Due to the absence of a comprehensive federal framework, privacy law in the U.S. is described as a patchwork where states, state-level enforcement and the California Privacy Protection Agency have taken leading roles. Despite several attempts in recent years, Congress has been unable to reach a consensus to enact a comprehensive federal privacy law, with all bills introduced, regardless of their chamber of origin or partisan or bipartisan nature, failing to obtain a full chamber vote.
Against this backdrop, the U.S. House of Representatives Committee on Energy and Commerce made moves earlier in the year that signaled its intent to introduce an updated federal privacy framework. First, on 12 Feb. 2025, Rep. Brett Guthrie, R-Ky., announced the creation of a privacy working group, led by Rep. John Joyce, R-Pa., with the objective of "bring[ing] members and stakeholders together to explore a framework for legislation that can get across the finish line." On 21 Feb., the group sent out a request for information, inviting stakeholders to provide written responses to essential questions regarding the upcoming federal framework.
Multiple stakeholders — from trade associations to consumer and business advocacy groups, think tanks, state legislators and state enforcement agencies — heeded this call and presented public and private responses. These responses addressed issues such as preemption of state laws, data minimization standards, enforcement methods and regulation of AI, among others. This exercise brought many perspectives before the working group, helping those members of Congress that are part of the group consider the needs of states, industries and consumers as they work to craft legislation that satisfies stakeholders.
While there is an almost universal consensus around some topics — such as the need for consumer rights and the participation of the FTC in enforcement — some issues still linger as points of contention. Unresolved issues from previous iterations of proposed federal law that persist include federal preemption, the enactment of a private right of action and data minimization. Meanwhile, newer challenges have entered the fold, including the regulation of AI. It is valuable to analyze the topics that have captured the attention of Congress and interested stakeholders to understand how these issues may eventually reach resolution in a comprehensive federal privacy law.
To preempt or not to preempt: Ceiling vs. floor federal preemption and state laws
The relationship between state privacy laws and a federal framework is a point of contention from previous attempts to pass federal privacy legislation and one of the key issues stakeholders raised. The debate concerns the degree to which a federal framework should preempt present and future state laws — a question with significant implications for compliance costs, uniformity and consumer rights and protections. This issue has sparked disagreement even among those aligned on other aspects of a federal law.
The debate about preemption goes beyond the question of whether federal law should override the existing state rules. Proposals have also included a moratorium on future state laws that would enact greater protections for consumers or obligations for businesses than those adopted by a federal privacy law. The National Conference of State Legislatures points out that other federal sectoral privacy laws, like the Health Insurance Portability and Accountability Act or Children's Online Privacy Protection Act, have taken a floor preemption approach, preserving the ability of state legislators to enact laws with greater protections.
Additionally, NCSL explains that floor preemption would prevent a race to the bottom, as it would remove incentives for state legislatures to implement less demanding statutes as a way to attract businesses to their state. Enforcers such as CalPrivacy and the New Jersey attorney general called upon the working group to not include full preemption, arguing that state legislatures are better equipped and can move faster than Congress to address evolving privacy challenges. They argued that preempting current state laws would upend protections for residents of more than 20 states. The Electronic Privacy Information Center noted that Congress has regularly allowed states to craft protections that exceed those established by federal law, which serve as a regulatory baseline. At least nine federal laws in the privacy sphere follow this model of floor preemption, meaning that the federal law establishes a minimum set of protections and the states are allowed to enact further rights or protections for individuals.
On the other end of the spectrum rests the idea of total preemption, a model that some argue would allow uniform application of the law, reduce compliance costs for small businesses and prevent confusion for consumers about their rights. The U.S. Chamber of Commerce, for example, suggests that Congress should embrace total preemption, arguing it would result in serious reductions of compliance costs that disproportionately impact small businesses and that a 50-state patchwork would cost the economy USD1 trillion. Similarly, the National Small Business Association, which also endorses total preemption, points out that a regulatory model based on state lines has become impractical due to an increasingly digital economy.
The issue of federal ceiling preemption still lingers based on language that has been considered in previous legislative attempts. A majority of public comments align with the Chamber, reflecting support for this approach and suggesting it would reduce compliance costs and eliminate the patchwork of state laws by creating a single privacy regime. Of the 45 public comments analyzed, 35 support the adoption of ceiling preemption in a federal framework, while nine called for floor preemption. Six either abstained from providing comments about preemption or did not endorse a specific model.
Data minimization and purpose limitation: Settled principles, unsettled limits
The adoption of data minimization and purpose limitation as core principles of a federal framework is uncontroversial. However, debate over the extent to which these principles should apply demonstrates the complex role they play within a federal framework.
