Fighting for You: October 2022 Legislative and Regulatory Update - Articles

Articles

31Oct

Fighting for You: October 2022 Legislative and Regulatory Update

Consumer data privacy and security concerns, including progress towards a new trans-Atlantic data deal, a new law in California and proposed rules in California and at the FTC, were top of mind for the insights industry in October. In addition, concerns about draft U.S. Department of Labor regulations impacting research subjects’ status as independent contractors, and miscellaneous other new laws, remain salient.

Consumer privacy and data security

President Joe Biden signed an executive order on government surveillance that should pave the way to an an operable trans-Atlantic data transfer deal with the European Union (EU) by spring 2023. The prior deal, the U.S.-EU Privacy Shield, was struck down by a European court in March 2020 in the Schrems II case.

Insights and analytics companies that retained their self-certification, like through the Insights Association’s Privacy Shield program, should be able to transition quickly to the new data framework once it comes to fruition. The IA Privacy Shield Program is a benefit exclusive to company members and corporate research department members, since IA serves as an Independent Recourse Mechanism (IRM), a required component of the program.

As the Federal Trade Commission (FTC) charges ahead on extremely broad new privacy rules that could rope in most aspects of the insights industry’s work, the Insights Association joined nearly 20 other business groups asking for an additional two months to respond to the complicated proposal.

Meanwhile, Congressional Democrats urged the FTC to step up “efforts to implement strong privacy safeguards that effectively protect children and teens online, including fulfilling your obligation to update regulations under the Children’s Online Privacy Protection Act (COPPA).”

Elsewhere in Congress:

  • Kristen Gillibrand (D-NY) introduced the Data Protection Act, comprehensive privacy legislation that would create a new independent federal Data Protection Agency to regulate supposedly high-risk data practices and restrict the collection, processing and sharing of personal data.
  • Elizabeth Warren (D-MA) introduced the Health and Location Data Protection Act, legislation that would prohibit many (or even most) insights companies and organizations from selling, sharing, or transferring any health or location data.
  • The My Body, My Data Act would prohibit most collection and maintenance of personal information broadly related to reproductive or sexual health by entities outside of the HIPAA-regulated space. It would be enforced by the FTC and by private lawsuits.
  • The Protecting Consumer Information Act would require a reconsideration of financial privacy standards under the Gramm Leach Bliley Act.
  • Three bills from Rep. Stephen Lynch (D-MA) would further restrict financial privacy and data security and possibly newly cover a lot of insights companies under the Gramm Leach Bliley Act.

Artificial intelligence regulation has also been on the federal menu:

  • The Biden Administration released a “Blueprint for an AI Bill of Rights,” identifying “five principles that should guide the design, use, and deployment of automated systems to protect the American public in the age of artificial intelligence.” It shows where the feds are heading on a variety of regulatory areas impacting the insights industry.
  • A new Information Technology Industry Council (ITIC) report offered recommendations “on facilitating public trust in and understanding of” artificial intelligence (AI) systems.

At the state level:

  • Pennsylvania is considering the Data Broker Registration System Act, which would require data brokers to register and report details of their operations.
  • Out in the Golden State, a new draft of rules implementing the California Privacy Rights Act (CPRA) were just released. While the California Privacy Protection Agency blew past the legal July 1, 2022, deadline, it still hopes to have rules finalized by the time CPRA comes into effect on January 1, 2023.
  • Finally, the California Age-Appropriate Design Code Act, a new law in California, restricts the creation of goods, services, or product features likely to be accessed by anyone under 18 and restrict the collection or use of their data. It goes well beyond the federal Children’s Online Privacy Protection Act (COPPA) in definitions, scope, and application.

Research subjects = independent contractors

The U.S. Department of Labor, having yanked a Trump Administration regulation of independent contractors in early 2021, has come up with their own rules that would make it more likely for more people to be classified as employees instead, including research subjects receiving participant incentives.

Labor law treatment of independent contractor status is an issue of prime importance in the use of incentives for research subjects in the insights industry, as demonstrated in California in 2020-21 (until the Insights Association succeeded in fixing a state law that had required minimum wage for research subjects).

Miscellaneous new laws

Your support makes all the difference

As the general election nears, the Insights Association is still meeting with policymakers (and candidates) to advocate for the insights industry on these and other important public policy issues across the U.S. This would NOT be possible without YOUR membership and sponsorship!

We are always available to answer your questions on these and other legislative/regulatory/legal issues. Please stay in contact.

Finally, IA company/department members are welcome at our next General Counsel and Privacy Officer Forum on November 4, for candid discussion with peers and experts of legal, privacy, data security and compliance issues facing your insights organization. Participation in these off-the-record forums is a complimentary privilege exclusive to company and department members of IA.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.

About the Author

Howard Fienberg

Howard Fienberg

Based in Washington, DC, Howard is the Insights Association's lobbyist for the marketing research and data analytics industry, focusing primarily on consumer privacy and data security, the Telephone Consumer Protection Act (TCPA), tort reform, and the funding and integrity of the decennial Census and the American Community Survey (ACS). Howard has more than two decades of public policy experience. Before the Insights Association, he worked in Congress as senior legislative staffer for then-Representatives Christopher Cox (CA-48) and Cliff Stearns (FL-06). He also served more than four years with a science policy think tank, working to improve the understanding of scientific and social research and methodology among journalists and policymakers. Howard is also co-director of The Census Project, a 900+ member coalition in support of a fair and accurate Census and ACS. He has also served previously on the Board of Directors for the National Institute for Lobbying and Ethics and and the Association of Government Relations Professionals. Howard has an MA International Relations from the University of Essex in England and a BA Honors Political Studies from Trent University in Canada, and has obtained the Certified Association Executive (CAE), Professional Lobbying Certificate (PLC) and the Public Policy Certificate (PPC). When not running advocacy for the Insights Association, Howard enjoys hockey, NFL football, sci-fi and horror movies, playing with his dog, and spending time with family and friends.

Related

New York Child Data Protection Act is Taking Effect

New York Child Data Protection Act is Taking Effect

The New York Child Data Protection Act (NYCDPA), which would restrict the collection, use and sharin...

Read More >
Oregon Privacy Enforcement and Compliance Review

Oregon Privacy Enforcement and Compliance Review

The Oregon Attorney General (AG) released a report on enforcement of the state’s comprehensive priv...

Read More >
KOSA 2025 - Kids Online Safety Act - S. 1748

KOSA 2025 - Kids Online Safety Act - S. 1748

The Kids Online Safety Act (KOSA) (S.1748), which would restrict the design and operations of many f...

Read More >
Latest General Data Protection Regulation Enforcement Action: GDPR Compliance Tips for the Insights Industry

Latest General Data Protection Regulation Enforcement Action: GDPR Compliance Tips for the Insights Industry

In May 2025, the Romanian data protection authority, ANSPDCP, published a General Data Protection Re...

Read More >
Minnesota Consumer Data Privacy Act Now Law

Minnesota Consumer Data Privacy Act Now Law

A new comprehensive privacy law in Minnesota takes effect on July 31, 2025, covering for-profit comp...

Read More >
California Location Privacy Act Would Have Prohibited Location Data Sales - A.B. 1355

California Location Privacy Act Would Have Prohibited Location Data Sales - A.B. 1355

Recently defeated legislation would have set up another privacy regime in California specific to loc...

Read More >
Members only Article - Please login to view