Congress tries again on national preemptive data privacy law

House Republicans rolled out yet another proposal for national data privacy legislation that once again would preempt existing state laws, drawing a torrent of criticism.

Leaders on the House Energy and Commerce and Financial Services Committees unveiled two pieces of legislation last week: the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, known as the SECURE Data Act, and the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act, known as the GUARD Financial Data Act.

The SECURE Data Act would establish a national data privacy standard that lawmakers said would build on the “proven framework” adopted by the “overwhelming majority” of states with comprehensive privacy laws. Consumers would have new rights and companies would have new obligations for privacy, all enforced by the Federal Trade Commission and state attorneys general. Lawmakers said they held a slew of meetings in working groups with different organizations before releasing the texts.

These new proposals represent another attempt by Congress to implement a national privacy standard, which so far has been unsuccessful. In the absence of federal action, states across the country have stepped up with their own laws and regulations, which would be preempted if the federal bills pass.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Republican Reps. Brett Guthrie and John Joyce, the chairman of the House Energy and Commerce Committee and the leader of the Energy and Commerce Data Privacy Working Group, respectively, said in a joint statement.

Under the new bill, consumers have the right to know when their data is being collected and used, can access it and delete it, as well as opt out of targeted advertising, the sale of that data and other automated decisions. Sensitive data would only be processed with their consent, while parents would be required to give consent before their child or teens’ personal data is processed.

Businesses would be required to limit the personal data they collect to what is deemed “adequate, relevant and reasonably necessary,” and disclose the personal data they share to others, including data that is processed in or sold to China, Russia or other foreign adversaries. Companies also must implement security practices to protect data. In addition, data brokers must also comply with various data minimization, disclosure and security requirements and register with the FTC, which would establish a public registry.

The national effort, then, has much in common with the comprehensive data privacy legislation signed into law in more than 20 states. And while some experts have warned continually that having so many state privacy laws creates a compliance nightmare, others said states cannot be preempted from protecting their residents when Congress has failed to step up.

“[The] bill would entirely destroy the work that states have been doing for years to protect their residents,” Cody Venzke, senior staff attorney with the American Civil Liberties Union’s Speech Privacy, and Technology Project, said in an email. “Instead of building meaningful guardrails for data and AI, this bill instead opts for letting Big Tech and the government continue to invade our privacy and profit from even our most personal information.”

In an analysis of the bill, nonprofit IAPP’s Washington, D.C. Managing Director Cobun Zweifel-Keegan and Westin Fellow David Botero noted its similarities with laws passed in Virginia, Kentucky and Washington state and said it “preserves the essence of the current state patchwork” of laws. But they noted that it would “embrace a strong preemption regime,” which would likely impact state consumer privacy laws, data broker registries and potentially some sectoral laws.

A fact sheet accompanying the bills said having a national standard would mean “ending the confusing and ineffective privacy patchwork currently in place,” and that it “integrate[s] rights, requirements, and definitions from state comprehensive laws” while maintaining enforcement.

Given how new the legislation is, other stakeholders are in a holding pattern. Alex Whitaker, director of government affairs at the National Association of State Chief Information Officers, said during the group’s Mid-Year Conference in Philadelphia this week it is going to “wait and see” how the legislative process plays out, especially given it is a partisan bill with no Democratic co-sponsors.

A previous NASCIO report found that a number of states have established privacy programs and have empowered a chief privacy officer or similar role, albeit with a lot of work still to do and a need for more funding. Whitaker said anything that raises the issue of preemption is a “concern.”

“We want to make sure that states have the flexibility that they need to meet the demands of their constituencies,” he said. “They develop these regulations in conjunction with state legislatures and regulators, so to come in and prevent states from maintaining certain standards is always a problem for us, and that's writ large, that's on cybersecurity, that's on privacy, that's on anything.”