Policymakers look to state laws for federal data privacy law
20 U.S. states have adopted comprehensive data privacy laws, meaning businesses face a complex network of laws with varied privacy requirements and definitions.
WASHINGTON, D.C. – The House Committee on Energy and Commerce is once again working on a federal data privacy bill that will consider input from stakeholders and assess the multitude of existing state data privacy laws.
Evangelos Razis, a professional staff member on the committee, said during a panel discussion at the IAPP Global Privacy Summit 2025 on Thursday that the committee wants to introduce a bill this Congress. Policymakers and committee staff are currently processing 250 responses from businesses, civil organizations and other stakeholders who provided input to a request for information on a federal data privacy framework issued in February.
The last two federal data privacy bills introduced by the committee, the American Privacy Rights Act, or APRA, and the American Data Privacy and Protection Act, or ADPPA, failed to pass into law. Razis said the failed bills indicated a different approach to data privacy was needed, leading Committee Chairman Brett Guthrie (R-Ky.) to establish a data privacy working group to build consensus in the Republican party on data privacy issues. Gaining consensus, getting stakeholder input on the bill to build support at the beginning, and recognizing U.S. states' work on their own data privacy laws, sets the committee's latest attempt at a federal data privacy law apart, Razis said.
"Looking to the states, learning what has worked, looking to them as models and the laboratories of democracy that they are, that is why this time is indeed different," he said.
State laws help guide committee work on federal bill
Caitlin Fennessy, vice president and chief knowledge officer of the IAPP, said in an interview that she expects the House committee to pay particular attention to data privacy laws in Texas and Kentucky to inform a federal privacy bill.
I wouldn't expect a bill to pass this year, but I do think we'll see a new model in Congress.
Caitlin FennessyVice president and chief knowledge officer, IAPP
"We do expect to see a bill in this Congress," she said. "Whether or not that sees real movement or has a possibility to cross the finish line is really difficult to say. I wouldn't expect a bill to pass this year, but I do think we'll see a new model in Congress."
Complying with a growing patchwork of state data privacy laws is one of the biggest complaints levied by tech industry leaders, who view the next two years as an opportunity to get a bill they are "comfortable with" and avoid the fragmentation created by the state laws, Fennessy said.
Razis said that's one reason for a unified data privacy framework -- providing a single set of rules to balance innovation with consumer rights and data protection. He said the "existing web of state frameworks" is not conducive to innovation.
Panelist Morgan Reed, president of ACT | The App Association, reiterated the need for a federal data privacy law to preempt state laws. Reed said if the law doesn't preempt state laws, it should standardize data privacy definitions to create greater cohesion among existing laws.
"They're not all exactly the same," Reed said of the state data privacy laws. "If you're a small, medium-sized company that is maybe three people, you don't have the assets to deal with the small definitional differences between states."
Panelist Cameron Kerry, visiting fellow at the Brookings Institution, said previous federal bills and state data privacy laws give the committee a significant foundation to build on.
"There's a lot of commonality when it comes to individual rights, access, a lot of the definitions, and other things like transparency and accountability measures," he said. "The crux is preemption."
AI and the EU
Advancements in generative artificial intelligence push the technology even more squarely into the data privacy realm, Kerry said. Data privacy affects AI, which relies on data for model training, gathering and providing insights and a plethora of other uses.
"The overlap of AI and privacy is enormous," he said.
While the committee is crafting a federal data privacy framework, Razis said AI remains a strategic priority.
Marco Cantin, deputy chief privacy officer at IT services company GFT Technologies, said he attended the summit to hear about AI, a prominent theme at the event. Cantin said he understands and believes in innovation and experimenting with new technologies. However, he said, "we need to be respectful of human life."
"It's interesting to see what people are thinking, how AI is evolving, and to see what will be our role, as privacy comes into it," he said. "For me, privacy is not about compliance. Privacy is an essential right for human beings."
Cantin said he also attended the summit to understand the direction of the European Union-U.S. Data Privacy Framework, a set of data sharing rules established in 2022 between the U.S. and the EU. While the EU has the GDPR codifying consumer data protections into law, the U.S. has yet to pass a federal data privacy law, necessitating the data sharing rules.
ACT | App Association's Reed said in an interview that the U.S.'s work on a federal data privacy law would affect data sharing between the U.S. and EU. Businesses from both the EU and U.S. have wanted greater interoperability of language within data sharing rules, Reed said.
"Whatever the United States does is going to have an impact on it," he said, of the EU-U.S. Data Privacy Framework.
Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining Informa TechTarget, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
