armed Career Criminal Act).

Photo of Olivia Dworkin Olivia Dworkin

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance. With a focus on cutting-edge…

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance. With a focus on cutting-edge medical technologies and digital health products and services, Olivia regularly helps new and established companies navigate a variety of state and federal regulatory, legislative, and compliance matters throughout the total product lifecycle. She has experience counseling clients on the development, FDA regulatory classification, and commercialization of digital health tools, including clinical decision support software, mobile medical applications, general wellness products, medical device data systems, administrative support software, and products that incorporate artificial intelligence, machine learning, and other emerging technologies.

Olivia also assists clients in advocating for legislative and regulatory policies that will support innovation and the safe deployment of digital health tools, including by drafting comments on proposed legislation, frameworks, whitepapers, and guidance documents. Olivia keeps close to the evolving regulatory landscape and is a frequent contributor to Covington’s Digital Health blog. Her work also has been featured in the Journal of Robotics, Artificial Intelligence & Law, Law360, and the Michigan Journal of Law and Mobility.