Federal Data Privacy Bill Text is Released

The bill text for the federal data privacy legislation was released on April 22. See the press release here with the link for the bill text.

The bill includes:

● a nonprofit exemption;
● the nonprofit definition is defined as from the IRS definition;
● no private right of action;
● a study for feasibility of opt-out mechanisms;
●and thresholds regarding the number of consumers and gross revenues.

TNPA has been engaging with House Republican staff leads for nearly a year, providing perspectives from our members and utilizing earlier Advocacy Day opportunities to prioritize this issue. Our team met with senior staff in advance of the bill release to discuss and reiterate TNPA’s priority issues.

We anticipate a May hearing for next steps, along with a Hill event in late April with Members to discuss the bill in more detail. We look forward to discussing with key Hill staff during our planned May 13th Advocacy Day.

What was the process?

The House Energy and Commerce Committee developed a new data privacy proposal in 2025, moving away from frameworks used in the previous administration. Representative Brett Guthrie (R-KY), who chairs the committee, established an all-Republican working group in February 2025 to create this new proposal.

Key developments:

1.) The working group concluded its public input phase on April 7, 2025 when TNPA submitted its comments, and reviewed all feedback received. Various stakeholders, including industry representatives, were consulted through the rest of 2025.
2.) Republican priorities included federal preemption of state privacy laws and limiting enforcement exclusively to government agencies such as the Federal Trade Commission or state attorneys general.
3.) Any companion legislation in the Senate would need to pass through the Senate Commerce Committee.

Why do nonprofits care?

As the internet has enabled companies to collect more personal data, it is important to ensure that nonprofit organizations are ethical custodians of the data with which they are entrusted and also have access to information that enables them to further their missions.

● Donor trust is foundational to nonprofits’ ability to raise funds and provide services.
● Organizations use consumer data and third-party data providers to ensure our programmatic and fundraising marketing messages are delivered to those most likely to benefit – and, likewise, not to those who will not.
● Nonprofits use consumer data, including aggregated depersonalized data, to assess needs, measure effectiveness, and better direct resources to the people and places that need them the most.
● Nonprofits rely on commercial data companies to maintain data in secure environments at a level that many nonprofits could not afford to maintain on their own, certainly not without significantly reducing the funds available to spend on direct mission-focused work.

What is the ideal policy?

TNPA calls upon Congress to enact a national privacy statute for the proper handling of data, to both protect consumers and allow for the legitimate use of data:

● Federal legislation to create a single, clear, uniform set of national standards and guidelines.
● Include a clear preemption of any current or future state privacy statutes to create national consistency of laws.
● Require litigation of federal privacy legislation be filed in only federal court (and not state courts), which would create greater national uniformity of enforcement.
● No Private Right of Action, which could result in a proliferation of class action lawsuits, many of which would be frivolous.

For an in-depth discussion of these points and policy proposals, read  TNPA’s Discussion Points in Preparation for Drafting Federal Legislation Called The Individual Privacy Act.

What is the current situation?

The list of states with privacy statutes now numbers nineteen. Seven of them, Colorado, Delaware, Indiana, Maryland, Minnesota, New Jersey, and Oregon, cover nonprofits, while the other twelve states do not: California, Connecticut, Iowa, Kentucky, Montana, Nebraska, New Hampshire, Rhode Island, Tennessee, Texas, Utah, and Virginia. Privacy legislation that is limiting and costly for nonprofits’ commercial partners directly affects the nonprofit organizations that will ultimately bear the burden of less data and higher costs for the data they utilize to reach new supporters.

Unfortunately, the ever-increasing list of state privacy laws has not created a sense of haste in Congress toward enacting comprehensive bipartisan national privacy legislation to pre-empt the state-by-state patchwork quilt.

Read more about state legislation that has been proposed or enacted at the bottom of this page and on Legislation in the States.

U.S. Federal Law: 

Over the years, Congress has considered a number of federal laws dealing with portions of the handling of data. However, there is no broad-based federal statute to address the overall question of how data should be handled to better protect the privacy of consumers while setting out clear guidelines for the proper use of data by businesses.

In December 2022, the Omnibus Spending Package to fund the federal government through the end of the fiscal year (September 30, 2023) did not include the language of H.R. 8152, the American Data Privacy and Protection Act, which was reported out of the House Energy & Commerce Committee earlier in the year. H.R. 8152 included fifteen “carveouts” which would allow current state privacy-related statutes to stay in force. The bill also allowed for a Private Right of Action, which could lead to frivolous class action lawsuits. Since H.R. 8152 was not included in the “must pass” Omnibus Spending Package, it was not enacted into law before Congress officially closed out the 117th Congress at year’s end. Accordingly, H.R. 8152 died, as all legislation that has not passed does at the end of a two-year congressional cycle.