The comments to the working group reveal that limiting businesses' access to and control of data is controversial, as those actions create compliance costs and potential lost opportunities. NetChoice points out the risks to innovation, product improvement and research and development that a broad data minimization regime could create. The Chamber argues that other standards could serve the purpose of safeguarding privacy without hampering innovation. It proposes Congress implement a lenient standard resembling what some state legislatures, such as those in Colorado, Kentucky and Texas, have done and allow companies to collect information for what is "adequate, relevant and reasonably necessary related to the disclosed or specified purpose."
Similarly, the Network Advertising Initiative praises the standard adopted by Texas as an example of balancing data minimization, consumer control and transparency while preventing onerous restrictions that could block processing for beneficial purposes. Additionally, the Chamber points out that stricter data minimization and purpose limitation standards would narrow the reasons for which businesses can collect, process and transfer data — potentially preventing them from using data for altruistic intentions such as fraud prevention. It could also obstruct the ability of companies to comply with state-level cybersecurity and AI laws as they would not have access to required information.
Privacy advocacy groups explain that implementing data minimization and purpose limitation helps prevent privacy harms that users may face when the data is misused, accessed or disclosed downstream as non-authorized uses would be strictly prohibited by law.
The Center for Democracy and Technology highlights a key trade-off: While limiting businesses' ability to collect more data than is strictly necessary for delivering the expected product or service gives consumers more control over their information, it also creates challenges for advertising and providing more personalized services.
EPIC explains that one of the biggest weaknesses of the current state-level laws is the absence of a meaningful data minimization and purpose limitation standard. The gap allows companies to collect, keep and use vast amounts of data in an unjustified manner, reinforcing the model of "notice and choice." EPIC argues that a stricter standard, like the one Maryland has adopted, would not only provide meaningful protections to the consumer, but would also require businesses to engage in a greater evaluation of their privacy and data practices.
Consumer Reports calls on Congress to base any privacy legislation on the principle of data minimization as a tool that allows consumers to constrain businesses against the use of their data for secondary purposes that do not provide a direct benefit to the consumer and can even potentially be used to undermine their interests.
As previously mentioned, the broad agreement around the need for at least a basic level of data minimization and purpose limitation shows the value of this foundational principle. This common ground has been reinforced by the language adopted by the American Data Privacy and Protection Act of 2022 that tied the amount of data collected to the product or service to be provided to the consumer for personal information and a strictly necessary standard for sensitive information. States have followed this lead by introducing similar or strengthened standards when enacting new sectoral and comprehensive privacy legislation.
This trend is also likely to continue at the federal level, as reflected in the bipartisan American Privacy Rights Act of 2024. That proposal adopted a lenient data minimization standard for personal information that is processed for altruistic purposes while keeping a strict standard to process sensitive information. However, a stricter standard for all personal data does not have broad support, as only 20% of respondents expressed the need for this level of data minimization.
Enforcement: The FTC, state agencies and attorneys general, and private right of action
The issue of who should be the enforcer of privacy is one that has permeated both state and federal levels. At the state level, legislators have introduced bills with private rights of action while others provide for exclusive enforcement by state actors, resulting in a range of solutions being adopted. An outlier, California created a new agency, CalPrivacy, with rulemaking power and concurrent enforcement authority with the state attorney general. The state also enacted a private right of action for consumers who were victims of data breaches. Yet, all other states have granted exclusive enforcement power to their attorney general's office.
The Federal Trade Commission is seen as the de facto federal privacy enforcer by most stakeholders. Under its Section 5 authority, the agency has created a level of expertise and standards that are accepted by market participants. Most stakeholders agree the FTC should maintain its role as chief privacy enforcer with carve outs for agencies that enforce sectoral laws such as the Gramm-Leach-Bliley Act, HIPAA and the Fair Credit Reporting Act. Approximately 82% of stakeholders call for the FTC to be either the main or concurrent enforcer of the federal framework.
The Business Roundtable explains that empowering a single agency as enforcer would create consistency in enforcement actions. Similarly, the Center for Democracy and Technology draws special attention to the nature of the FTC as an independent agency with bipartisan leadership, subject-matter expertise and regulatory experience — factors that bolster its position as the main enforcer. Some comments focus on the need for an increased investment in the agency and the implementation of dedicated teams that focus on privacy enforcement to create needed expertise. Other comments emphasize the need to clarify the rulemaking authority that the agency currently holds and welcome the construction of a self-regulatory scheme by businesses.
One major concern comes from Consumer Reports, which endorses the FTC as the enforcement authority but argues that a federal framework should restore the commission's ability to obtain refunds on behalf of consumers, a power lost after the U.S. Supreme Court's decision in AMG Capital Management v. FTC.
