The US is inching toward pushing a federal comprehensive data protection and privacy rights law over the finish line. "We are committed to moving it this Congress," a congressional staffer said today.
Congressional Republicans are committed to moving a federal privacy law this session, a House Committee on Energy & Commerce staff member said today.Whether the US will ever have a comprehensive privacy rights law has been an open question for over a decade. But this time feels different, according to Evangelos Razis, a staffer on the committee leading the charge.
There are a number of reasons for this, he said at a privacy conference today in Washington, DC.* Among them is that the privacy working group established by committee Chairman Brett Guthrie and Vice Chairman John Joyce earlier this year (see here) is focused on building consensus for the bill with House Republicans on the front end.
Razis said this was an issue that prevented the advancement of the American Privacy Rights Act last Congress. “We’re trying to use the working group as an engagement platform to help empower those members,” he said.
The group also invited stakeholders early on to offer input on what the framework should look like, with the intention of “building engagement and a broad coalition in support of the bill on the front end,” Razis said.
This, too, is drawing on some of the lessons learned from APRA, he said. “Engagement at the end of a process and dropping text quite late tends to not win you a lot of friends. That's why the request for information was put out. It was an earnest attempt to learn from the community, to understand what is working, what is not, and to take those questions into the privacy working group and inform how we approach building a framework.”
The group is also looking to certain state laws as a guide, to see what’s working and what is not.
“It's a worthwhile enterprise to learn what works and doesn't work at the state level,” Razis said. "So we're looking to them as models, as the laboratories of democracy that they are."
The group has so far received some 250 comments from all corners of the business, civil society, privacy and academic communities and has been doing targeted meetings with some stakeholders.
Along with the perennial sticking points of state preemption and private right of action, data minimization is a pressing consideration. Morgan Reed, president of The App Association, said the collection-based versus use-based approach has been a somewhat intractable problem. Some states have passed laws that allow companies to collect data, with limits on use. But others, like Maryland, have strict limits on data collection. Reed said strict collection standards can hurt business, and there’s some tension between simply not collecting anything versus being good stewards of the data.
Cameron Kerry, a Brookings Institution fellow, said a federal law “could have a number of recognized, permitted uses. You need to allow for those edge cases and define that in ways that allow for beneficent, ethical uses.”
Razis said getting the right balance on data minimization is very important, though one challenge that Congress ran into with the APRA was trying to list out every potential data use. Several stakeholders have suggested potentially avoiding that path.
“That is certainly one of the primary criticisms of that one justified criticism [of APRA], because it is difficult to list out everything. We do not see that approach taken by many of the state frameworks," he said. "The majority of the states have tended to — with the exception of Maryland — to have come to the consensus that it is uniquely American, being accepting of the beneficial uses of data. And that's worth paying mind to.”
He said it’s also worth paying attention to FTC Commissioner Melissa Holyoak’s views on data minimization.
“There is some concern about how that approach impacts competitiveness,” Razis said. “If you are an incumbent with a pre-existing relationship with consumers you can find a path forward. But if you are a startup or a small business then there's a question of whether you can develop that relationship with consumers at all if you are not a trusted brand already.”
*IAPP Global Privacy Summit 2025, Washington, DC, April 22-24, 2025.
Please e-mail editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers.