This quarterly update summarizes key legislative and regulatory developments in the second quarter of 2023 related to key technologies and related topics, including Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), data privacy and cybersecurity, and online teen safety.
AI continued to be an area of significant interest of both lawmakers and regulators throughout the second quarter of 2023. Members of Congress continue to grapple with ways to address risks posed by AI and have held hearings, made public statements, and introduced legislation to regulate AI. Notably, Senator Chuck Schumer (D-NY) revealed his “SAFE Innovation framework” for AI legislation. The framework reflects five principles for AI – security, accountability, foundations, explainability, and innovation – and is summarized here. There were also a number of AI legislative proposals introduced this quarter. Some proposals, like the National AI Commission Act (H.R. 4223) and Digital Platform Commission Act (S. 1671), propose the creation of an agency or commission to review and regulate AI tools and systems. Other proposals focus on mandating disclosures of AI systems. For example, the AI Disclosure Act of 2023 (H.R. 3831) would require generative AI systems to include a specific disclaimer on any outputs generated, and the REAL Political Advertisements Act (S. 1596) would require political advertisements to include a statement within the contents of the advertisement if generative AI was used to generate any image or video footage. Additionally, Congress convened hearings to explore AI regulation this quarter, including a Senate Judiciary Committee Hearing in May titled “Oversight of A.I.: Rules for Artificial Intelligence.”
There also were several federal Executive Branch and regulatory developments focused on AI in the second quarter of 2023, including, for example:
- White House: The White House issued a number of updates on AI this quarter, including the Office of Science and Technology Policy’s strategic plan focused on federal AI research and development, discussed in greater detail here. The White House also requested comments on the use of automated tools in the workplace, including a request for feedback on tools to surveil, monitor, evaluate, and manage workers, described here.
- CFPB: The Consumer Financial Protection Bureau (“CFPB”) issued a spotlight on the adoption and use of chatbots by financial institutions.
- FTC: The Federal Trade Commission (“FTC”) continued to issue guidance on AI, such as guidance expressing the FTC’s view that dark patterns extend to AI, that generative AI poses competition concerns, and that tools claiming to spot AI-generated content must make accurate disclosures of their abilities and limitations.
- HHS Office of National Coordinator for Health IT: This quarter, the Department of Health and Human Services (“HHS”) released a proposed rule related to certified health IT that enables or interfaces with “predictive decision support interventions” (“DSIs”) that incorporate AI and machine learning technologies. The proposed rule would require the disclosure of certain information about predictive DSIs to enable users to evaluate DSI quality and whether and how to rely on the DSI recommendations, including a description of the development and validation of the DSI. Developers of certified health IT would also be required to implement risk management practices for predictive DSIs and make summary information about these practices publicly available.
Internet of Things
IoT developments in the second quarter of 2023 focused on children. For example, Representation Kathy Castor (D-FL-14) introduced the Kids PRIVACY Act (H.R. 2801), which would amend the Children’s Online Privacy Protection Act (“COPPA”) to update and expand its coverage to encompass internet connected devices, including by requiring that entities subject to COPPA maintain appropriate safeguards for internet connected devices.
Connected and Automated Vehicles
The National Highway Traffic Safety Administration (“NHTSA”) had a busy quarter. On April 6, 2023, NHTSA published a notice and request for comments on its intention to request approval from the Office of Management and Budget for an extension of its information collection efforts under its Automated Vehicle Transparency Engagement for Safe Testing (“AV TEST”) Initiative, which involves the voluntary collection of information from entities testing vehicles equipped with automated driving systems (“ADS”) and from states and local authorities involved in the regulation of ADS testing. The request is to extend information collection efforts under the AV TEST Initiative for three additional years (beginning from the date of approval). The comment period closed on June 5, 2023. Additionally, on June 13, 2023, NHTSA issued a notice of proposed rulemaking proposing to adopt a new Federal Motor Vehicle Safety Standard to require automatic emergency braking (“AEB”), including pedestrian AEB, systems on light vehicles. This proposal would require that AEB requirements be phased in within four years of publication of a final rule. Comments are due on or before August 14, 2023.
