House Committee Seeks Comment on New Comprehensive Data Privacy and Security Framework

On Friday, February 21, Rep. Brett Guthrie (R-KY) and Rep. John Joyce (R-PA), the Chairman and Vice Chairman of the U.S. House Committee on Energy and Commerce, issued a Request for Information (RFI) inviting stakeholders to provide comment as the Committee explores the development of a federal data privacy and security framework. After efforts to consider a bipartisan and bicameral bill failed last year under former Chair Cathy McMorris Rodgers (R-WA), Chairman Guthrie is starting the effort anew, forming a working group with the goal of developing comprehensive legislation “that can get across the finish line.”

According to the RFI, the Committee is considering how to differentiate obligations in data privacy and security for entities based on the roles they play in handling consumer information (e.g., controllers, processors, and third parties), the limitations associated with each type of entity, and whether the law should consider an entity’s size when determining its responsibility. The RFI also seeks comment on what substantive data security requirements should be placed on regulated entities and what protections should be provided to consumers, along with fundamental questions like how the law should define “personal information” and “sensitive personal information.”

Recognizing existing state laws on privacy and data security, the RFI asks stakeholders to comment on the appropriate degree of federal preemption in a comprehensive framework—a historically divisive subject for Congress, but critical to addressing concerns about fragmented privacy laws and the costs associated with compliance. The Committee is also seeking feedback on how a new comprehensive law should account for existing federal sectoral privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA).

In light of recent debates about regulatory “barriers” to artificial intelligence (AI) innovation, the RFI calls out state comprehensive privacy laws that purport to regulate AI through automated decision-making requirements, as well as new AI-specific frameworks at the state level. Specifically, the Committee seeks input on including AI restrictions in a privacy and consumer protection law “and the impact on U.S. AI leadership.”

Stakeholders have also been asked to comment on the costs and benefits of expert agencies having sole authority to enforce the law, and what legal authorities should be available to state attorneys general and the Federal Trade Commission. No mention is made of the potential for a private right of action, but presumably information on that topic would be considered as well, as the Committee concludes with a broad request for “any additional information” that may be relevant. Another area for input may be whether a framework should include the appointment of data officers or equivalent, which many comprehensive privacy and security regimes require.

Written comments on the RFI are due no later than April 7, 2025. The broad applicability of comprehensive data privacy and security legislation should encourage interested parties across industries to provide feedback to the Committee, which has jurisdiction over commerce, manufacturing, trade, health, energy, environment, digital communications, and technology policy. Stakeholders should also consider the RFI as one step of an overall engagement plan on this effort—while Committee leaders and staff will review written responses, all members of the Committee on both sides of the aisle will be engaged in developing a policy should it become law. Crowell attorneys and policy experts, including former Energy and Commerce Committee staff and close contacts, are available to assist clients in engaging on this matter.