Will Congress finally act on data privacy late this year?
The 2024 Election is now less than three weeks away, but some lawmakers already are thinking about the “lame duck” legislative session that will happen between Nov. 5 and the start of the 119th Congress in January.
That group includes members of the U.S. House of Representatives that support — and oppose — the Kids Online Safety Act (KOSA). The U.S. Senate has already approved this bill, which aims to protect children from the harms of social media, gaming sites, and other online platforms, on an overwhelming 91-3 vote, but it has been stalled in the lower chamber of Congress.
What is the issue with KOSA, and what does opposition to it indicate about the potential for approval of a broader federal data privacy bill? And if Congress can’t address data privacy, what are state lawmakers likely to do, if anything?
Why Some Lawmakers Oppose KOSA
The bipartisan Kids Online Safety Act, sponsored by Sen. Richard Blumenthal (D-Conn.) and Sen. Marsha Blackburn (R-Tenn.) would:
- Require social media platforms to provide minors with options to protect their information, to disable addictive product features, and to opt out of personalized algorithmic recommendations;
- Require technology platforms to enable the strongest privacy settings for kids by default;
- Give parents new controls to spot harmful behaviors, and provide parents and educators with a dedicated channel to report harmful behavior;
- Create a duty for online platforms to prevent and mitigate specific dangers to minors, including the promotion of suicide, eating disorders, substance abuse, sexual exploitation, and advertisements for certain illegal products; and
- Ensure parents and policymakers know which online platforms are taking meaningful steps to address risks to kids by requiring independent audits and research into how these platforms impact the well-being of children and teens.
As noted above, the legislation was embraced by both Senate Democrats and Republicans. The House Energy and Commerce Committee, where Republicans are in charge of the agenda and have a majority, also has approved an amended version of the bill.
Still, Speaker of the House Mike Johnson (R-La.) made it clear last week that he has no appetite to bring the bill to a vote during the upcoming lame-duck session of Congress. (If the House does not approve KOSA by the time the next Congress is seated, the bill’s sponsors will be forced to go back to square one in both the House and Senate, reintroducing the bill, amassing a list of cosponsors, scheduling hearings, and convincing leaders of the two chambers to consider it.) The speaker did not get into specific reasons why he opposes KOSA, arguing instead that it is generally “very problematic” and could result in “unintended consequences.”
The Hill spoke with Speaker Johnson, who confirmed his stance. The Hill also noted other GOP lawmakers are worried KOSA would give the Federal Trade Commission (FTC) “sweeping authority” that could potentially result in the censorship of right-leaning viewpoints. Back in August, a House leadership aide told The Hill KOSA “could lead to censorship of conservative speech, such as pro-life views, is almost certainly unconstitutional and grants sweeping new authority to unelected bureaucrats at the FTC.”
Speaker Johnson’s opposition to, and statements against, KOSA could have implications for issues other than children’s online safety. Indeed, they could indicate that, at least in the near term, the years-long quest for a federal data privacy bill is dead.
The Ongoing Fight Over A Federal Data Privacy Standard
As this column has explained in the past, Republicans and Democrats have been divided over data privacy for at least the last 20 years.
Republican lawmakers, who are typically strident defenders of states’ rights, have argued in this instance for a national system. Industry advocates have sided with the GOP because they believe compliance for businesses across 50 different state frameworks is incredibly difficult, if not impossible. Democrats, meanwhile, have been reluctant to embrace a national standard since they think it could weaken robust state regimes, including California’s, which many Democrats regard as the gold standard for data privacy law. Consumer groups and privacy advocates have sided with Democratic lawmakers.
This division, and disagreement over whether any data privacy framework should include a private right of action allowing consumers to sue companies for misusing consumers’ data, explains why no federal data privacy legislation has passed either chamber of Congress over the last two decades.
