House Bill Sets up New Clash over Federal Privacy Rules

The United States has long relied on a mosaic of state privacy statutes, from California’s CCPA to Virginia’s CDPA, leaving companies to navigate divergent requirements. In response, Rep. Zoe Lofgren’s Online Privacy Act seeks to provide a single, national framework that aligns with global trends toward stronger consumer protections. By positioning privacy as a fundamental right, the bill aims to resolve regulatory uncertainty and give lawmakers a tool to address emerging threats such as biometric data misuse and AI‑driven profiling.

At the heart of the proposal are expansive consumer rights: individuals could view, correct, delete, and port their data, and even dictate how long firms retain it—a concept Lofgren calls "impermanence." The Act shifts corporate obligations from the traditional notice‑and‑choice approach to a data‑minimization model, limiting collection to what is strictly necessary for a service. It also bans the use of private communications for advertising, outlaws dark‑pattern consent tactics, and mandates that automated decisions with significant privacy impacts be disclosed and subject to human review. These provisions collectively raise the compliance bar, compelling firms to redesign data pipelines, consent flows, and AI governance structures.

Enforcement would be anchored by a new Digital Privacy Agency empowered to issue regulations and levy fines, while individuals gain a private right of action and nonprofits can pursue collective representation. Crucially, the bill preserves state laws that offer greater protections, establishing a federal floor rather than preempting state innovation. Political hurdles remain, as bipartisan consensus on the scope of federal oversight is still elusive. Nonetheless, the Act signals a decisive move toward comprehensive privacy legislation that could set the stage for future AI regulatory frameworks and reshape industry standards across the United States.