Last week, Chairwoman Jessica Rosenworcel of the Federal Communications Commission (FCC) announced that she expects to circulate a proposal shortly that will authorize the FCC and/or certain national security agencies to periodically evaluate the foreign ownership of FCC licensees in light of national security considerations.  She made this announcement in a speech that focused on security at the Center for Strategic and International Studies in Washington, D.C. 

Today, the FCC and a group of national security agencies review the foreign ownership of FCC licensees only when licenses are first sought, or when transfers of control or assignments of those licenses are proposed.  The perceived shortcomings of this approach arose recently in connection with the FCC’s review of certain China state-owned enterprise Section 214 licensees.  That review, which was initiated in 2019, ultimately resulted in the revocation of those licenses.  But, notably, most of the licensees involved in that action did not have a license transaction or application pending before the agency, and the FCC lacked clear procedures for evaluating foreign ownership and national security considerations outside of those contexts.  Chairwoman Rosenworcel’s proposal presumably is intended to address this.

What Chairwoman Rosenworcel will propose is notable because it could affect an existing licensee’s ability to bring on foreign investors that do not otherwise trigger a transfer of control.  It also could subject licensees to evolving thinking by national security agencies about which foreign owners and investors will trigger national security concerns – thinking that the agencies presumably will be able to act on more quickly under new rules. 

Although Chairwoman Rosenworcel made her proposal in the context of Section 214 licensees, it is not clear whether her proposal will be limited to on these types of licensees or whether it will extend to other types of licensees, too, such as wireless and subsea cable licensees.  It also is not clear whether the proposal will be in the form of a Notice of Proposed Rulemaking or Notice of Inquiry, which could affect the timing of any new rules.

This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.

Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Fourth Quarter 2022

Kathi Vidal was sworn in as the Under Secretary of Commerce for Intellectual Property and Director of the United States Patent and Trademark Office (“USPTO”) on April 13, 2022. In the months since then, she has begun to make a significant mark on the agency, particularly at the Patent Trial and Appeal Board (“PTAB”). Highlights of some of the most significant changes under Director Vidal’s leadership include: 

  1. Director review.

The USPTO put in place a relatively new program called “Director review” shortly after the Supreme Court issued its decision in United States v. Arthrex, Inc., 141 S. Ct. 1970 (2021). Arthrex held that the Director must have the authority to review final written decisions in PTAB trials to ensure that PTAB judges did not have more authority than the Constitution permits, based on how PTAB judges are appointed. Under the Director review program, a dissatisfied party in a PTAB trial may request Director review of the final written decision in the trial. The Director may also decide to review any PTAB decision herself, even without a request from a party.

Drew Hirshfeld, then-Commissioner for Patents, was performing the functions and duties of the Director when the USPTO put the Director review program in place, so he issued the first Director review decisions. (The Federal Circuit has twice determined that he appropriately exercised that power as delegated to him, even though his appointment was similar to that of PTAB judges.) Director Vidal has used the process much more aggressively, though, using it to implement her policy preferences. Her Director review matters include:

