Springtime in Washington means it’s time for another round of federal privacy legislation | Brookings

The U.S. House of Representatives operates on a biennial basis. True to this calendar, the House Committee on Energy and Commerce (E&C) has made comprehensive information privacy bills a springtime ritual in recent election years. Now, a task force of committee Republicans has produced a “discussion draft” privacy bill. It’s entitled the SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act) and, in its main provisions on the obligations of companies, rights of individuals, and enforcement, the draft bill is a composite of state privacy laws—maybe not the lowest common denominator but close to it—accompanied by broad preemption of state laws that relate “to the provisions of this Act.”

In a significant new development, the House E&C committee is releasing the bill in coordination with another from Republican leaders on the House Financial Services Committee, the GUARD Financial Data Act (Guidelines for Use, Access, and Responsible Disclosure of Financial Data). Republicans on the House Financial Services Committee describe the GUARD Financial Data Act as intended to modernize the 1999 Gramm-Leach-Bliley Act by applying rights and obligations like those in the House E&C draft bill. This analysis is based on review of the House E&C text but not the Financial Services version.

This latest House E&C bill follows failed attempts in 2022 and 2024. The 2022 bill—the American Data Privacy and Protection Act (ADPPA)—came the closest. It was the bipartisan product of what started as “four corners” negotiations among the chairs and ranking members of the House E&C committee and its Senate counterpart, respectively Reps. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.) and Sens. Maria Cantwell (D-Wash.) and Roger Wicker (R-Miss.), seeking to break an over two-year stalemate on privacy. The ADPPA emerged as a “three corners” bill without Cantwell and went on to be reported out by the House Subcommittee on Consumer Protection and Commerce and, on July 20, by the full committee by a 53-2 vote. It never went further, though, because then-Speaker Nancy Pelosi (D-Calif.) declined to bring it to the floor, acceding to California leaders who objected to the bill’s partial preemption of state laws. “All politics is local,” Pelosi’s legendary predecessor Tip O’Neill said, and Pelosi provided a case in point.

The 2024 effort collapsed before coming up for a full committee vote. After Republicans took control of the House in fall 2022, McMorris Rodgers and Pallone switched leadership roles on the House Energy and Commerce Committee. On the Senate side, Cantwell kept the gavel, and Sen. Ted Cruz (R-Texas) took the place of Wicker. Quite suddenly, the two Democrat Washington legislators produced a new iteration of the ADPPA dubbed the American Privacy Rights Act (APRA). This “two corners” bill was reported out of the Innovation, Data, and Commerce Subcommittee on May 23, 2024, and then scheduled for a full committee markup on June 27, 2024. The bill faced a series of hurdles: A civil rights provision provoked opposition in some Republican quarters, which prompted McMorris Rodgers to drop the provision, thereby draining support from Democrats and civil society supporters; Cruz opposed allowing private suits; and word came out that Republican leadership would not take up the bill.

In the current Congress, with Republicans in full control of both chambers and Brett Guthrie (R-Ky.) as a new chair, House E&C Republicans have taken a different tack. In place of previous bipartisan efforts, they formed a majority working group in the Subcommittee on Commerce, Manufacturing, and Trade, and wrote a new bill rather than work from previous models. The task force launched its work in February 2025 with a request for comments on approaches to privacy legislation and, since then, has been gathering input from members and stakeholders to write the discussion draft and cooperate with Republicans on the House Financial Services Committee and some in the Senate.

The Republican discussion draft begins a new debate and establishes a maximal starting position. The committees will hold hearings on the bills and seek to move to subcommittee and full committee markups.

