In a renewed effort to establish a U.S. national data privacy standard, House Republicans have announced a new working group dedicated to drafting comprehensive federal privacy legislation. The initiative, spearheaded by Reps. Brett Guthrie and John Joyce, aims to address longstanding challenges that have hindered previous attempts to create a U.S. federal privacy framework. Efforts this time could benefit from the unique windfall of a unified Republican Congress. If successful, federal privacy legislation could override the growingly complex patchwork of U.S. state privacy laws, thereby streamlining compliance but also altering existing business obligations and consumer rights.

What Happened?

On February 12, 2025, House Committee on Energy and Commerce Chair Brett Guthrie (R-KY) and Vice Chair John Joyce (R-PA) announced the establishment of a Republican-led working group tasked with drafting U.S. federal privacy legislation. The working group is composed of nine Republican lawmakers, including Reps. Morgan Griffith (R-VA), Troy Balderson (R-OH), Jay Obernolte (R-CA), Russell Fry (R-SC), Nick Langworthy (R-NY), Tom Kean (R-NJ), Craig Goldman (R-TX), and Julie Fedorchak (R-ND). According to Guthrie and Joyce, a national privacy standard is becoming increasingly necessary to “protect Americans' rights online and maintain our country's global leadership in digital technologies, including artificial intelligence.” 

The renewed effort follows a recent surge in businesses advocating for a uniform federal privacy standard. Most recently, three dozen industry groups—including U.S. Chamber of Commerce, NetChoice, and the National Retail Federation—jointly drafted and delivered a letter to congressional leaders, arguing that the current fragmented privacy landscape significantly burdens U.S. companies and that a unified federal privacy law would benefit both businesses and consumers alike by promoting regulatory clarity, consistency, competition, and consumer trust. The letter also included a proposed outline containing provisions similar to those found in the Texas Data Privacy and Security (TDPSA).

Has This Happened Before?

Yes. The push for U.S. federal privacy legislation is not new. In the last couple years, several bipartisan proposals have surfaced but failed to gain traction due to disagreements over key provisions, especially state preemption (i.e., whether the federal law would preempt existing state privacy laws) and private right of action (i.e., whether consumers may sue a noncompliant business, in addition to government enforcement).

For example, in 2022, the American Data Privacy and Protection Act (ADPPA) was introduced to limit companies’ data collection, processing, and disclosure practices and provide U.S. consumers with rights to access, correct, and delete their personal information. While the bill garnered strong bilateral support and passed in committee with near-unanimity, it ultimately stalled due to concerns over preemption of more robust state laws (e.g., CCPA/CPRA), limited private right of action, and limited child data protections. 

In April 2024, a similar proposed bill called the American Privacy Rights Act (APRA) attempted to refine the ADPPA, including by weakening its state preemption, expanding private right of action, and strengthening child data protections. However, the proposal again failed to advance past committee due to cross-aisle disagreements regarding state preemption and private right of action.

With Republicans holding both House and Senate majority today, the working group's renewed efforts may present the strongest opportunity yet to pushing past partisan debates and enacting federal privacy legislation. Success will rely on a unified Republican coalition, which in turn most likely relies on a business-friendly, minimally-prescriptive bill that preempts state law and limits enforcement to the government.

What Are The Implications?

For companies processing U.S. consumer data, the implications of the new working group and its potential to finally enact federal privacy legislation could be significant. For example: 

• State Law Preemption: If the proposed bill does in fact preempt state law, compliance for businesses operating across the now-20 states with privacy laws would be vastly simplified. However, for businesses that have intentionally fractured their privacy program or built it around the most demanding state laws (e.g., CCPA), they may need to reassess and adjust their policies and workflows. In most U.S. states, preemption would either raise or maintain the level of business obligations and consumer rights; but in a select few (e.g., California, Colorado, Connecticut), preemption could significantly water them down. 
• Business Obligations: For businesses operating in the 30 states still without a comprehensive privacy law, federal legislation would introduce brand new obligations and increased regulatory burden. They would need to develop and implement privacy programs from scratch, rapidly, and across all locations, which may have otherwise occurred on a more protracted and foreseeable timeline.
• Consumer Rights: Similarly, federal legislation would rapidly introduce new consumer rights in those 30 states, and potentially in states that have a privacy law but grant more limited consumer rights (e.g., Utah does not grant a right to correct inaccurate personal information). Businesses there would need to rapidly implement mechanisms to process and respond to consumer rights requests efficiently and at national scale.
• Enforcement and Penalties: In California, the CCPA’s private right of action has significantly increased business’ risk exposure via consumer litigation and high statutory damages. This working group’s proposed bill would likely exclude a private right of action, limiting enforcement to government agencies only. Given the current administration’s pro-business posture, government enforcement of a federal privacy law may be sparse, with the exception of potentially increased selective enforcement against companies perceived as hostile to the administration. 
• Industry-Specific Considerations: Businesses in highly-regulated sectors (e.g., healthcare, financial services) will need to evaluate how any new federal privacy law interacts with existing privacy frameworks (e.g., HIPAA, GLBA). It is likely that any federal law would include industry carveouts, similar to those currently seen in comprehensive state privacy laws.

Next Steps

The formation of the House Republican working group marks a fresh effort to join the EU, Canada, Australia, and others in establishing a comprehensive privacy framework; protect U.S. consumers online; and reinforce the country as a tech leader. While the initiative signals legislative momentum and benefits from unique windfalls, its success will depend on resolving longstanding disputes and securing across-the-board Republican support. As discussions unfold, companies should closely monitor developments, engage with policymakers to advocate for their interests, and proactively assess their privacy programs to prepare for potential changes.