  • OpenSky Industries, LLC v. VLSI Technology LLC, No. IPR2021-01064, and Patent Quality Assurance, LLC v. VLSI Technology LLC, No. IPR2021-01229. In these controversial cases, the Director has repeatedly granted Director review to evaluate the proceedings and to consider, and then to award, sanctions against petitioners OpenSky and Patent Quality Assurance (“PQA”).
  • VLSI sued Intel in the U.S. District Court for the Western District of Texas for patent infringement of two patents, and Intel responded by filing petitions for inter partes review (“IPR”) of those patents with the PTAB. The PTAB denied those petitions under the Board’s Fintiv doctrine, which permits the PTAB to deny petitions where the record indicates that a district court may reach a decision before the PTAB (more on the Fintiv doctrine below). The district court case went to trial, and the jury awarded VLSI $2.175 billion in damages.
  • Shortly after the jury verdict, OpenSky and PQA filed petitions for IPR challenging VLSI’s patents. The petitions were nearly identical to Intel’s petitions, and they relied on the same expert declarations. Because OpenSky and PQA had not been sued for infringement of the patents, the Fintiv doctrine did not bar their institution, and the PTAB determined that at least one petition challenging each patent satisfied the standard for granting institution of an IPR.
  • Both OpenSky and PQA appear to have engaged in discussions with VLSI and/or Intel seeking compensation in association with the pending IPRs. When this came to light, Senators Tillis and Hirono sent a letter to the Director alleging that the petitions were abusive. The Director agreed to review the institution decisions and ordered discovery from OpenSky and PQA about the allegations. Meanwhile, Intel filed its own IPR petitions (again), along with a motion to join the instituted proceedings, and the PTAB joined Intel to the pending proceedings.
  • On December 22, 2022, the Director issued decisions sanctioning both OpenSky and PQA for abusing the IPR system. She terminated both OpenSky and PQA from the IPRs, but she determined that the petitions presented “compelling merits” and therefore permitted Intel to remain as a petitioner in the IPRs. She ordered PQA to show cause as to why it should not have to pay monetary sanctions, and she left open the possibility of further sanctions against OpenSky. She also ordered VLSI to show cause as to why it should not be sanctioned for making misrepresentations of fact and law in support of its attempt to have Intel terminated from the OpenSky proceeding. The IPR proceedings, which had been stayed, will continue to final written decisions, likely with further review at that point.
  • Code 200, UAB v. Bright Data Ltd., Nos. IPR2022-00861, -00862. In another significant case, the Director overturned PTAB decisions denying institution of and joinder to IPRs where the petitioner had, like Intel, had previous petitions denied under the Fintiv doctrine. The Director focused on the Board’s mission to improve patent quality and concluded that the mission outweighed concerns about agency resources and fairness to patent owners, the latter of which had been the focus of former Director Iancu.
  • Nested Bean, Inc. v. Big Beings USA Pty Ltd., No. IPR2020-01234. The Director granted Director review in this case to resolve a question of first impression. Nested Bean filed a petition challenging claims 1-16 of Big Beings’ patent. The patent includes two independent claims (claims 1 and 2) and 14 multiple dependent claims (claims 3-16) that depend from either claim 1 or claim 2. The PTAB determined that Nested Bean had not proven claim 1 unpatentable, but that it had proven claim 2 unpatentable. The PTAB concluded that claims 3-16 were unpatentable because they depended from an unpatentable claim, even though they also depended from a patentable claim. The Director granted Director review to resolve whether such dependent claims should be patentable or unpatentable.
  • Boehringer Ingleheim Animal Health USA Inc. v. Kansas State University Research Foundation, No. PGR2022-00021. The Director granted Director review of this decision denying institution of a post-grant review (“PGR”) “because this case raises issues of particular importance to the Office and the patent community.” The PTAB denied the petition largely under 35 U.S.C. § 325(d), which permits the USPTO to deny a petition where “the same or substantially the same prior art or arguments previously were presented to the Office.” The petition challenged the patent on written description and enablement grounds under 35 U.S.C. § 112, as well as obviousness grounds under 35 U.S.C. § 103. The PTAB determined that the Examiner had made written description rejections during prosecution, but had not rejected the allowed claims. The PTAB also determined that the enablement ground was “largely redundant to” the written description ground. Therefore, the PTAB chose to use its discretion not to institute on those particular grounds. Finally, the PTAB determined that the obviousness ground did not meet the standard for institution of a PGR. The Director will address the merits of these determinations in the coming weeks.
  • NXP USA, Inc. v. Impinj, Inc., No. IPR2021-01566. The PTAB had denied institution of the IPR based on the Fintiv doctrine. After the denial, petitioner had offered a stipulation not to raise certain arguments in the district court if the PTAB granted institution of the IPR, which is a consideration in the Fintiv analysis. The PTAB panel determined that the offer of a stipulation had come too late  ̶  it must be offered before the decision on institution. The Director granted Director review to affirm that decision and make it precedent binding on the PTAB.

Director Vidal’s aggressive use of Director review may not continue, however. She has expressed interest in finding new avenues to address PTAB decisions that do not require her personal involvement, indicating that her current approach may not be “sustainable” in the long term. The USPTO is expected to engage in rulemaking to establish future review processes, including Director review.

2. Guidance memoranda.

Director Vidal has also used guidance memoranda to undo (at least in part) measures put in place by her predecessor, Director Iancu. These memoranda set forth policy positions that are binding on PTAB panels, much like precedential decisions, although they tend to be more broadly focused on policy instead of the facts of a particular case.