By tailoring the discussion draft to existing state laws, the task force follows a well-trodden path. As an excellent analysis of state laws by Jordan Francis of the Future of Privacy Forum points out, all of these laws except for California’s follow the structure, definitions, and much of the general substance of what he terms “the WPA framework” (after the Washington Privacy Act, a bill that was not adopted in Washington but provided a template for legislation now passed in 19 states, starting with Virginia in 2021). This template includes a set of definitions that spell out in particular what data is protected, what businesses are included or excluded, what obligations those businesses have, what rights individuals enjoy, and how the statute will be enforced. Each uses much of the same language even where they vary in substance. So although the task force did not take the ADPPA and APRA as starting text, those bills also contained similar structure and language, so the debate will begin on familiar ground.

The discussion draft departs from its predecessors in leaving out a civil rights provision providing explicit protection against discrimination in the use of personal data. It does include separate provisions banning discrimination in pricing or service quality and discrimination that violates federal civil rights laws but bars the Federal Trade Commission (FTC) from enforcing the latter provision. The civil rights provision in the ADPPA—which also appeared in a House Republican staff draft earlier in 2022—was pivotal in the privacy debate. It helped build a coalition of 48 groups advocating for privacy, consumer protection, children, and civil rights, among other issues, to call on Speaker Pelosi to bring the ADPPA to the House floor in 2022. The APRA initially included a substantially similar provision but, when McMorris Rodgers dropped that provision in her proposed substitute for markup, many groups withdrew their support of the bill. Neither they nor congressional Democrats are likely to support the discussion draft without such a civil rights provision.

The discussion draft also contains no version of a private right of action, even one subject to the limits on scope and procedural checks of the ADPPA and APRA. Instead, enforcement would rest exclusively with the FTC (except as to civil rights) and state attorneys general. This enforcement framework too will disappoint Democrats and privacy, civil rights, and consumer advocates.

Another key issue in the wake of prior federal models and emerging state laws is the scope of data collection, use, and sharing. As the privacy debate has unfolded since 2018, a system of notice-and-choice and pop-up consent forms has attracted widespread criticism, including from influential legislators. Both the ADPPA and APRA bounded collection, use, and sharing to the information necessary to provide a product or service, accompanied by a catalogue of permitted uses, such as protecting data security or providing customer service. State laws from Maryland and Connecticut as well as some pending state bills have adopted this normative model. Yet the majority of state laws frame data minimization on the basis of what companies disclose in published privacy policies, leaving notice-and-choice in place.

The discussion draft does just that, limiting collection to what is relevant to each purpose for processing “as disclosed to the consumer.” This would allow companies to determine the scope of data they collect, use, and share with the sort of catchall disclosures that make up boilerplate privacy policies. The bill would provide individuals an opportunity to limit such use by opting out of targeted advertising, sale of personal information, and use of personal data for “profiling to make a decision that has a legal or similarly significant effect on the consumer,” but the burden would be on them to exercise this right. Businesses would also have to seek consent to process sensitive information. In an era of constant digital interactions, reliance on pop-ups and check boxes is thin protection.

Avoiding reliance on consent can offer benefits to both individuals and companies by reducing friction and compliance costs while providing individuals with a concrete basis to trust that information about them will be used in ways consistent with their interests. Analysts at the Future of Privacy Forum have proposed ways that the prevailing state models could balance effective data minimization with flexibility, and I have also explored ways to protect individual interests while allowing for beneficial uses of personal data.

The House E&C discussion draft contains a pair of novel provisions of particular personal interest to me. It carries forward a proposal that originated in the Obama administration’s Consumer Privacy Bill of Rights to allow for consensus-based codes of conduct that, after a public process of approval, would become legally binding ways to establish compliance with privacy law. The ADPPA and APRA both enabled such codes of conduct. The discussion draft does so as well, allowing for codes developed by “independent organizations,” which are undefined but presumably include groups like the National Advertising Initiative or Better Business Bureau that have worked on privacy frameworks. Rather than lodging approval with the FTC like previous bills, the draft places it at the Department of Commerce; that department does not engage in regulation except in the specialized areas of export controls and fisheries, so this would expand Commerce’s longstanding role in privacy and data flows broadly.

