The hearing happened. The hearing always happens.
Since 2019, the House Energy and Commerce Committee has convened multiple rounds of hearings on comprehensive federal privacy legislation. COPRA. ADPPA. Now reportedly the SECURE Data Act, identified as H.R. 8413 in initial coverage of the June 3 CMT Subcommittee hearing, though the specific bill details are reported, not yet independently confirmed. Each cycle follows a recognizable arc: introduction, subcommittee hearing, committee markup (sometimes), floor stall (always). The bills die on two recurring disputes. Understanding those disputes is the first job for compliance teams trying to assess whether this round is different.
The Two Structural Blockers
Federal preemption is the first. Any federal privacy law strong enough to matter to industry would need to preempt state laws; otherwise companies face 50-plus compliance frameworks in addition to a federal one. California has historically objected to preemption that weakens its CPRA protections. The 2022 ADPPA passed committee with bipartisan support and stalled on the House floor partly because California’s delegation wouldn’t accept a preemption provision that reduced state-level consumer protections. That dispute isn’t resolved. The same geography produces the same political math today.
Private right of action is the second. Consumer advocates and plaintiff attorneys want individuals to be able to sue companies directly for privacy violations, without waiting for an FTC or state AG enforcement action. Industry opposes it, citing litigation exposure. This has been a non-negotiable dealbreaker for industry coalitions in prior cycles. No federal privacy bill has successfully threaded that needle.
Both blockers are structural; they don’t dissolve because a new bill gets a new name.
Why This Round Feels Different to Industry
AI training data has changed the economic stakes. Under the current state patchwork, organizations training AI models on personal data navigate inconsistent consent requirements, opt-out mechanisms, and data subject rights across jurisdictions. California’s CPRA, Colorado’s CPA, Connecticut’s CTDPA, and Illinois’ BIPA each create distinct obligations. Running a national AI training pipeline means either complying with the most restrictive state’s requirements everywhere, or building jurisdiction-specific data processing architectures, both expensive paths.
A federal privacy standard with a clear AI training data carve-out or preemptive effect would eliminate that complexity. That’s a material compliance savings. Industry witnesses at these hearings are showing up with sharper arguments and more specific asks than they brought to the 2019 and 2021 cycles. The lobbying pressure has changed because the dollar figures have changed.
The question is whether sharper industry arguments can overcome structural political blockers that have nothing to do with AI. So far, there’s no evidence they can.
Active US State Privacy Frameworks with AI Relevance
| State | Framework | AI-Specific Provisions | Enforcement Status |
|---|---|---|---|
| California | CPRA | Automated decision-making rights under CPPA rulemaking | Active |
| Colorado | CPA | Profiling and automated decision-making opt-out | Active |
| Connecticut | CTDPA | Automated decision-making and profiling rights | Active |
| Illinois | BIPA | Biometric data, active litigation landscape | Active |
Compliance Planning Framework: Federal Privacy Uncertainty
- Build state-by-state compliance architecture for AI training data; don't defer pending federal action
- Conduct jurisdiction-by-jurisdiction consent and opt-out analysis for AI training uses
- Set markup calendar alerts, not hearing alerts, for CMT privacy bill activity
- Monitor for a narrow AI training data vehicle as an alternative to comprehensive legislation
The State Patchwork That Exists Now
While federal legislation stalls, state law is not standing still. TJS has documented the state-level activity in detail: Colorado, Connecticut, and Illinois have enacted frameworks with meaningful AI-specific provisions. California’s AI bill activity has been extensive. The White House framework’s call for federal preemption, documented in prior coverage, reflects industry’s preference, not current law.
What this means practically: compliance teams operating now are already managing a patchwork. The architecture you’ve built for multi-state privacy compliance is the architecture you’re likely running on through at least 2027, possibly longer. Federal legislation doesn’t appear in any analyst’s near-term projection as a solved problem.
The Shortcut Worth Watching
Here’s where the analysis gets specific. The real legislative risk for the state patchwork isn’t a comprehensive federal privacy bill. It’s a narrower AI training data vehicle, a targeted exemption or safe harbor for AI training uses of personal data, with preemptive effect on state restrictions. Industry has every incentive to push for this as an alternative to comprehensive legislation when comprehensive legislation stalls. It’s a smaller, more focused ask that could theoretically move through a budget reconciliation vehicle or attach to a broader AI legislative package.
The White House’s federal preemption framework already previewed this approach. Several elements of the framework addressed AI-specific data uses in ways that looked like the foundation for a targeted federal vehicle. Watch the legislative calendar for a narrow AI training data bill that doesn’t try to resolve the comprehensive privacy debate. That would be the signal that industry’s lobbying strategy has shifted from “pass comprehensive privacy legislation” to “carve out AI training from state restrictions.”
What Compliance Teams Should Actually Do
The planning framework for this environment has three components.
Build for the patchwork. Don’t defer state-by-state compliance architecture pending federal action. The CPRA, Colorado CPA, and Connecticut CTDPA are enforceable now. Illinois BIPA litigation is active. Your AI training data governance program needs to work within those frameworks today. Federal legislation may simplify this eventually; plan for “eventually” to mean 2028 or later.
Warning
The compliance teams most exposed in a federal preemption scenario aren't those who built state-compliant programs; they're the ones who delayed state compliance expecting federal simplification. If a federal law passes with a permissive AI training data carve-out, compliant programs can relax requirements. If it doesn't, programs built for the patchwork are the only programs that work.
Monitor the markup calendar, not the hearing calendar. Hearings are necessary but not sufficient. The signal that matters is committee markup scheduling: a scheduled markup means the bill has enough support to move to a vote, which is qualitatively different from a hearing. Set up alerts for “CMT markup” and “Energy and Commerce markup” on privacy legislation. A hearing-only cycle without markup tells you nothing has changed.
Map your AI training data exposure by jurisdiction. If you’re training on personal data and operating across multiple US states, conduct a jurisdiction-by-jurisdiction consent and opt-out analysis. Identify which state framework imposes the most restrictive requirements on your use case, and assess whether your current architecture complies with that floor. If a federal standard eventually passes with preemptive effect and a permissive AI training data carve-out, you’ll relax requirements. If it doesn’t, you’ve built the right architecture anyway.
The Pattern’s Implication
Seven years of federal privacy hearings without a law has produced one durable outcome: a state patchwork that keeps growing. Every year without federal preemption is a year another state passes its own framework, deepening the compliance complexity that industry claims justifies federal action. It’s a self-reinforcing cycle, and the AI training data stakes are accelerating it.
The compliance teams that manage this well aren’t the ones waiting for Congress to simplify their job. They’re the ones who’ve accepted that the patchwork is the operating environment and built programs that can run within it, flexible enough to adapt if federal legislation passes, robust enough to survive if it doesn’t.
The next federal privacy hearing will happen. The next federal privacy law is less certain.