  • Fintiv. Director Iancu’s most controversial act was designating as precedential the PTAB decision setting forth factors for the PTAB to consider before instituting an IPR or PGR when proceedings in other tribunals were scheduled to reach a result before the PTAB final written decision. Director Iancu reasoned that Congress intended IPR and PGR proceedings to be a faster, less expensive alternative to litigation in district courts and the International Trade Commission (“ITC”). Thus, Congress’s goal would not be reached if the other tribunal would reach a result before the PTAB.
  • Many disagreed with this reasoning, and several lawsuits were filed challenging the Fintiv doctrine. Shortly after assuming her new role, Director Vidal issued a memorandum reining in the doctrine, with four main features:
  • Regardless of the timing of the parallel litigation, the PTAB will institute an IPR or PGR where the petitioner presents “compelling evidence of unpatentability,” or what the Director has later referred to as “compelling merits.” This is a higher standard than the standard for institution of an IPR or PGR, but if the petitioner can satisfy it, the PTAB will go forward to address apparently strong arguments of unpatentability, in support of its role of ensuring patent quality.
  • The PTAB will no longer consider ITC proceedings under the Fintiv doctrine. ITC decisions regarding patent validity have no preclusive effect on the PTAB or district courts, while PTAB decisions regarding unpatentability result in canceling claims from the patent, so the PTAB will proceed to address patentability even if the ITC does so at the same time.
  • A stipulation by the petitioner that it will not challenge the patent using the same grounds raised in the IPR or PGR petition, or those that it could reasonably have raised in the petition, will avoid the Fintiv analysis completely. This is a so-called Sotera stipulation, based on the PTAB’s precedential decision holding that such a stipulation is an important factor in the Fintiv analysis. The memorandum makes it dispositive.
  • The PTAB will consider evidence beyond a district court’s scheduling order when determining whether the district court will reach a decision before the PTAB. Many criticized Fintiv for relying on trial dates set in a scheduling order, when such dates frequently are not met (including in the Fintiv case itself). Therefore, Director Vidal indicated that the PTAB should consider the median time-to-trial in the district, rather than just a date set in a scheduling order.
  • Applicant-admitted Prior Art (“AAPA”). Director Iancu issued guidance limiting the PTAB’s ability to rely on AAPA in IPRs in August of 2020, based on the statute’s requirement that an IPR petition be based “only on the basis of prior art consisting of patents or printed publications.” Qualcomm challenged the PTAB’s (pre-Iancu guidance) reliance on AAPA in a final written decision that it appealed to the Federal Circuit, and the Federal Circuit remanded the case for reconsideration of its approach to AAPA.
  • After the remand, Director Vidal issued a memorandum superseding Director Iancu’s guidance. In the guidance, she explained that AAPA must be used in conjunction with other prior art consisting of patents or printed publications, but she expressed her view that AAPA can otherwise be widely used:
  • It can be used to supply missing claim limitations.
  • It can be used to support a motivation to combine.
  • It can be used to demonstrate the knowledge of a person of ordinary skill in the art.

After this guidance, petitioners will have broad authority to use AAPA in support of their petitions.

3. Federal Register notices.

Director Vidal has issued two Federal Register notices, and she has indicated that she intends to engage in rulemaking in several areas. She has been slower than Director Iancu in the rulemaking process, as he rapidly changed the PTAB’s claim construction standard from the “broadest reasonable interpretation” standard to the standard used by district courts, but that seems ripe for change. Director Vidal has issued two Requests for Comments in the Federal Register:

  • PTAB Review Processes. Director Vidal asked for comments on the interim Director review process, the existing Precedential Opinion Panel (“POP”) process under the PTAB’s Standard Operating Procedure 2, and the PTAB’s processes regarding internal circulation and review of draft decisions. The last has been called into question by the Government Accountability Office (“GAO”), which has issued reports indicating that PTAB judges feel pressure from their supervisors to revise their decisions. The PTAB has announced certain changes to the internal review process, and the USPTO has indicated that it is reconsidering its interim approach to Director review and the necessity for the POP.
  • Robustness and Reliability of Patent Rights. The USPTO has received inquiries from the President and Members of Congress regarding patents covering pharmaceutical products. In response, the Director asked for comments broadly (not limited to pharmaceutical products) about the USPTO’s approach to examination, including:
  • Whether prior art searching by examiners should be enhanced.
  • Whether continuation applications in large families of patent applications should receive greater scrutiny under the written description and enablement requirements of 35 U.S.C. § 112.
  • Whether the USPTO should impose limitations on practice involving Requests for Continuing Examination.
  • Whether the USPTO should change its practices regarding obviousness-type double patenting, including its use of restriction requirements and patent applicants’ use of terminal disclaimers.

