Privacy advocates of all political stripes say a federal data privacy standard is becoming more necessary as states pass their own laws and as artificial intelligence complicates the technology landscape.

To that end, a House Republican data privacy bill released last month would create consumer rights to delete personal data and opt out of targeted ads online. But despite the urgency, the measure has a tough road to navigate between Democratic advocates who find it too industry friendly and razor-thin GOP majorities on both sides of Capitol Hill.

Dubbed the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data,” or SECURE Data Act, the bill is the product of the Republican data privacy working group led by Rep. John Joyce, R-Pa. It has been referred to the Energy and Commerce Committee and the Judiciary Committee.

At a briefing with reporters late last month, Joyce emphasized his intention for the bill to go through regular order, including a subcommittee hearing and markup, though he did not announce a timeline. He also shared his optimism that the bill might find some Democratic support, though it was drafted exclusively by Republicans.

“I think we’re going to find Democrats who recognize how important this is, and that’s because of the response of industry. We’ve seen truck stop owners and we’ve seen truck drivers, we’ve seen mom-and-pop stores and we’ve seen major tech institutes embracing what they finally have — an outline,” Joyce said.

He also described the experience of a committee member who was previously in government at the state level where a data privacy bill was being considered and who heard from industry there.

“They said industry came to us and said, ‘Please, not one more. This should be done at a federal level. We’re playing whack-a-mole. Industries cross state lines.’ We all know that, specifically when it comes to data,” Joyce said.

The House bill would also create rights to correct inaccuracies in collected data, opt out of the data’s sale and opt out of the use of data profiling to make decisions with a legal effect.

It would require data collectors to notify users of the categories of data being collected, the purposes it’s used for, what category of data is shared and with what category of third party and how consumers can exercise their rights under the bill. It would also require companies to minimize their data collection to what is “adequate, relevant, and reasonably necessary” for the purposes they’ve disclosed to users.

Privacy in the AI age

The House bill, which Joyce sponsored, is at least the third attempt in as many Congresses to establish Americans’ rights to their data. 

Adam Thierer, a senior fellow focused on technology and innovation at the center-right R Street Institute, said the longstanding data privacy debate is now linked with the conversation over whether and how to regulate AI.

“If you want to get anything done on AI policy to address a similar patchwork of rules, you probably need to deal with this problem first,” Thierer said. “And in fact, you could argue that some of the issues that people want to deal with in the AI governance context could already be nicely handled by a data privacy bill if we had one.”

Jennifer Huddleston, a senior fellow in technology policy at the libertarian Cato Institute, said that while some data issues remain the same in the AI era, the technology could also change the calculus on what data users want available.

“In some cases, more data may actually create more anonymized, or make AI models significantly better … in a way that may change our perspective on certain elements as it relates to data privacy and data use,” Huddleston said.

Preemption

Much like in the AI regulation debate, observers are keenly aware of the variety of state laws that have popped up in the absence of federal action. 

The House bill would preempt all state laws related to the bill’s provisions. At least 20 states have comprehensive data privacy laws, though they vary in their content.

Joyce’s bill draws on some of those laws, including similar ones in Virginia and Kentucky, but it differs significantly from California’s Consumer Privacy Act, which first went into effect in 2020.

That law includes stricter provisions, such as a right to limit the use of sensitive personal data, including precise geolocation, to only what’s needed for a requested service, and a 15-day clock for companies to respond to opt-out requests. The House bill gives companies up to 90 days.

Proponents of the House bill point specifically to California’s law as a reason for preemption. In their view, without a national standard California can force companies across the country to comply with their rules.

But critics say the House bill goes too far and could preempt more than just states’ comprehensive privacy frameworks.

Ruth Whittaker, director of technology policy for center-left think tank Third Way, would prefer a “targeted” approach to the “really broad” version currently in the bill.

“It would also likely knock out more sectoral approaches to specific types of data,” Whittaker said. “Some states have passed heightened privacy protections for things like reproductive data.”

Caitriona Fitzgerald, deputy director for the Electronic Privacy Information Center, a nonprofit research and advocacy group, would like to see federal preemption establish a floor, rather than a ceiling, especially given the usual speed of congressional action on technology.

“Technology changes so quickly,” Fitzgerald said, adding that there may be a need to update laws faster than Congress can act. “I think giving the states the power to respond is very important.”

Enforcement

The House bill would give enforcement powers to the Federal Trade Commission and state attorneys general. It would not allow individuals to sue if their rights are violated. The bill includes a cure period; no enforcement actions could be brought until 45 days after a company is notified of a violation.

Bipartisan legislation was discussed in the two most recent congresses: The Republican-led House bill titled the American Privacy Rights Act in the 118th Congress, and the Democratic-led bill dubbed the American Data Privacy and Protection Act in the 117th. Those bills included a private right of action that would have allowed individuals to sue over violations.

Whittaker said disagreement over allowing individuals to sue was part of what doomed the previous bills.

“Republicans have sort of made it clear that that’s going to be a red line for them,” Whittaker said.

The bill would also allow data collectors to enter into voluntary codes of conduct overseen by independent organizations. Compliance with one of the codes would give companies legal protection in the form of a rebuttable presumption that they’re in compliance with the bill’s privacy requirements.

Whittaker said that while codes of conduct exist in other laws as voluntary guidelines for specific industries, the bill’s enforcement could be strengthened by eliminating the rebuttable presumption. She also said the 45-day cure period should be shortened or eliminated depending on the violation.

“This bill gives industry a lot of leeway in terms of sort of getting out of enforcement,” she said.

A single-party bill

Despite the additional urgency caused by state laws and the growth of AI, observers are doubtful that Congress will finish work on data privacy this session.

The working group that put the bill together was not bipartisan, and the legislation currently has no Democratic co-sponsors.

At the April briefing with reporters, House Energy and Commerce Chair Brett Guthrie, R-Ky., said the bill was written in a “different environment” than previous efforts when Republicans lacked control of both chambers and the presidency.

“If you remember my previous chair, she had a Democrat Senate, Democrat president, and trying to get a privacy bill that could be able to be signed,” Guthrie said, referring to former Rep. Cathy McMorris Rodgers, R-Wash. “And so any criticism of … the previous effort, it was a completely different effort, and it’s apples and oranges to compare.”

Thierer said Republicans are unlikely to be open to a private right of action, but said they “perhaps would be willing to incorporate some additional policies that are more narrowly focused on AI, but it would have to be done very carefully.” He also said that making exceptions to preemption could be “tricky.”

The bill currently doesn’t have a companion in the Senate. In terms of future action, that’s where Thierer is keeping an eye out.

Whittaker heard that a markup for the bill could come as soon as June, but she said prospects for the bill to become law this Congress are “pretty low.”

“I sort of see this bill as a starting point for future negotiations, and hopefully it’s a conversation starter for more bipartisan talks in the future,” she said.