The draft also formalizes the role that Commerce has played in mechanisms for cross-border data flows by giving the secretary explicit authority to enter into executive agreements, which are international agreements—such as the EU-U.S. Data Privacy Framework—that have force of law but don’t have the status of treaties. The bill also specifies that the Cross-Border Privacy Rules framework that emerged from the Asia-Pacific Economic Cooperation group could be used as a code of conduct under the law.

In 2019, after numerous congressional hearings, private conversations and meetings with stakeholders, and comparison of privacy bills, I classified the key issues into a matrix based on their substantive complexity on one axis and degree of agreement on the other. It described the quadrants of this matrix as:

  • Implementation issues: Issues for which the substantive contours are well understood and not significantly divided.
  • Solvable issues: More complex issues where specific legislative language is more sensitive but there is also considerable consensus.
  • Hard issues: Issues with significant impact on the scope of privacy protection and on existing business practices, hence both complex and highly contested.
  • Endgame issues: Issues for which there are numerous templates for solutions in existing legislation but highly contested, so their resolution depends fundamentally on political choices once other issues are largely resolved.

The figure below shows how the matrix placed the key issues involved in privacy legislation.

This classification of issues underlay the legislative compromises outlined in our 2020 Brookings report, “Bridging the gaps: A path forward to federal privacy legislation,” a form of grand bargain that trades off significant federal preemption of state comprehensive privacy laws in exchange for strong privacy protections, including some right to a form of redress for substantial injury to individual privacy. Both the ADPPA and the APRA as originally introduced reflected this kind of grand bargain. There is little chance any comprehensive privacy bill can become federal law without one. The broad-brush preemption in the discussion draft makes another such bargain harder.

Of course, preemption and private lawsuits were classified as “endgame” issues, and they proved to be the end of the game for both the ADPPA and the APRA. This year’s Republican task force discussion draft is just an opening gambit, so additional moves may reveal a workable bargain. When it comes to the endgame and hard issues, the gaps are much greater than those described in our 2020 report, so there is much more to bridge.

In 2022, it was California’s privacy laws that prompted opposition to federal preemption. Since then, 20 states have enacted comprehensive privacy laws, with Colorado’s regarded as one of the most protective of privacy. The prime mover behind that law, Democratic Attorney General Phil Weiser (now running for governor), was willing to support a preemptive federal law if it provided protections at least as strong as Colorado’s, and I spoke with influential California representatives who were willing to buck Pelosi’s opposition had the ADPPA come to a House floor vote. Now, with more state laws affected, more legislators and state officials will be unlikely to support reducing their constituents’ privacy protections.

The record from this Congress and the key players for reaching this kind of accommodation is not promising. After all, Congress has yet to end the longest-ever shutdown of a federal agency, and Speaker Mike Johnson (R-La.) has had frequent troubles aligning his slim majority. Both Johnson and House Majority Leader Steve Scalise (R-La.) are reported to have warned then-Chair McMorris Rodgers not to bring APRA to committee markup, and her successor Guthrie was also reported to oppose that bill. On the Senate side, Commerce, Science and Transportation Chair Cruz expressed his opposition to APRA’s private right of action and, in the context of artificial intelligence, proposed a blanket 10-year moratorium on any state legislation. Meanwhile, Cantwell was unable to reach agreement on privacy legislation with the other, more aligned parts of the “four corners.”

Given the wide gap between the E&C discussion draft and the middle ground, it is not clear where the political will can emerge for the compromises necessary to pass a comprehensive federal privacy bill. That will require bipartisan support. Lame-duck sessions have a way of forcing compromise, especially when changes of party control are in the offing, so maybe a change in the control of Congress this November could induce Republicans to settle for what they can get while the certainty of another two years of presidential veto power might bring Democrats to the table. But similar incentives did not change the previous biennial outcomes.

The Brookings Institution is committed to quality, independence, and impact.
We are supported by a diverse array of funders. In line with our values and policies, each Brookings publication represents the sole views of its author(s).