Director Vidal has shown great interest in reconsidering the USPTO’s policies in a wide range of areas. We expect further significant developments under her tutelage in the coming years. Stay tuned.

In the final days of 2022, President Biden signed into law the “Quantum Computing Cybersecurity Preparedness Act”.  The Act recognizes that current encryption protocols used by the federal government might one day be vulnerable to compromise as a result of quantum computing, which could allow adversaries of the United States to steal sensitive encrypted data.  To address these concerns, the Act will require an inventory and prioritization of vulnerable information technology in use by federal agencies; a plan to migrate existing information technology systems; and reports to Congress on the progress of the migration and funding required. 

Continue Reading President Biden Signs Quantum Computing Cybersecurity Preparedness Act

Last week, in remarks at an industry conference, Republican FCC Commissioner Nathan Simington proposed that the FCC consider requiring electronic device manufacturers to “take reasonable steps” to protect device security, including requiring them to issue software or firmware updates to patch security flaws and ensure that devices are designed to be easily patched.

His remarks came just a few weeks after the FCC effectively banned certain Chinese equipment and video surveillance devices from the U.S. market, showcasing an increasing appetite by the agency to use its authority over electronic equipment to regulate the market and safeguard national security interests.  For our previous report on that development, click here.  This new understanding of the purpose of the FCC’s equipment authorization rules is noteworthy.  The FCC previously relied on this authority solely to address technical matters associated with radiofrequency (RF) energy, such as prevention of interference and human safety.

According to Commissioner Simington, the FCC has the authority to impose such requirements under its Title III “power to protect signal security,” which provides the agency with “expansive authority to regulate RF emitting devices to make sure they don’t cause harmful interference.”  Commissioner Simington noted that millions of wireless devices are not secure largely because device manufacturers have not been incentivized to ensure their security.

According to Commissioner Simington, insecure RF devices pose not only data and privacy threats, but also the potential to cause harmful interference by significantly disrupting the operation of other, connected devices and services (e.g., rendering nearby Wi-Fi networks inoperable through a deauthentication attack with a single device or hijacking mobile phone basebands to attack wireless networks).  He went on to note that “[a]ny vulnerability in a phone operating system, in a smart thermostat firmware, in a 5G base station, is a threat to the security of our wireless networks from harmful interference.”

Given the complexity and associated challenges raised by his proposal, Commissioner Simington called on public and private stakeholders to engage with him to develop a “bipartisan, pro-innovation approach” that protects the public from insecure RF devices “while also making sure that industry is not bogged down with perpetual legal obligations to long-abandoned product lines.”

If you have any questions concerning the material discussed here, please contact the members of our Communications and Media practice.

On November 25, 2022, the FCC effectively banned certain Chinese telecom and video surveillance devices from the U.S. market – demonstrating the power of its authority over virtually all electronics equipment, which until last week’s decision had been exercised only to address technical, scientific and engineering concerns. With Congressional backing, the FCC now has established itself as a potent vehicle for excluding products from the U.S. market on national security concerns.

Specifically, the FCC released a Report and Order (“R&O”) and a Further Notice of Proposed Rulemaking (“FNPRM”) that changes the FCC’s device and equipment authorization rules to broadly prohibit the importation, marketing, and sale of radiofrequency (“RF”) devices and equipment by entities that the FCC has determined, based on input from the national security community, to pose a threat to the security of U.S. supply chains and networks. The FCC has published the list of such entities on its Covered List, and each of the equipment manufacturers on the list reportedly has some affiliation with the Chinese government. RF devices and equipment are those that generate and/or emit RF energy and thus effectively amount to all electronic devices. Going forward, all applicants for FCC device and equipment authorizations will be required to attest that they are not subject to this prohibition to secure their authorizations.

Of equal or greater noteworthiness, the FCC previewed potentially greater changes to its rules as part of its efforts to advance national security goals. For example, the FCC has asked for comment on whether and to what extent to revoke existing device and equipment authorizations held by covered entities, such that equipment already in the marketplace could be rendered unlawful. It also asked whether the new ban should extend to “components” made by covered entities but used by others in their own devices and equipment. How the FCC decides these and other issues presented in the FNPRM could have profound effects on the market for RF devices and equipment in the U.S.

