Plaintext: What’s Next in Privacy Legislation

Welcome to Dark Reading in Plaintext, brought to your inbox this week by SANS Institute. In this issue of Plaintext, we revisit the progress of data privacy legislation at both the state and federal levels. We are also encouraged by the Diverse Cybersecurity Workforce Act of 2024 introduced in Congress this week. If you enjoy Plaintext, please share with friends and colleagues!

Progress on the Federal Privacy Law. A House Energy and Commerce subcommittee — the Innovation, Data and Commerce subcommittee — unanimously approved a revamped version of the American Privacy Rights Act this week. The American Privacy Rights Act would establish baseline data privacy protections around a wide swath of Americans’ personal data. Passage is far from certain, however, as the bill will still need to be approved by the full House Energy and Commerce Committee before it reaches a floor vote in the House of Representatives and the Senate. Lawmakers believe there will be more modifications to the bill.

In its current form, the APRA would improve restrictions on how businesses can collect, retain, and use data when it is sold to advertisers or collected for purposes other than to provide a product or service. The bill currently has language around a broader “Delete My Data” mechanism requiring data brokers to delete all covered data when requested by a user. “At a high level, advertising definitions are revised in the draft to aim for a better balance between beneficial use of ads and consumer privacy,” wrote R Street’s Steven Ward and Brandon Pugh.

The United States still does not have a federal data privacy law, but there is a patchwork of state laws covering privacy, and state attorneys general are concerned about the fact that APRA has language to preempt existing state laws. Rob Bonta, the attorney general of California, and 14 other state attorneys general sent a letter to Congress asking lawmakers to reconsider the language. For example, APRA would override Illinois’s Biometric Information Privacy Act.

“A federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws.” Letter to Congress from 15 state attorneys general.  

This month, Maryland and Vermont became the 16th and 17th states to pass their own data privacy laws. Vermont’s comprehensive data privacy law is among the strongest to be passed and has language allowing individuals to sue companies for violating their privacy rights. California’s data privacy law also allows individuals to sue businesses, but CPRA applies only to data breaches and not broader privacy. Vermont’s law also includes data minimization requirements (companies are restricted on what personal data they are allowed to collect), bans companies from selling data, and limits how geolocation data can be used.


Diversifying the Workforce. Reps. Shontel Brown (D-Ohio) and Haley Stevens (D-Mich.) introduced the Diverse Cybersecurity Workforce Act of 2024 this week. The bill calls for providing the Cybersecurity and Infrastructure Security Agency with $20 million annually to create a sub-program under its Cybersecurity Education and Training Assistance Program to promote cybersecurity jobs to members of disadvantaged communities. The bill includes groups such as women, racial and ethnic minorities, older individuals, veterans, and people with disabilities. People with nontraditional educational backgrounds and those who were formerly incarcerated are also included in the bill. According to the Aspen Institute, just 9% of cybersecurity professionals are Black, 4% are Hispanic, and 1% are Indigenous. Roughly a quarter of cybersecurity jobs are held by women.

“[Diversity] in the cybersecurity workforce is not possible without building a pipeline of diverse skill sets and talent, and that pipeline cannot be built without tapping into diverse, and often underrepresented, communities,” Lynn Dohm of Women in CyberSecurity (WiCyS) said in a statement. “A bill like the Diverse Cybersecurity Workforce Act will create a cycle to support these ongoing efforts through intentional resources and programming efforts meant to empower individuals to explore cybersecurity careers, find the hidden talent, create inclusive spaces for cybersecurity training, elevate those with aptitude, grit and determination, and offer all the wrap-around services to champion and support programming efforts such as incentives, mentoring, and career placement.”

What We Heard On-Air

Tune in to our on-demand webinar “Why Effective Asset Management is Critical to Enterprise Security” to learn about how organizations can shift left for better security.

“One thing I know is that underlying IT is asset management. IT is hard and IT asset management is hard but it's so critical to doing our job.” Hal Pomeranz, Adroitive Solutions

On That Note

What's happening here? Just a couple days left to submit your most creative cybersecurity caption for May's Name That Edge Toon contest. Deadline is May 29.