There was some hope earlier this year that members of Congress might finally iron out their differences, but in June the House Energy and Commerce Committee canceled a vote on a comprehensive data privacy bill., the American Privacy Act. It was never rescheduled. (Two years before, the House Energy and Commerce Committee approved data privacy legislation almost unanimously.)
According to The Washington Post, the June vote cancellation was due to the fact that House Majority Leader Steve Scalise (R-La.) opposed giving consumers a right to sue companies for violations. “This bill has become so poisonous and the structure is just so difficult that you really need to scrap this bill and start over, which is a very difficult task to take on, but we stand ready to help them do that,” a GOP leadership aide told The Post at the time.
While the Democratic party platform endorsed at the party’s convention earlier this year called for approving KOSA and for enacting several data privacy measures — among them putting stricter limits on the personal data collected for all consumers, allowing users to control and transfer their data, and updating the Electronic Communications Privacy Act to protect personal electronic information and safeguard location information — the GOP’s party platform was silent on the issue of data privacy.
If Election 2024 results in divided government in the nation’s capital in 2025, it will be difficult for lawmakers to make much progress on data privacy. In the absence of any progress in Washington, states will continue to proceed on their own.
States Moving Fast To Fill Data Privacy Void
California lawmakers approved the country’s first data privacy bill six years ago, in June 2018. Several states followed. Indeed, according to the International Association of Privacy Professionals (IAPP), since then state-level momentum for comprehensive privacy bills has reached “an all-time high.”
At least 20 states have comprehensive data privacy laws in place. These states are not bound by party. In fact, the list of states with data privacy bills includes both Republican-dominant states and those led by Democrats. Specifically:
- California has that bill approved in 2018, the California Consumer Privacy Act, which gives consumers more control over their personal information;
- Colorado has the Privacy Act, which requires certain websites to have a privacy policy and imposes fines on those that do not comply;
- Montana, where the Consumer Data Privacy Act protects residents from the unwarranted use of their personal data for targeted advertising or profiling;
- The Nebraska Data Privacy Act, which gives residents the right to request that companies correct or delete their data;
- Utah has the Consumer Privacy Act, which gives consumers the right to access and delete their data and opt out of data collection; and
- Virginia, where the Consumer Data Protection Act grants Virginia residents specific rights regarding their data.
The latest state to approve a comprehensive data privacy bill is Rhode Island. The legislation, which will take effect January 1, 2026, will give consumers the right to confirm what data a company collects, correct it, receive a copy, and opt out of certain uses. Companies must also secure consent before processing sensitive data.
As Bloomberg Law has explained, “several other states,” including Massachusetts, North Carolina, and Pennsylvania have introduced narrow consumer privacy bills that address a range of issues, including protecting biometric identifiers and health data or governing the activities of specific entities like data brokers or internet service providers.”
According to the U.S. Public Interest Research Group (USPIRG), these bills are not all cut from the same cloth, however. “The Virginia law was weak,” U.S. PIRG has said. “Companies could continue collecting whatever data they want as long as it was disclosed somewhere in a privacy policy. While consumers could, in theory, request companies delete their data, they would have to submit requests one at a time to the hundreds — if not thousands — of entities holding their information. Consumers also had no ability to hold companies accountable in court for violating the privacy law meant to protect them.”
In the absence of action by members of the U.S. House and Senate, however, this patchwork is what Americans can expect.
Or can they?
The type of partisan skirmish over data privacy that we have seen in Washington, D.C. over the last few years may finally have reached the states. Earlier this year, lawmakers in the Vermont statehouse and Senate approved a comprehensive data privacy bill. (Both chambers are controlled by Democrats, but the vote in the lower chamber for the bill was 139-3.) The Republican governor vetoed it.
At issue? The same one Republicans in the U.S. House were worried about with the American Privacy Act: a private right of action. In his veto message, Vermont Gov. Phil Scott (R) urged the legislature to start over, using Connecticut’s data privacy bill as a model. Connecticut’s Data Privacy Act does not have a private right of action.