I.       Background

By way of background, the Communications Act requires the FCC to issue authorizations for devices and equipment that generate and/or emit RF emissions before they can be imported, marketed, or sold in the U.S. Such authorizations are needed to ensure that devices and equipment do not exceed certain RF emissions thresholds, as exceeding such thresholds can cause harmful interference to other services and equipment or present health and safety risks.

For decades, the FCC generally has been expansive in issuing device and equipment authorizations, including to foreign-owned companies, provided they satisfied the RF emissions rules. But newly-enacted laws, resulting in part from increased strains in U.S.-China relations, have prompted the FCC to reconsider this approach.

Through the National Defense Authorization Act for Fiscal Year 2019, the SECURE Technology Act, and the Secure and Trusted Communications Networks Act of 2019 (“Secure Networks Act”), Congress limited the use of federal funds to procure equipment, services, or systems from certain foreign covered entities. The Secure Networks Act required that the FCC publish and periodically update the aforementioned Covered List. Last week’s R&O expanded these initiatives by adopting new rules that will prohibit certain RF devices and equipment from the U.S. market if they are deemed to be imported, marketed, or sold by an entity on the Covered List.

II.      The Report and Order

The R&O amended the FCC’s device and equipment authorization rules to prohibit the authorization of telecommunications and video surveillance equipment imported, marketed, or sold by an entity on the Covered List. Underscoring the impact of refusing equipment authorizations to these entities, FCC Chairwoman Rosenworcel explained in an accompanying statement:

The action we take today covers base station equipment that goes into our networks. It covers phones, cameras, and Wi-Fi routers that go into our homes. And it covers re-branded or “white label” equipment that is developed for the marketplace. In other words, this approach is comprehensive.

The FCC also took steps to close loopholes that might otherwise have enabled continued sales of equipment on the Covered List, e.g., by removing exemptions from the equipment authorization process for certain types of devices and emphasizing that the prohibition applies to “white label” equipment. Moreover, although the FCC declined to decide immediately whether existing authorizations for equipment by Covered List manufacturers should be revoked, it set the stage to do so in the future by concluding that the agency has authority to revoke, in the future, authorizations of equipment on the Covered List authorized before the Report and Order’s adoption on November 11, 2022.

III.    The Further Notice of Proposed Rulemaking

In the accompanying FNPRM, the FCC made clear that it may continue to use the equipment authorization rules as a lever to promote national security concerns. For example:

Revocation of existing authorizations for Covered List equipment. The ban adopted in the R&O is prospective and therefore doesn’t require removal of equipment manufactured by Covered List entities in the past. In the FNPRM, the FCC asks whether and under what circumstances it should apply the ban retroactively. Given that equipment on the Covered List remains in the telecommunications networks of many carriers, any retroactive ban could cause a meaningful financial impact. While Congress previously has appropriated funding for carriers to “rip and replace” such equipment from their networks, demand for the available funding far exceeds the appropriated amounts.

Component parts. The new rules do not require applicants for equipment authorizations to state whether any component part of the equipment to be authorized is comprised of covered equipment. In the FNPRM, the FCC recognizes that this may be a gap in the rules. The FCC accordingly has sought comment on the extent to which component equipment parts should be considered in the FCC’s prohibition on covered equipment and on a range of related issues, including what should be considered a “component part.”

Competitive bidding procedures. The FNPRM seeks comment on whether participants in competitive bidding procedures (e.g., for spectrum licenses) should be required to certify that bids do not rely on financial support from Covered List entities. While the FCC had previously sought input on this topic, it now asks for more precise information about the contours of any such requirement, such as the level of diligence required of a bidder to confirm that its financing is not ultimately sourced from an entity on the Covered List.

Agent for service of process. The FCC proposes to require that any application for equipment certification provide a “responsible party located in the United States” to respond to inquiries and remedy any violations of the FCC’s rules with respect to the equipment.

If you have any questions concerning the material discussed here, please contact the members of our Communications and Media practice.

On November 3, the FTC announced that it entered into a significant $100 million settlement with Vonage to resolve allegations relating to the internet phone service provider’s sales and autorenewal practices. The FTC alleged that Vonage violated both the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to provide a simple cancellation mechanism, failing to disclose material transaction terms prior to obtaining consumers’ billing information, and charging consumers without consent.

