House Committee takes first steps toward federal data privacy law
The House Committee on Energy and Commerce has launched the Privacy Working Group to address what lawmakers describe as an increasingly fragmented regulatory landscape that creates conflicting requirements for businesses and uneven protections for consumers.
Rep. Brett Guthrie (R-KY), chairman of the committee, and Vice Chairman John Joyce (R-PA) announced the initiative on February 21.
“We strongly believe that a national data privacy standard is necessary to protect Americans’ rights online and maintain our country’s global leadership in digital technologies, including artificial intelligence,” the lawmakers said in a joint statement. “That’s why we are creating this working group, to bring members and stakeholders together to explore a framework for legislation that can get across the finish line.”
The working group comes amid growing concerns about how personal data is collected, used and secured in an increasingly digital economy. While the European Union implemented its General Data Protection Regulation in 2018 and several U.S. states have passed their own comprehensive privacy laws, federal legislation has remained elusive.
The group will be led by Joyce and includes eight other Republican representatives from various states. On February 21, the committee issued a Request for Information (RFI) inviting stakeholders to submit feedback by April 7.
“The United States digital economy adds $2.6 trillion in value and employs millions of American workers across nearly every sector of the broader economy,” the RFI states. “However, the challenge of providing clear digital protections for Americans is compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws.”
The request seeks input on seven key areas: roles and responsibilities of different entities in the digital economy; definitions of personal information and consumer rights; lessons from existing privacy frameworks; data security requirements; artificial intelligence considerations; enforcement mechanisms; and additional relevant information.
The initiative might be one of the most significant congressional efforts on privacy in recent years, though previous attempts at federal legislation have stalled over disagreements about preemption of state laws and enforcement mechanisms.
New privacy standards target automated AI tools
The committee’s focus on artificial intelligence is particularly noteworthy as it represents an evolving area of privacy concern. The RFI specifically asks how federal law should account for state-level AI frameworks, including requirements related to automated decision-making.
“Most state comprehensive data privacy and security laws regulate AI through ‘automated decision-making’ requirements,” the document states. “A growing number of states are also enacting—or are seeking to enact—additional AI-specific laws.”
For businesses operating across state lines, a unified federal approach could reduce compliance costs. The Information Technology Industry Council estimates that companies currently spend millions annually navigating different state requirements.
The working group’s request also examines how a federal privacy law would interact with existing sectoral privacy laws like HIPAA (health information), FCRA (credit reporting), GLBA (financial information), and COPPA (children’s privacy).
The committee is requesting that responses be limited to 3,500 words, though supplemental data, reports, and case studies are welcome. Stakeholders can submit feedback to [email protected].
Whether this effort will succeed where others have failed remains to be seen, but the committee’s methodical approach—starting with gathering broad input—suggests lawmakers are seeking to build consensus before drafting legislation.