Proposed U.S. Privacy Legislation
Background
EPIC has been calling on Congress to enact comprehensive federal privacy legislation for over 25 years.
Federal privacy legislation has long been a bipartisan issue. In recent years, bills such as the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) were sponsored by bipartisan leaders on the House Energy & Commerce Committee and Senate Commerce Committee. Both of those bills included strong data minimization provisions, prohibited discriminatory uses of data, and provided for a limited private right of action to encourage meaningful enforcement.
EPIC has been calling for comprehensive federal privacy legislation for over 25 years. In July 1999, then-EPIC Executive Director Marc Rotenberg testified before Congress and said:
[T]he recent developments in the online industry make clear the need for privacy legislation. For those who are willing to look closely, there is little indication that self-regulation is working. Privacy policies read more like warning notices and disclaimers. The proposed merger of Internet advertising giant Doubleclick and the largest catalog database firm Abacus demonstrates many of the shortcomings of the self-regulatory approach. The merger would significantly undermine online privacy as advertising is radically transformed. In the absence of a legal framework for online privacy, Internet-based services are also being offered without privacy protections that would otherwise be required. The Internet is quickly becoming a privacy-free zone, where companies can push new products past an unsuspecting public.
He went on to warn of what has become the surveillance advertising ecosystem of today:
In practical terms, advertising will be radically transformed. Where once advertisers could reach segmented markets and still allow potential customers who browsed a news magazine or watched a television show to safeguard their privacy, now advertisers will literally be watching potential customers even as those customers are reading web-based ads. Enormously detailed secret profiles of Internet users will be developed based on transactional records, purchase histories, and clickstream data.
But Congress failed to act in 1999 and in the years since then, and EPIC’s predictions unfortunately came true. Testifying before the House Energy & Commerce Committee in 2022 in support of the American Data Privacy and Protection Act, EPIC Deputy Director Caitriona Fitzgerald told Congress:
The United States faces a data privacy crisis. Large and powerful technology companies invade our private lives, spy on our families, and gather the most intimate details about us for profit. […] These industries and systems have gone unregulated for more than two decades. And the result has been uncontrolled data collection, large scale data breaches, and an ecosystem dependent on a few large commercial surveillance platforms. […] We need comprehensive, baseline privacy protections for every person in the United States, changes to the business models that have led to today’s commercial surveillance systems, limits on government access to personal data, and strong enforcement of privacy protections.
EPIC and a coalition of privacy and consumer privacy groups have long recommended that Congress enact a privacy law that:
- limits the collection and use of personal data;
- prohibits discriminatory uses of data;
- requires algorithmic fairness and accountability;
- bans manipulative design and unfair marketing practices;
- limits government access to personal data;
- provides for a private right of action;
- preserves states’ rights to enact stronger provisions; and
- establishes a federal data protection agency to enforce these new rules.
In April 2025, EPIC responded to a request for information issued by the Majority members of the House Energy & Commerce Committee. EPIC told the Working Group:
Federal privacy legislation must limit the collection and use of Americans’ personal data with rules that respect our human right to privacy, limit harmful discrimination and targeting, and support the beneficial evolution of the technologies and systems we rely on in our everyday lives.
[…]
As Congress considers federal privacy legislation, it should learn from and improve upon existing state laws by strengthening privacy protections. The Virginia/Connecticut “models” and the state laws that follow them do not adequately protect privacy. Many of those laws have been heavily influenced by lobbying groups doing the bidding of Big Tech companies, leading to “privacy” laws that, in fact, do little to protect privacy. In a recent report scoring 19 state privacy laws by EPIC and the U.S. PIRG Education Fund, eight received Fs, and none received an A.
EPIC has been calling on Congress to pass a strong comprehensive privacy law for more than 25 years – but the enactment of a weak law that cements the current status quo into law is worse than passing no law at all. Any federal privacy legislation must reflect the reality that America is in a data privacy crisis and that regulation is badly needed to encourage privacy-protective innovations in technology and ensure privacy, fairness, and security in our online world.
Recent Documents on Proposed U.S. Privacy Legislation
- Statements: EPIC Statement re: Data Privacy Act of 2023
- Testimony: Hearing on “Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors”. EPIC's testimony regarding privacy risks in the public and private sector and what a privacy law should look like.
EPIC's Experts on Proposed U.S. Privacy Legislation
- Caitriona Fitzgerald, Deputy Director
- Alan Butler, Executive Director and President
- John Davisson, EPIC Senior Counsel and Director of Litigation
