U.S. House Privacy Working Group’s RFI Driving Stakeholder Responses to Inform its Crafting of New Federal Privacy and Data Security Legislation
On Feb. 12, Rep. Brett Guthrie (R-KY), the new chairman of the U.S. House Committee on Energy and Commerce, together with his vice chairman, Rep. John Joyce (R-PA), announced the creation of the Committee's data privacy working group (PWG) “to bring members and stakeholders together to explore a framework for legislation that can get across the finish line,” a goal that has stymied Congress for nearly a quarter century. The PWG will be led by Congressman Joyce and includes eight other Republican members who sit on the Committee.
The PWG took its first formal action on Feb. 21st by issuing its Request for Information (RFI) inviting public comment in the form of written responses to a set of 16 specific questions about data privacy legislation across six key provisions in privacy law. To its credit, the transparent impetus for the PWG’s action was to capture the best proposals from the collective mindshare of privacy lawyers and lobbyists, academics, public interest advocates, and the digerati class — all privacy law “stakeholders” — to leverage their insights and suggestions as the lawmakers work to craft a new, comprehensive federal data privacy framework that can be enacted by this Congress in 2025 or 2026.
The PWG members underscored the importance of their task to develop a national privacy law, observing that “leadership in digital technologies, including artificial intelligence, underpins U.S. economic and national security, provides American consumers with access to lower cost goods and services, and enables small businesses to reach markets around the world.” Indeed, members of Congress have spent nearly 25 years working to enact a federal privacy law to establish a uniform national privacy framework but, as the PWG release keenly observed, “the challenge of providing clear digital protections for Americans is compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws” that has created a fragmented regulatory landscape with “conflicting legal requirements.”
We provide here a high-level breakdown of the RFI to help business executives and their legal, regulatory and/or government affairs teams, including those who may be interested in responding by the April 7 deadline, understand the PWG’s principal inquiries in the RFI’s six topical areas.
Roles and Responsibilities
The PWG recognizes that our digital economy encompasses various business models, including businesses that directly collect information from consumers, those that process personal information on behalf of another business, and third parties that gather and sell personal information that they do not collect directly from a consumer or as a service provider to another business.
The RFI seeks information from stakeholders regarding how a federal comprehensive data privacy and security law can take into account these different actors within the digital economy and still effectively protect consumers. It explores what specific obligations should be assigned to differently regulated entities as well as the practical and legal limitations associated with such delineations.
Personal Information, Transparency, and Consumer Rights
The PWG believes a federal privacy law should apply to personally identifiable information (PII) and grant consumers transparent access to disclosures and rights to their personal information.
Stakeholders are asked to provide input on the proper scope of federal law, including definitions of “personal information” and “sensitive personal information.” There is relative consensus on the scope of these terms within the current comprehensive privacy laws at the state level, although there are some differences at the margins that could be streamlined through a federal privacy law.
The RFI also asks what disclosures should be provided to consumers regarding the collection, processing and transfer of their personal information, and what heightened protections should be provided in the case of sensitive data.
Existing Privacy Frameworks and Protections
Many of America’s global trading partners and approximately 40 percent of U.S. states have enacted comprehensive data privacy laws that regulate the processing of consumers’ personal information.
The PWG seeks stakeholders’ insights into these existing privacy frameworks and evaluations of their effectiveness in protecting consumers while balancing the impact on data-driven innovation and small businesses. It asks whether the fragmentation of U.S. privacy protections at the state level has led to uneven consumer rights or additional costs to businesses and innovation. Most importantly, the RFI requests input on the appropriate level of preemption that a federal comprehensive data privacy and security law should adopt in preempting state laws to establish uniform national standards, and how that legislation may account for existing federal and state sector-specific laws that apply to healthcare providers, financial institutions, consumer reporting agencies, and businesses collecting and processing children’s personal information.
Given the patchwork quilt of privacy regulation that has developed in this country over the past 50-plus years, this is a critically important set of policy issues. From a business perspective, the policy goal of protecting consumers’ privacy can be more effectively achieved through streamlining and standardizing requirements on a nationwide basis. Such streamlining will facilitate better understanding of the rules by both businesses and consumers, and is consistent with the comprehensive approach businesses take to actually processing their data.
Data Security
Given the goals of privacy legislation, which include at their foundation seeking to ensure appropriate processing and use of personal information, any new federal privacy law will need to address data security. A business is not, for example, processing personal information appropriately if it is not implementing physical, technical and administrative measures to safeguard the data. For these reasons, the RFI asks what requirements may be placed on regulated entities in a new comprehensive privacy law to improve data security for consumers. As with the issues outlined above for existing privacy frameworks and protections, there are existing information security laws imposing various requirements comprehensively at the state level and on an industry basis at the federal level. The harmonization of existing requirements in the data security context will need to be carefully considered as well.
Artificial Intelligence
The PWG recognizes that comprehensive state privacy laws can regulate certain uses of AI through requirements in circumstances where a business might make important decisions about consumers without human involvement. In addition, states have begun passing legislation that is aimed at regulating AI specifically, as the EU has done through its AI Act. For this reason, the RFI seeks additional information regarding how a federal privacy law should account for these state-level requirements in privacy laws and AI-specific laws that will affect the development and use of AI.
Accountability and Enforcement
Calling accountability and enforcement the “cornerstones of a data privacy and security regime that protects consumers, promotes compliance, and enables data-driven innovation,” the PWG seeks input on the benefits and costs of expert agencies having the sole authority to enforce a federal data privacy law, and the availability of expertise, legal authorities, and resources for the Federal Trade Commission and state Attorneys General to enforce the law. Stakeholders are also asked to explore the benefits or harms of a safe harbor provision in promoting compliance.
Similar to the preemption issues addressed above, accountability and enforcement of a new federal privacy law will be critically important to effectively protecting consumers’ privacy. To date, the state privacy laws are generally enforced through state attorneys general and regulators, although there are some exceptions to this approach. At the federal level, there has been discussion over the past decade of creating a private right of action that would enable private litigants to challenge alleged noncompliance. Such a private right of action was included in the comprehensive privacy legislation the House Energy and Commerce Committee considered and failed to advance last year, known as the American Data Privacy and Protection Act (APRA). From a business perspective, policy goals to protect consumers in this space will be more meaningfully achieved through the consistency and coherence offered by a more unified and exclusively governmental approach to enforcement.
Paul Martino is a public policy advocate and government relations partner in the Washington, D.C. office of Hunton Andrews Kurth LLP, with nearly 25 years of experience focused on privacy, data security, artificial intelligence (AI), ecommerce, and technology policy. Aaron Simpson is a partner and co-leader of Hunton’s global privacy team.

Paul Martino, Partner, Hunton Andrews Kurth
Paul Martino is a Partner in Hunton’s Washington, DC office. He is a highly regarded public policy advocate and government relations partner with nearly 25 years of experience focused on privacy, data security, artificial intelligence (AI), ecommerce, and technology policy.

Aaron Simpson, Partner, Hunton Andrews Kurth
Aaron Simpson is a Partner in Hunton’s New York office and is a leader on the firm’s global privacy team. Aaron advises clients on a broad range of complex global privacy, data protection and cybersecurity matters, including with respect to existing and emerging requirements in the US and EU.