Also on June 13, NHTSA sent a letter to 22 automakers instructing them not to comply with a Right to Repair law recently enacted in Massachusetts, citing “significant safety concerns” such as vehicle crashes, injuries, or deaths. The law requires automakers to allow access to their vehicles’ data so owners can get their vehicles fixed by independent repairers (rather than dealership service centers) if they choose. The letter from NHTSA claims the Massachusetts law is in conflict with, and is therefore preempted by, the Motor Vehicle Safety Act. NHTSA alleges that “[o]pen access to vehicle manufacturers’ telematics offerings with the ability to remotely send commands allows for manipulation of systems on a vehicle, including safety-critical functions such as steering, acceleration or braking, as well as equipment required by Federal Motor Vehicle Safety Standards such as air bags and electronic stability control.”
There also were developments at the Federal Communications Commission (“FCC”) relating to Cellular Vehicle-to-Everything (“C-V2X”) technology. C-V2X technology is expected to increase safety and reduce traffic congestion by enabling vehicles to sense and communicate with each other and with other devices. In April, the FCC approved a joint waiver request that will allow certain entities to start deploying C-V2X technology.
Finally, building off of a 2022 Autonomous Vehicles Workshop, NIST announced that it will be holding a follow-on virtual workshop entitled “Standards and Performance Metrics for On-Road Automated Vehicles” from September 5-8, 2023. The purpose of this workshop is to update the CAV community on NIST’s recent work in the area, provide a forum to provide feedback, and set a path forward to ensure that NIST’s efforts in developing standards and performance metrics provide the greatest value to the community. Registration is free and now open.
Privacy & Cybersecurity
There continued to be minimal traction in Congress to advance a privacy framework in the second quarter of 2023. Despite various promises to reintroduce the American Data Privacy Protection Act (“ADPPA”), the ADPPA has yet to be reintroduced this Congress. Nevertheless, in late April, Representatives Anna Eshoo (D-CA-16) and Zoe Lofgren (D-CA-18) reintroduced the Online Privacy Act (H.R. 2701)—a comprehensive privacy bill that would create consumer rights, privacy notice requirements, information security requirements, and a digital privacy agency. Federal lawmakers continue to express interest in a children’s privacy framework, as Senator Ed Markey introduced (D-MA) the Children and Teens’ Online Privacy and Protection Act (“COPPA 2.0”) (S. 1418), though the bill has not advanced.
In contrast, there continued to be significant legislative focus on comprehensive privacy legislation at the state level. State legislatures have passed a number of comprehensive privacy frameworks this quarter, including in Oregon, Texas, Indiana, and Delaware. Washington and Nevada passed consumer health data privacy bills. Additionally, the Connecticut legislature passed amendments to the Connecticut Data Privacy Act, which add provisions related to health data and minors’ data.
Although Congress did not advance significant cybersecurity legislation this quarter, there was significant regulatory activity. The Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda, indicating that its previously-proposed cyber rules addressing disclosure requirements for incidents at publicly traded companies and registered investment advisors and funds may not be approved until October 2023. Additional detail on this update is available here. Additionally, the Cybersecurity and Infrastructure Security Agency released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers. The guidance was developed in coordination with the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.
Online Teen Safety
This quarter saw the introduction of a number of child and teen online safety bills at both the state and federal level. In particular, lawmakers focused on age verification, parental consent, and heightened obligations for social media platform with users under the age of 18. For example, in April 2023, Governor Huckabee Sanders (R-AR) signed into law the Social Media Safety Act. The bill’s passing made Arkansas the second state to enact broad restrictions on social media use of minors, following Utah’s passing of the Social Media Regulation Act in March 2023. The law, which takes effect on September 1, prohibits covered social media companies from permitting individuals under 18 from creating an account without the express consent of their parent or legal guardian and requires covered social media companies to verify the age of new users. In Congress, a bi-partisan coalition led by Senator Brian Schatz (D-HI), introduced the Protecting Kids on Social Media Act (S. 1291), which would require social media platforms to verify the age of their users, mandate parental consent for under 18 users, and prohibit the use of algorithmic recommendation systems on individuals under 18.