Most comments emphasize preserving the role and expertise of the offices of state attorneys general while ensuring collaboration with the FTC to prevent duplication of efforts or conflicting mandates. Having state attorneys general as co-enforcers would add enforcement capabilities the FTC may not be able to satisfy and would incentivize the use of multistate enforcement and coordination when similar misconduct occurs in multiple jurisdictions.
The Chamber suggests that this concurrent role for state attorneys general with the FTC is ideal as it would allow law enforcement to be guided by "experts" and likely prevent dissimilar decisions. Additionally, the NCSL advocates that states retain their own legal rights of action and enforcement regimes. CalPrivacy calls on Congress to consider the demonstrated effectiveness state-level agencies have shown in protecting privacy, citing enforcement actions in California and Texas.
However, the private right of action at the federal level remains a main issue of contention, with only 13.3% of stakeholders supporting its adoption within a federal law. While this right is present in a limited manner in the California Consumer Privacy Act and in some sectoral laws such as the Illinois Biometric Information Privacy Act, no legislature has enacted statutes with the ability for consumers to sue businesses for a broad range of privacy harms. Nevertheless, some advocacy groups suggest Congress should enact a private right of action as a concurrent tool for government enforcement.
On one hand, EPIC advocates for a private right of action as "the most important tool legislatures can give to their constituents to protect their privacy," explaining that its existence incentivizes companies to comply with the statutes as there is a financial penalty for failures. The Electronic Frontier Foundation asserts that granting consumers a private right of action will help underfinanced government entities in enforcement and ensure that the goals set out in legislation are achieved.
On the other, the Main Street Privacy Coalition sees a private right of action as a risk that has the potential to disproportionately affect small businesses. NetChoice considers it an open invitation for "abusive litigation ... [that may be] devastating to small businesses." The Chamber suggests the private right of action may undermine agency enforcement and lead to inconsistent interpretations of the law based on the district-by-district rulings that would erode the uniformity goal of the federal framework.
Enforcement by the FTC and state attorneys general is a feature of previous privacy proposals made by Congress and something that generates broad agreement among most stakeholders. As government enforcement has also been adopted in other sectoral laws like COPPA, any final outcome of the working group would likely grant these authorities the enforcement power.
However, the private right of action is likely to follow the same route taken by most state laws — that of non-existence. While previous federal bills have introduced a private right of action, state legislatures have not pursued this policy. Most groups appear to support exclusive government enforcement as a tool to preserve the nature of uniformity sought in the federal framework and to spare compliance costs for businesses.
The new frontier: Regulating AI in a federal privacy framework
The working group noted that many states are regulating AI through automated decision-making requirements, thereby bringing AI under the scope of their comprehensive privacy legislation. As many states have begun adopting legislation to regulate AI and ADM, the request for information thus inquired about the role a federal framework should play in this regulation. For example, Colorado is the only state to have implemented a comprehensive AI act and privacy law. Meanwhile, other states, such as California and Texas, have regulated AI through topic-specific laws; at least 25 states have introduced tech-specific legislation regarding AI.
The Chamber explains there will be a parallel patchwork for AI if Congress does not prevent it. This would seriously affect entrepreneurs, small businesses and the business community. The Chamber supports including consumer rights and strong preemption, arguing that this approach ensures consumers' data remains protected regardless of how businesses use AI. However, only 20% of stakeholders who made public comments support this position, while 80% of the comments opposed or did not address the issue of AI preemption.
Meanwhile, NetChoice argues there is no need for legislation to specifically address AI or ADM because the federal framework should be tech neutral with flexible principles and requirements that can be adapted to rapidly evolving tech. This is similar to the position held by the Computer & Communications Industry Association, which urged Congress not to impose regulations specific to this subject matter. On the other hand, the NCSL and EPIC argue against federal preemption for AI, as states should maintain their ability to experiment and regulate it in innovative, unrestricted ways.
Preemption regarding state-level AI laws raises another issue most stakeholders want to exclude from the federal framework. The experience with the AI moratorium, approved and then later disposed of at the beginning of 2025, may indicate that the working group is considering this as an option, especially because Guthrie supported it at the time.
Conclusion
The privacy working group of the House Energy and Commerce Committee shows the 119th Congress is actively working to enact a comprehensive federal privacy framework — something most stakeholders consider long overdue. However, many issues remain unresolved, and proposals risk ending in the same deadlock that stalled previous bills such as the American Privacy Rights Act of 2024 and the American Data Privacy and Protection Act of 2022.
Regardless, the diverging positions on what should be included with this latest attempt to pass federal privacy legislation show that disagreements remain. Congress will need to decide how to resolve them. Forging consensus on these key details will ultimately determine if Congress succeeds in enacting this legislation.
David Botero is a Westin Fellow at the IAPP.