Continue Reading FTC Flexes ROSCA Muscle with $100 Million “Dark Patterns” Settlement with Vonage

Last week, Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel announced plans to reorganize the agency’s International Bureau by creating a new Space Bureau and a standalone Office of International Affairs.  The announcement, which marks the latest in a string of space-focused actions over the last several months, is a further indication of the FCC’s commitment to leadership in the growing space economy.

Continue Reading FCC Positions Itself for Expanding Space Industry

This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity. 

This quarter, Congress has continued to focus on the American Data Privacy Protection Act (“ADPPA”) (H.R. 8152), which would regulate the collection and use of personal information and includes specific requirements for AI systems.  Disagreements over the legislation’s preemption of state laws and creation of a private right of action continue to stall the its progress.  Separately, the Federal Trade Commission (“FTC”) announced an Advanced Notice of Proposed Rulemaking to solicit input on questions related to privacy and automated decision-making systems.  The notice cites to the FTC’s prior guidance related to IoT devices. 

Artificial Intelligence

Regulators and the White House have expressed increased interest in setting forth requirements and best practice expectations around the operation of AI systems.  For example, the FTC announced an Advanced Notice of Proposed Rulemaking in August that asks for comments on a number of topics related to automated decision-making systems.  In particular, the FTC is requesting comments on the prevalence of error in automated decision-making systems, discrimination based on protected categories facilitated by algorithmic decision-making systems (and whether the FTC should consider recognizing additional categories of protected classes), and how the FTC should address algorithmic discrimination that occurs through the use of proxies. 

In early October, the White House also released its Blueprint for an AI Bill of Rights.  Discussed in further detail here, the Blueprint outlines recommended best practices for entities using AI, which include measures to provide a safe and effective system, protections against algorithmic discrimination, attention to data privacy, notice and explanation, and the provision of human alternatives and consideration.

Congress continues to weigh into the discussion about regulation of AI systems.  The latest version of the ADPPA would require a covered entity or service provider who “knowingly develops” a covered algorithm that processes covered data “in furtherance of a consequential decision” must evaluate the design, structure, and inputs of the covered algorithm.  In addition, entities of a certain size, which the bill calls “large data holders,” must conduct an impact assessment that describes the design process and methodologies of the covered algorithm, an assessment of the necessity and proportionality of the algorithm in relation to its stated purpose, and the steps the entity will take to mitigate the risk of harm.

Internet of Things

This quarter, federal lawmakers introduced and advanced several bills related to the Internet of Things (“IoT”), including two bills imposing requirements on manufacturers of devices with cameras or microphones.  One of these bills is the Earning Approval of Voice External Sound Databasing Retained on People (“EAVESDROP”) Act (H.R. 8543), introduced by Representative Steve Scalise (R-LA) in July.  The bill would require manufacturers of connected devices with microphones to provide notices to consumers regarding the devices’ collection of certain consumer information. Manufacturers would also have to provide an easy way for consumers to deactivate the ability of the device to collect information.  The EAVESDROP Act exempts devices solely marketed as microphones and provides a safe-harbor for manufacturers that comply with a set of self-regulatory guidelines to be developed by the FTC.  In contrast, the Informing Consumers about Smart Devices Act (H.R. 4081) would require manufacturers of connected devices equipped with a camera or microphone to disclose to consumers that a camera or microphone is part of the device, and would not apply to mobile phones, laptops, or other devices that consumers would reasonably expect to include a camera or microphone.  The Informing Consumers about Smart Devices Act is sponsored by Reps. John R. Curtis (R-UT) and Seth Moulton (D-MA) and was approved by the House of Representatives on September 29, 2022.

Additionally, on September 28, 2022, the Senate approved the Small Business Broadband and Emerging Information Technology Enhancement Act of 2022 (S. 3906).  As we noted in our Second Quarterly Legislative and Regulatory Update, this bipartisan bill, sponsored by Senators Jeanne Shaheen (D-NH) and John Kennedy (R-LA), aims to bolster IoT competencies at the Small Business Administration (“SBA”), including through the designation of a coordinator for emerging information technology (which includes IoT technology).

