California Attorney General Rob Bonta is leading a multistate push to stop Congress from passing a federal privacy bill that critics say would actually weaken protections for Californians rather than strengthen them.
The proposal, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, H.R. 8413, would create a single nationwide privacy standard that could override tougher state laws and limit how much control people have over their own data.
In Tuesday's letter to Congressional leaders, a coalition of 18 attorneys general and state privacy or consumer protection agencies warned that the measure would “wipe out” existing state safeguards and effectively freeze privacy law in place unless and until Congress acts again, according to the California Attorney General's Office. The group argued that any federal privacy law should serve as a floor for protections, not a ceiling that blocks states from going further as technology evolves.
“Federal action to protect Americans' privacy is essential, but not at the expense of the strong state laws that already protect Californians,” Bonta said in a statement from his office. The Attorney General's press release listed officials from Connecticut, New York, Virginia, the California Privacy Protection Agency and other state entities among the signees, the California Attorney General's Office reported.
What the bill would do
On paper, H.R. 8413 sets out a federal baseline of consumer privacy rights: the ability to access, correct and delete personal data, along with options to opt out of targeted advertising, data sales and certain kinds of profiling used to make major decisions about people. It also directs the U.S. Secretary of Commerce to conduct a three-year study of universal opt-out mechanisms rather than requiring companies to honor those signals immediately.
The bill would limit data collection to what is “adequate, relevant, and reasonably necessary,” a standard privacy advocates argue is looser than what some state laws already require. As described in the bill text on GovInfo, the Commerce Department would publish the results of its study after public consultation and a review of commercially available technologies.
Why states say it weakens protections
For state officials and privacy advocates, the sticking point is not only what H.R. 8413 includes, but what it punts to later study. The coalition flagged that the Act does not require businesses to respect universal opt-out preference signals, even though a dozen states already mandate that kind of protection.
They also criticized provisions that would let companies charge consumers fees for certain privacy requests, arguing that paywalls around basic rights would deter people from exercising protections they technically have. The Sacramento Bee reported on the coalition's objections.
Preemption and enforcement
Another major flashpoint is the bill's preemption clause, which would prohibit states from adopting or enforcing laws that relate to the provisions of the Act. Critics say that language could wipe out a wide range of state privacy rules, from data-broker registration systems to certain privacy-related legal claims in state courts.
Under the current draft, enforcement would primarily fall to the Federal Trade Commission. State attorneys general would retain only limited authority and would have to provide notice to companies and offer a chance to cure violations before taking action, a structure the coalition argues would slow or blunt timely enforcement. These preemption and enforcement mechanics are detailed in the bill text on GovInfo.
What it means for Californians
California has one of the strongest privacy frameworks in the country. State law gives residents rights to know what data is collected about them, to delete many types of that data and to opt out of certain uses, and it created the California Privacy Protection Agency to enforce those rules.
State regulators, including the California Privacy Protection Agency, have come out against H.R. 8413. They warn it would set privacy rights back and undercut tools such as the state's Delete Request and Opt-out Platform (DROP), which is designed to help residents exercise their rights more easily. CalPrivacy laid out those concerns.
What's next in Congress
The measure was introduced in April and received its first hearing before a House Energy and Commerce subcommittee on Wednesday. Lawmakers have not yet advanced it to a full committee vote.
Opponents are banking on the multistate push and the hearing record to either change the bill significantly or halt it altogether, while supporters argue that a single federal standard would cut down on compliance headaches for businesses operating across state lines.
