Skip to content

Landmark data privacy deal would create first federal standard

The right to sue for violations, a previous sticking point, is included in the draft legislation

Sen. Maria Cantwell, D-Wash., says she has a deal with Rep. Cathy McMorris-Rodgers, R-Wash., that enjoys broad support.
Sen. Maria Cantwell, D-Wash., says she has a deal with Rep. Cathy McMorris-Rodgers, R-Wash., that enjoys broad support. (Tom Williams/CQ Roll Call file photo)

Two key lawmakers said Sunday they have negotiated a bipartisan deal on federal data privacy, a breakthrough that had previously eluded Congress for years despite calls for urgency on the matter.

Senate Commerce Chair Maria Cantwell, D-Wash., and House Energy and Commerce Chair Cathy McMorris Rodgers, R-Wash., said in a joint statement that they’ve reached agreement on the broad outlines of legislation that could create the first federal data privacy standard in the United States.

They are working with colleagues in both chambers to build support for the proposal, and “there are a lot of members who are interested to see the legislation” move forward, a Senate aide told reporters, speaking on condition of anonymity.

The outlines are still a discussion draft and both sides are working on putting together formal legislation, aides said, though no dates have been set yet for introducing the measure. The bill is likely to go through regular order, meaning a markup at the relevant committees of jurisdiction before going to the floor for votes. 

Speaker Mike Johnson, R-La., and Senate Majority Leader Charles E. Schumer, D-N.Y., have been briefed on the proposal, the aides said. 

The legislation would give consumers rights over their data and also give them the right to sue companies for violations of privacy. Small businesses, not defined by the aides who briefed reporters, would be exempt from the bill’s provisions.

The legislation would preempt a patchwork of state laws and create a national standard, but state attorneys general would have the authority to enforce the law as would the Federal Trade Commission.

The proposed measure would “meet or exceed any state laws that are on the books,” a House aide said. At least 13 states have enacted privacy laws and more are considering measures. 

The last time Congress came close to passing a nationwide data privacy law was in 2022, when the House Energy and Commerce Committee approved legislation on a 53-2 vote. But the bill did not get a full vote in the House after then-Speaker Nancy Pelosi, D-Calif., objected to it on the grounds that it would weaken California state privacy legislation. The Senate did not take up a companion measure. 

Negotiators for Cantwell and Rodgers found common ground by including a provision that would allow consumers to sue companies — a right under California law but not present elsewhere — congressional aides said. 

Aides for both lawmakers said those in Congress who’d previously objected to deals over the lack the tough enforcement measures included in California’s legislation are likely to be satisfied with the draft measure.

The previous bill that the House Energy and Commerce Committee approved would have delayed individuals from suing companies for two years after the measure became law, but the current proposal does not include such a delay, congressional aides said. 

The proposal would give companies a short period of time to fix problems flagged by consumers before a lawsuit could be filed, the aides said. The measure also would prohibit forced arbitration as an alternative to a lawsuit, if a consumer is harmed, they said. 

It would address key aspects of artificial intelligence systems including barring algorithms used in decision making from discriminating and providing users the right to opt out of such automated decisions, according to a section-by-section summary.

The draft legislation also would curb data brokerage practices by giving consumers the right to opt out and requiring brokers to register with the Federal Trade Commission. It also would require companies to minimize collection of sensitive data and get the express consent of consumers before such data is transferred to third parties. 

Consumers would have the right to access, correct, delete, and export their data as well as opt out of targeted advertising. 

In the absence of nationwide policy, California became the first state to pass a comprehensive law. Its 2020 measure allows consumers to directly sue tech and online companies over data breaches involving personal information such as names, social security numbers and email addresses.

Twelve other states have taken a different approach, modeled on a bill first proposed in Washington state in 2019 that has not become law in that state. Data privacy laws now in effect in Colorado, Connecticut, Delaware, Indiana, Iowa, Florida, Montana, Oregon, Texas, Tennessee, Utah and Virginia don’t allow individuals to sue tech companies for data breaches, and instead offer consumers a mix of protections. 

Recent Stories

Legal questions surround Trump’s talk of political prosecutions

Trump can make immigration moves on his first day back in office

How RFK Jr.’s health proposals would stack up in practice

High hopes for bald eagle bill in the lame duck

Here’s a look at who’s in — and possibly in — Trump’s second administration

Trump administration faces antitrust enforcement dilemma