Date: 2025-12-23

House Committee on Energy and Commerce leaders have signaled that, after finishing a push on children’s online safety and teen privacy legislation, they intend to take up action on a broader, comprehensive federal privacy measure in spring 2026, framing the kids package as the nearer-term vehicle and an economy-wide privacy framework as the next step once that work clears the committee’s immediate agenda.

For more than a decade, Congress has promised a national privacy statute and repeatedly fallen short, while states have built an expanding patchwork of consumer privacy regimes that now function as the country’s de facto baseline.

Lawmakers seem to be signaling that they can still legislate on tech, but they are also navigating the same fault lines that have collapsed prior privacy efforts: preemption of state laws, whether individuals can sue, how strict data minimization should be, and whether civil rights and algorithmic harms are treated as core privacy problems rather than optional add-ons.

The committee’s next spring posture sits atop groundwork it began earlier this year. In February, Energy and Commerce Chairman Brett Guthrie and Vice Chairman John Joyce announced the creation of a privacy working group and asked for stakeholder views on what a federal “data privacy and security framework” should include.

“We strongly believe that a national data privacy standard is necessary to protect Americans’ rights online and maintain our country’s global leadership in digital technologies, including artificial intelligence,” Joyce said at the time. “That’s why we are creating this working group, to bring members and stakeholders together to explore a framework for legislation that can get across the finish line. The need for comprehensive data privacy is greater than ever, and we are hopeful that we can start building a strong coalition to address this important issue.”

That process has produced a familiar map of disagreement. Industry groups have pressed for a uniform national standard that displaces stricter state laws and limits litigation exposure, while civil organizations and many Democrats have argued that a federal law must set a strong floor, preserve meaningful enforcement, and prevent companies from treating compliance as a paperwork exercise.

The committee’s signal also comes in the shadow of the most recent near-breakthrough, the American Privacy Rights Act (APRA) discussion draft that was unveiled in April 2024 by then–Energy and Commerce Chair Cathy McMorris Rodgers and Senate Commerce Chair Maria Cantwell.

That proposal was billed as a national set of consumer privacy rights designed to replace the patchwork of state laws and included robust enforcement features, including a private right of action.

APRA’s significance now is less about whether that exact text returns than about the boundaries it set. It demonstrated that bipartisan, bicameral alignment is possible in concept, but it also highlighted where compromises tend to detonate, especially around state preemption and enforcement.

This month, the House Energy and Commerce Committee moved a bundled set of children’s online safety and privacy bills, including a House-tuned version of the Kids Online Safety Act that, unlike the Senate-passed approach, removed the most controversial “duty of care” construct and substituted a narrower set of required policies and procedures for mitigating enumerated harms.

That package has become both a catalyst and a cautionary tale for comprehensive privacy. It shows the committee can move large tech policy packages, but it also shows how quickly internal differences over speech, liability, and preemption can fracture coalitions.

Those same dynamics reappear in a comprehensive privacy debate, just with more industries and more data practices in play. If the committee follows through, a spring 2026 privacy push is likely to revolve around four interlocking questions.

The first is whether Congress writes a law that preempts state privacy statutes, and if so, how. Preemption is the business community’s consistent demand, because a single federal rule reduces compliance complexity. But broad preemption can also strip away tougher state protections and eliminate state enforcement leverage.

APRA explicitly embraced a national standard that would eliminate the patchwork, and that framing still shapes negotiations today.

The House working group process has revived that debate in a way that makes a clean compromise difficult. A bill that fully preempts states may be the only bill many industry stakeholders can support, but it is also the fastest way to trigger opposition from state attorneys general, privacy advocates, and lawmakers who view state laws as the only reason privacy standards exist at all.

The second is enforcement, especially the politically radioactive question of a private right of action. APRA, as introduced in discussion form, included a path for individuals to sue after certain conditions, positioning private enforcement as a backstop to government capacity.

Critics argue that private lawsuits create an unpredictable liability environment and invite class action abuse, and supporters argue that without a meaningful ability to sue, the law becomes aspirational and underenforced, particularly when agencies face resource constraints.

In practice, the committee’s spring target could push negotiators toward a narrower private right of action, or a delayed one, paired with expanded Federal Trade Commission authority and state attorney general enforcement – an approach that often reads like compromise but tends to satisfy no one.

The third is substantive scope. In other words, what counts as “privacy” in 2026. The hard part is no longer just notice-and-consent. The real fights are about data minimization, limits on targeted advertising, restrictions on sensitive data (including precise geolocation, biometrics, and minors’ data), and whether companies must justify collection as necessary rather than merely useful.

The fourth is whether comprehensive privacy is written to confront algorithmic and civil rights risks as first-order problems.

The modern privacy argument is increasingly that data protection is inseparable from discrimination, automated decision-making, and opaque inference. But Congress has struggled to legislate in that direction without either drifting into a broader AI governance bill or prompting accusations of overreach.

Stakeholders meanwhile have questioned whether the bill should explicitly address AI-era practices or remain focused on more traditional consumer data rights.

It’s against this backdrop that the committee’s spring timetable is best read as an attempt to keep comprehensive privacy on the calendar without letting it be swallowed by the immediate, high-emotion politics of kids online safety.

The real test will be whether committee leaders can do what prior leaders could not, which is to craft a bill that threads the needle between uniformity and state power, between meaningful enforcement and liability fears, and between modern data practices and a statute that can still attract votes from lawmakers who distrust regulating the tech sector.

If the committee does take action next spring, the most likely outcome is not a privacy law that satisfies maximalists on either side, but a framework that tries to lock in baseline consumer rights while narrowing the biggest political tripwires.

Whether that kind of compromise will be enough, though, given how much personal data collection now underwrites advertising, identity verification, fraud detection, and AI development, will be the central question hanging over the committee’s promised next step.
