LAS VEGAS, January 12, 2024 – Industry stakeholders called for federal data privacy legislation at CES on Thursday.

“I think oftentimes companies can be in the position of opposing additional regulation at the federal level,” said Melanie Tiano, director of federal regulatory affairs at T-Mobile. “But this is probably one of those areas where that’s not the case, in part because of the flurry of activity going on at the state level, which makes compliance in the U.S. marketplace extraordinarily confusing and difficult.”

The New Jersey legislature cleared one such bill on Monday. If that’s signed into law by the state’s governor, it would bring the number up to 13. Federal efforts, notably the American Data Privacy and Protection Act, have stalled in recent years.

“We will continue to be seriously committed to getting legislation done in a bipartisan way. That’s not always easy right now, but we’re continuing to work on that” said Tim Kurth, chief counsel for the House Innovation, Data and Commerce Subcommittee.

Simone Hall Wood, privacy and public policy manager at Meta, said “privacy regulation should not inhibit beneficial uses of data.” The company has argued it has a legitimate interest in data use practices that the European Union has found to be out of compliance with its data privacy law, the GDPR.

Industry groups, including the Consumer Technology Association, which runs the CES conference, have advocated for a light-touch privacy law in the United States, in contrast with the more comprehensive European standard.

Kurth had similar thoughts Thursday, saying the GDPR “really hurt startups and really hurt innovations.”

Still, Woods said establishing a uniform standard is something the law does well.

“It sets certainty across the marketplace for what privacy protections look like for consumers. And so that aspect of it is positive,” she said.

LAS VEGAS, January 11, 2024 – The United States has entered an agreement with the European Union on a “joint roadmap” for standardized cybersecurity labels, a Biden Administration official announced at CES on Thursday.

“We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies. “They can sell in Paris, Texas, or Paris, France.”

Neuberger said the White House is aiming to get its U.S. Cyber Trust Mark, a voluntary certification for internet of things devices, on consumer products by the end of the year. The effort to mark products like routers, baby monitors, and thermostats as safe from hacking was first announced in October 2022.

The Federal Communications Commission voted in August to seek comment on how to implement various parts of the program, including how to develop and ensure compliance with its cybersecurity standards.

What exactly those standards will be is not yet decided, but the Commission has said it will base the program on criteria developed by the National Institute of Standards and Technology. Those  include encrypting both stored and communicated data and the ability to receive software updates.

The measure is not on the FCC’s tentative January meeting agenda, but Neuberger said the agency is “working toward next steps.”

LAS VEGAS, January 10, 2024 – Members of the telecom industry and the Federal Communications Commission emphasized the need for industry and government entities to collaborate in combating scam calls and texts at CES on Tuesday.

“Collaboration is key here,” said Amanda Potter, assistant vice president and senior legal counsel for AT&T.

Current measures

Alejandro Roark, chief of the FCC’s Consumer and Government Affairs Bureau, noted Federal Trade Commission data showing American consumers reported losing $790 million to scam calls and another $396 million to scam texts in 2022.

The Commission took action on preventing both in 2023, expanding its STIR/SHAKEN regime – a set of measures to confirm caller identities – to all providers who handle call traffic, moving to block call traffic from non compliant providers, and issuing multiple fines in the hundreds of millions. Almost every state has entered an agreement with the agency to collaborate on robocall investigations.

In addition, the FCC adopted its first robotext rules and moved to tighten those rules in December, closing the “lead generator loophole” by requiring affirmative consent for companies to send consumers marketing messages. Comments are being accepted on a proposal to institute a text authentication scheme.

For AT&T’s part, Potter said the company has instituted network filters to block messages that are likely to be illegal.

“We’re not going to claim success by any means, but when we have these robust network defenses, that does a lot,” she said, citing a total of 1 billion blocked texts on the company’s networks in July 2023.

AT&T also worked with manufacturers on features allowing consumers to report text as junk when deleting messages, which Potter said has provided extra data to tune spam filters.

What’s next

“We start from a standpoint of maximum flexibility when it comes to messaging,” Potter said, in contrast to voice calls, which are more tightly regulated and required FCC intervention for providers to block. 

“I’m concerned about that being taken away, or perhaps regulation being something of a distraction,” she said.

Roark agreed on flexibility being superior to regulation, although the Commission is moving forward with its proceeding on more expansive text authentication rules. The proposed rules include requiring more providers on the traffic chain to block texts from numbers flagged as scammers by the FCC and requiring measurers to verify the identity of texters, similar to the STIR/SHAKEN system for caller authentication.

The FCC is also taking comments on how AI factors into robocalls and robotexts, both how it’s used to perpetrate them and how the Commission might use AI tools to combat them.

At a House oversight hearing in November, FCC Chairwoman Jessica Rosenworcel asked Congress for the authority to collect the fines the Commission imposes – a job currently left to the DOJ – and access to more financial information to help the agency’s robocall prevention efforts.