Federal regulatory efforts related to IoT this quarter largely centered on cybersecurity and consumer protections.  For instance, the National Institute of Standards and Technology (“NIST”) published the final version of its Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425), building on work undertaken pursuant to E.O. 14028.  The publication, which follows a public draft released in June 2022, describes NIST’s cybersecurity expectations for IoT products for home and personal use.  As we noted in our previous quarterly update, the NIST guidance is not legally binding, but it signals a best practice that may later be incorporated by lawmakers in legislation. 

NIST also published a report summarizing key takeaways from of its June 2022 IoT Cybersecurity workshop (NIST IR 8431), and a report with guidance for first responders on minimizing security vulnerabilities when using mobile and wearable devices (NIST IR 8235).  Other agency activities impacting IoT technology include the FTC’s publication of a business guidance blog post focused on the marketplace for sensitive consumer location and health information collected by connected devices, and highlighting FTC enforcement against misuse of consumer data and deceptive claims about data anonymization.  These developments signal a continued focus by federal regulators on IoT cybersecurity and the protection of consumer data collected by connected devices.

Connected and Autonomous Vehicles

On August 8, 2022, Reps. Debbie Dingell (D-MI) and Bob Latta (R-OH) launched the bipartisan Congressional Autonomous Vehicle Caucus.  The first of its kind, the purpose of this caucus is to educate Congressional Members and staff on autonomous vehicle technology that can improve the safety and accessibility of roadways.  Rep. Dingell stated that the caucus will help the United States stay at the “forefront of innovation, manufacturing, and safety” while “engaging all stakeholders, making bold investments, and working across the aisle to get the necessary policies right to support the safe deployment of autonomous vehicles.”  Industry should watch for developments here, as policy proposals and opportunities for engagement could be on the horizon.

Federal regulators remain active in this space, signaling an interest in funding and advancing the deployment of CAV technologies.  A recent stated priority for the Strengthening Mobility and Revolutionizing Transportation (“SMART”) Grants Program is to improve the integration of systems and promote connectivity of infrastructure, connected vehicles, pedestrians, and bicyclists, and the Department of Transportation (“DOT”) authorized and appropriated $100M for projects in this space for FY2022.  Additionally, the Federal Transit Administration (“FTA”) and DOT issued a Notice of Funding Opportunity to apply for funding for projects exploring the use of Advanced Driver Assistance Systems (“ADAS”) for transit buses to demonstrate transit bus automation technologies in real-world settings.  Finally, DOT issued a Request for Information seeking comments on the possibility of adapting existing and emerging automation technologies to accelerate the development of real-time roadway intersection safety and warning systems for drivers and vulnerable road users.

This quarter, the National Highway Traffic and Safety Administration (“NHTSA”) also released a final version of the Cybersecurity Best Practices for the Safety of Modern Vehicles guidance, an update to its 2016 edition.  While the edits were largely cosmetic, a few key changes potentially relevant to CAVs and in-vehicle software are below:

  • The final version clarifies that both suppliers and manufacturers should maintain a database of software components so that when vulnerabilities are identified in software, affected systems can be easily identified.
  • The final version adds a new best practice stating that manufacturers should employ measures to limit firmware version rollback attacks (i.e., when an attacker uses the software update mechanisms to place older, more vulnerable software on a targeted device).
  • The final version adds a new best practice stating that industry should collaborate to address “future risks” as they emerge.

Privacy and Cybersecurity

As described in further detail in our second quarterly update for 2022 and here, the ADPPA continues to be the prevailing data privacy framework in Congress.  The bill sets forth broad requirements around data collection and disclosures, though the likelihood of passage this Congress continues to decrease as lawmakers remain stalled over issues around preemption and a private right of action.  California’s principal privacy regulator – the California Privacy Protection Agency – convened a special meeting on July 28, 2022 to discuss the ADPPA and to express the Agency’s strong disagreement with the ADPPA’s preemption provision.

The FTC is also exploring privacy regulation, including through its Advanced Notice of Proposed Rulemaking, released in August.  Specifically, the notice broadly asks whether the agency “should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”  Notably, the FTC recently extended the deadline to receive comments on the notice to November 21, 2022.  Additionally, the FTC released its agenda for a workshop on children’s advertising that will be held on October 19, 2022, which will focus on whether children can distinguish ads from entertainment in digital media.

We will continue to update you on meaningful developments in these quarterly updates and across our blogs.