S-4211-119
Read twice and referred to the Committee on Commerce, Science, and Transportation.
Sponsored by Jerry Moran (R-KS)
What it does
This bill would establish a national framework for consumer data privacy, requiring companies that collect or process personal data to obtain consent, provide privacy notices, and honor individual rights to access, correct, and delete their data. It would require covered entities to implement data security programs and, for large data processors, designate a privacy officer and conduct privacy impact assessments. The Federal Trade Commission would enforce the law and issue implementing rules.
Who benefits
All U.S. residents whose personal data is collected by businesses, particularly those whose sensitive data (health, financial, biometric, geolocation, religious, or sexual orientation information) is processed. Individuals who have been subject to data breaches or unwanted data sharing. Privacy-focused technology companies that already meet high standards and would gain a level competitive playing field. Smaller companies that currently struggle to navigate a patchwork of state privacy laws. Consumers in states without existing privacy laws who would gain new federal protections.
Who is hurt
Large technology and data broker companies that rely on broad data collection and third-party data sharing for advertising revenue, who would face new consent and deletion obligations. Advertisers and marketing firms dependent on third-party data pipelines. Companies operating across multiple states that would face new compliance costs. Nonprofit organizations, which are covered under this bill — an unusual inclusion — that collect member or donor data. Academic and medical researchers who may face new restrictions on data use. Small businesses, though partially exempted, that would still bear some compliance costs.
Supporters argue
Supporters argue that the U.S. is the only major democracy without a comprehensive federal privacy law, leaving Americans exposed to unchecked data collection, profiling, and breach risk. They contend that a single national standard would replace a fragmented patchwork of state laws — including California's CCPA, Virginia's CDPA, and over a dozen others — reducing compliance costs for businesses while giving all Americans uniform baseline protections. They further argue that the bill's tiered consent model, which requires express affirmative consent for sensitive data, directly addresses documented harms such as the sale of precise geolocation data to stalkers, insurers, and law enforcement without individuals' knowledge.
Opponents argue
Opponents argue that the bill's federal preemption of stronger state privacy laws — such as California's CCPA — would effectively weaken protections for millions of Americans who currently enjoy more robust rights, trading a high floor for a national average. They contend that the bill's broad permissible-purpose exceptions, including for "operational purposes" and "fraud prevention," could swallow the consent requirement and allow companies to continue most existing data practices with minimal change. Critics also argue that relying on the FTC — an agency with limited resources and a historically slow enforcement record — to police the entire U.S. data economy is structurally inadequate.
Constitutional context
Congress's authority to regulate data collection by commercial entities rests on the Commerce Clause (Art. I, §8, cl. 3), as personal data flows extensively across state lines in interstate commerce, consistent with the aggregation principle established in Wickard v. Filburn (1942). The bill's delegation of rulemaking authority to the FTC — including authority to define new categories of sensitive data and operational purposes — could face scrutiny under the major questions doctrine (West Virginia v. EPA, 2022) and post-Chevron independent judicial review (Loper Bright v. Raimondo, 2024) if the FTC issues rules of vast economic significance beyond the bill's enumerated categories.
Checks and balances
Congress establishes the substantive rights and obligations; the FTC gains significant new rulemaking and enforcement authority; federal courts provide a check through independent statutory review under Loper Bright, and states retain limited concurrent enforcement authority.
Historical precedent
No comprehensive federal consumer data privacy law has previously been enacted; the closest analogues are sector-specific laws such as HIPAA (1996) for health data and COPPA (1998) for children's online data, neither of which established a general consumer privacy framework.