In the wake of the U.S. Supreme Court\u2019s decision overturning Roe v. Wade, which will expose pregnant people in over half of U.S. states to a digital law enforcement surveillance environment, the Biden administration and Congress have kicked into gear to address a spate of privacy and digital protection threats that substantially broaden the scope of privacy and data security protections.As each week passes, additional government efforts to address access to sensitive data by police, prosecutors, and the private sector continue to unfold and progress rapidly. These actions have significant implications for how IT, security, and privacy operations within organizations must manage the personal data collected and stored within their organizations and the policies under which the data can be shared.American Data Privacy and Protection ActThe House Energy and Commerce Committee passed a bipartisan version of a landmark privacy bill, the American Data Privacy and Protection Act (ADPPA), a historic feat considered virtually impossible a few months ago.\u00a0The ADPPA sets clear limits on how companies can collect and use data by setting data minimization rules, making privacy the default posture.As currently amended, the bill establishes substantial restrictions on the collection and use of sensitive data, including precise geolocation, biometric, and health information, as well as data identifying an individual\u2019s online activities over time and across third-party websites and online services. It also extends civil rights protections online, requires algorithmic impact assessments, and gives users the right to access, correct, and delete data collected about them. The ADPPA would also give all Americans the right to opt out of targeted advertising globally.FTC commits to prosecuting companies that violate data protection lawsEarlier this month, the Federal Trade Commission (FTC) reiterated its commitment to using the full scope of its legal authorities to protect consumers\u2019 privacy. \u201cWe will vigorously enforce the law if we uncover illegal conduct that exploits Americans\u2019 location, health, or other sensitive data,\u201d Kristin Cohen, acting associate director, FTC Division of Privacy & Identity Protection, said in a statement.She stressed that companies must consider several factors when collecting confidential consumer information, including location and health data. Among these factors are existing state and federal laws protecting sensitive data and the likelihood that the FTC will view any claims of \u201canonymized\u201d data skeptically. Most importantly, companies that over-collect, indefinitely retain, or misuse consumer data will likely face legal action by the Commission.Lawmakers seek to extend HIPAA privacy ruleOn July 1, Senators Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) urged the Department of Health and Human Services (HHS) \u201cto protect the privacy of Americans receiving reproductive health care services by updating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule following the Supreme Court\u2019s decision in Dobbs v. Jackson Women\u2019s Health Organization (Dobbs).\u201dThey urged HHS to \u201cclarify that this information cannot be shared with law enforcement agencies who target individuals who have an abortion.\u201d Moreover, they want HHS to determine that so-called pregnancy care centers (also known as crisis pregnancy centers) must follow the Privacy Rule requirements. Abortion advocates maintain that these centers are merely deceptive front operations run by anti-choice advocates to dissuade pregnant people from seeking abortions and are likely to turn over sensitive health and location data to authorities to prosecute people in states where abortion is outlawed.FCC collects data on mobile data retention and privacy policiesThe Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel wrote to the top 15 mobile providers requesting information about their data retention, privacy policies, and general practices. In the letter, she asks about their policies around geolocation data, including how long it is retained and why, and the current safeguards to protect this sensitive information.She also asked the carriers to explain their processes for sharing subscriber geolocation data with law enforcement and other third parties\u2019 data sharing agreements and whether and how consumers are notified when their geolocation information is shared with third parties. Rosenworcel said, \u201cMobile internet service providers are uniquely situated to capture a trove of data about their subscribers, including the subscriber\u2019s identity and personal characteristics, geolocation data, app usage, and web browsing data and habits.\u201d Mobile providers have until August 3, 2022, to reply and provide a response.Digital dragnet bill gains a hearingLast year, lawmakers in the House and Senate introduced a bill called the Fourth Amendment is Not for Sale Act (H.R. 2738 and S.1265) that prevents the government from purchasing data from third parties that it would otherwise need a warrant to obtain under the Fourth Amendment. The Fourth Amendment protects American from unreasonable searches and seizures by the government, although how it operates in the digital era is still an evolving question.Earlier this week, in support of the legislation, the House Judiciary Committee held a hearing on \u201cdigital dragnets,\u201d namely the increasing reliance of law enforcement on massive data sets produced by private third parties with little consideration for due process under the Fourth Amendment.Committee Chairman Jerry Nadler (D-NY) made clear the nexus between the Supreme Court\u2019s recent decision and the revived momentum of this legislation. \u201cIn the states where abortion is now a crime, law enforcement can use available data to keep track of who searches online for the words, miscarriage or abortion,\u201d he said.\u201cThey can purchase geolocation data to monitor which phones travel out of state to go to a medical provider. They can access the data from tracking apps or purchase integrated data profiles to see, or even predict if and when a woman may be pregnant or may be likely to seek an abortion.\u201d The result of the federal government\u2019s use of private third-party data, which goes largely unmonitored, \u201cis that just by going about your daily life, your data may be swept up in and make you the subject of criminal investigations,\u201d Nadler said.Bob Goodlatte, senior policy advisor, Project for Privacy & Surveillance Accountability, and former chairman of the House Judiciary Committee, said as a witness at the hearing that the solution for the government overreach is the Fourth Amendment is Not for Sale Act. \u201cThis bill would close the loopholes in the law. It would forbid government agencies from buying personal data it would otherwise need a warrant or subpoena to obtain it. When the Fourth Amendment is Not for Sale Act passes, U.S. law enforcement and intelligence agencies will still have powerful legal tools at their fingertips with which to follow leads that can catch terrorists, spies, and dangerous criminals.\u201dImpact on organizations\u2019 data management policiesAlthough the dust hasn\u2019t settled on any of these rapidly emerging developments, it\u2019s clear that IT, security, and privacy operations within organizations will have to quickly revamp how they collect, share and store data. John Wills, field CTO at Alation, tells CSO in an email that the string of recent efforts to protect individuals\u2019 data privacy could majorly impact businesses.Among the significant impacts, according to Wills, are:Increasingly complex rules, sometimes split across various jurisdictions, requiring additional investments to stay compliantAn increased need for data cataloging and management software to help companies maintain accurate data logsChanges to customer loyalty plans and other data-intensive company programsA need for more advanced artificial intelligence and machine learning systems to help gather, sort, use, and report dataCorporate law firm Balch and Bingham produced a breakdown of the ADPPA, at least, and how it would impact businesses. The bill places \u201csignificant obligations on businesses, particularly those that are not currently subject to European privacy law or state comprehensive privacy laws such as the California Consumer Privacy Act, or CCPA, and the California Privacy Rights Act, or those soon to be in effect in states such as Colorado, Connecticut, Virginia, and Utah,\u201d according to Balch\u2019s attorneys.Even those subject to these laws may have to add critical aspects to their privacy policies and procedures, such as requirements to publish annual impact assessments disclosing methods taken to minimize data risks, appoint a data security or privacy officer, modify privacy policies to ensure required information is disclosed and conduct audits to ensure reasonable internal controls related to individual\u2019s data and compliance with the Act.