In the 118th Congress, 2023-2024, there was consideration of H.R. 8818, the American Privacy Rights Act (APRA). Unfortunately, this legislation still allowed portions of the state laws to continue without federal preemption. TNPA has consistently believed that a comprehensive national privacy law should include an unambiguous preemption of current or future state privacy statutes, allowing for one uniform national standard for the responsible use of data. Additionally, the legislation also provided for liability to  a private right of action that could be triggered by a minor violation of the legislation without requiring the actual demonstration of harm. The House Energy & Commerce Committee had planned to consider the legislation in June 2024; however, strong opposition by a number of committee members resulted an indefinite postponement for consideration of the bill. The link for the full text of the legislation is here. Also, the section-by-section review of the legislation prepared by the House Energy & Commerce Committee is here.

The 119th Congress: 

The change in Senate control to a Republican majority could have a significant impact. Several advocates for national privacy legislation will be in important positions: Sen. John Thune (R-SD) is Majority Leader, Sen. Ted Cruz (R-TX) is chairing the all-important Senate Commerce Committee, and Sen. Jerry Moran (R-KS) is serving on Senate Commerce. These three Senators have a long history of advocating for national privacy legislation that will preempt existing and future state statutes.

In the States:
What to keep an eye on

Alabama HB 351/Act 552 was signed by Republican Gov. Kay Ivey on April 16 and takes effect May 1, 2027. The law will apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

● Control or process the personal data of at least 50,000 consumers.
● Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data provided by the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law contains a 45-day right to cure. It will exempt nonprofits with less than 100 employees provided they do not engage in the sale of personal data.

Alaska HB 367 has been scheduled for a hearing in the House Judiciary Committee on April 24 at 1:00 PM. The bill would apply to a person that conducts business in the state or produce products or services targeted to consumers of the state that:

● Control or process the personal data of at least 100,000 consumers.
● Derive more than 50 percent of gross revenue from the sale of personal data.

Businesses that collect personal information from consumers would be required to notify consumers before collecting the information. Consumers would be permitted to request a business that collects or has collected their personal information to:

● Disclose the categories and specific pieces of information collected within the preceding five years along with the sources for that information and the business purpose for collecting the information.
● Delete any information collected within the preceding five years.
● Disclose the third parties in possession of the consumers’
● Not sell, share or disclose their personal information including through the use of global privacy controls.

Businesses would be required to obtain consumer consent before using precise geolocation data. The bill would require Department of Law to set up a data broker registry and grant them regulation authority. The registration fee imposed under the bill would be equal to three percent of the revenue received by the business from the buying, selling or sharing of personal information of a consumer or household. The bill contains a private right of action with no right to cure.

California SB 1106  passed the Senate Appropriations Committee on April 20 and is now pending on the Senate floor. The bill would require data brokers to access the state’s accessible deletion mechanism at least once every 30 days as opposed to every 45 days.

Connecticut SB 4 is once again pending on the Senate floor after passing the Senate Appropriations Committee on April 8 and being reported out of the Legislative Commissioners’ Office on April 17. The bill would, in part, set up a data broker registry in the state and require the Commissioner of the Department of Consumer Protection to set up an accessible deletion mechanism. Data brokers would be required to access the mechanism at least once every 45 days. The bill would also require a person who sets a price for an item using personalized algorithmic pricing to provide a disclosure that “this price was set by an algorithm using your personal data”. The bill would also amend the Connecticut Data Privacy Act, to prohibit the sale, sharing, transfer of or allowance of access to precise geolocation data.

Vermont HB 211 was heard in the Senate Economic Development, Housing and General Affairs Committee on April 22. The committee heard testimony from the Consumer Data Industry Association, Relx, Privacy Rights Clearinghouse and former Vermont assistant attorney general Ryan Kreiger, but did not vote on the bill during the hearing. As passed the House, the bill would amend the state’s data broker registration to add disclosures regarding whether a data broker collects specified information including, but not limited to, precise geolocation information, reproductive health data or biometric data. It would also impose specific data broker security breach notification requirements. Data brokers would be required to maintain verification procedures that require prospective customers to identify themselves, state the purposes for which the information is sought and certify that the information will not be used for any other purposes.  The bill would grant the attorney general rulemaking authority and provides for a private right of action.

Provisions that would have amended the state’s data broker registry to require the state to set up an accessible deletion mechanism to all consumers to opt out of all data brokers registered in the state would instead be sent to a study.

Vermont SB 71 has been scheduled for a hearing in the House Commerce and Economic Development Committee on Apri 24, where the committee is scheduled to receive a walkthrough of the bill from legislative council. The committee will use the proposed amendment for purposes of discussion over the summer. As passed the Senate, the bill would apply to nonprofits with very limited exceptions. The bill would apply to businesses that meet one or more of the following thresholds:

● Processes the personal data of at least 100,000 consumers, excluding data processed purely for the purposes of a payment transaction.
● Controlled or processed the data of at least 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

It would grant consumers various rights including, but not limited to, the right to delete personal data provided by or obtained about the consumer, obtain a copy of that data and opt out of the processing of their data for the purposes of the sale of their data or targeted advertising purposes.