4 Protections Congress Must Include in Federal Privacy Law (2025)


    Center for American Progress


      In a submission to the House Energy and Commerce Committee privacy working group’s request for information (RFI), the Center for American Progress urges lawmakers to reject industry-backed efforts to weaken privacy rights and instead advance meaningful protections Americans have demanded for decades.

      Media Contact
      Sam Hananel, Senior Director, Media Relations

      Government Affairs
      Peter Gordon, Senior Director, Federal Affairs

      Jerry Parshall, Senior Director, Safety and Justice Campaign; Director, State and Local Government Affairs


      In February 2025, the House Energy and Commerce Committee’s privacy working group released a request for information (RFI) seeking stakeholder input to explore a data privacy and security framework. The committee has a long history of bipartisan work on privacy. However, this latest effort came solely from members of the Republican House majority, who currently make up the entire privacy working group. Despite the one-sided makeup of the group, they should take seriously the submissions to their RFI—which come from a variety of stakeholders, including the Center for American Progress. As the privacy working group reengages on this issue, it must decide whether to build on years of bipartisan work or shift toward a framework shaped by industry influence. President Donald Trump has repeatedly framed Big Tech as a serious threat, a view that has been echoed at times by leaders within the House Majority and key members of the Energy and Commerce Committee. This makes it all the more important to distinguish between serious privacy reform and provisions that amount to giveaways to dominant tech firms.

      While the RFI may appear to reflect a genuine effort to advance strong privacy legislation, the questions it raises have already been discussed at length by privacy experts as well as by bipartisan members of Congress over the past two decades. In fact, by the working group’s own admission, “Members of Congress have spent many years working toward federal comprehensive data privacy and security standards.” Given the numerous hearings the committee has held, the breadth of witness testimony collected, and the additional input it will receive through this RFI, there is no doubt that the committee understands both the public’s demand for strong protections and the arguments consistently advanced by Big Tech. Accordingly, the committee should reject efforts by industry-backed trade associations to weaken the protections that Americans overwhelmingly support.


      Against this backdrop, CAP submitted formal comments to the working group outlining these concerns in greater detail on April 7, 2025. This response examined the public positions of trade associations that seemingly represent the interests and positions of the six major technology companies—Alphabet, Amazon, Apple, Google, Meta, and Microsoft, colloquially referred to as “Big Tech”—to better understand the industry’s stance on key privacy provisions. We also note that Microsoft has been a champion of comprehensive federal privacy legislation for decades. While CAP included direct statements from companies such as Google where available, most firms rely on trade associations to speak on their behalf in policy debates. These groups include the Information Technology Industry Council (ITI), TechNet, and the U.S. Chamber of Commerce (see “Sourcing and attribution of industry positions” for more information).

      CAP’s research further identified four critical protections essential to any federal privacy framework. These protections include 1) strong data minimization requirements, 2) narrowly tailored permissible purposes, 3) universal opt-out mechanisms, and 4) artificial intelligence (AI) provisions. Such protections should apply not only to commercial actors but also to government service providers, ensuring that all entities handling personal data are held to the same high standards. Despite expert and bipartisan recognition of these essentials, Big Tech firms—primarily through their trade associations—have consistently opposed strong privacy protections. However, to ensure meaningful federal legislation emerges from this process, Congress must stand steadfast.

      CAP’s response to the privacy working group’s RFI

      Read the formal submission to the House Energy and Commerce Committee’s privacy working group.


      1. Strong data minimization requirements

      Meaningful data minimization restricts companies from collecting, processing, and transferring personal data beyond what is strictly necessary to deliver a requested product or service; it also mandates the deletion of such data once the purpose for collection is fulfilled. This principle, established decades ago in the Privacy Act of 1974, significantly reduces harms such as commercial exploitation, extensive online surveillance, and risks associated with data breaches because companies are both collecting less information and more limited in how they can use that information. For individuals, this means fewer invasive ads targeting personal behaviors and a lower chance that sensitive information will be exposed in a breach.

      In Google’s white paper titled “Responsible Data Practices,” the company promotes data minimization as a way to minimize risk, defining it as limiting collection, use, and disclosure to what is reasonably necessary and proportionate for providing a product or service. However, Google’s interpretation of the principle lacks specific limits on how long data can be kept and does not clarify whether “disclosure” includes selling data to third parties. To be effective, data minimization must include clear limits that encompass the entire life cycle of data collection and use, rather than relying on insufficient standards defined by companies that benefit from collecting as much data as possible.

      2. Narrowly tailored permissible purposes

      A well-written permissible purposes section must include narrowly defined exceptions to data minimization, allowing data to be used or shared beyond their original purpose only when they serve a clear public benefit or are essential to core operations. As CAP states in response to the RFI:

      Critically, any provision that allows data to be shared with law enforcement must be limited to data that was legally collected in the first place, and only shared under a valid legal process, such as a warrant. Companies should not be permitted to collect data solely on the basis that it might someday be useful to law enforcement. Carve-outs for fraud, harassment, public safety incidents, or criminal activity should prohibit both the sale or transfer of data to government entities for payment or other consideration, as well as any voluntary sharing of data. Ambiguous terms like “public safety” or “criminal activity” must be tightly defined so that they cannot be used to justify surveillance of lawful behavior, such as peaceful protest or political organizing.

      Without such limits, individuals may find their personal data used in investigations they were never aware of simply because their online activity was misinterpreted or misclassified, exposing them to unnecessary scrutiny or risk. Industry trade associations often promote broad and ambiguous frameworks. For example, ITI’s list of “public interest uses” enumerates seven broadly worded purposes, including “facilitating the efficient distribution of website and other internet content” and “protecting the health, safety, rights, or property of the organization or another person.” Meanwhile, TechNet explicitly states “privacy laws should not broadly prohibit government use of third-party data.” Without specific boundaries, vague and expansive permissible purposes could undermine the very goals of a privacy law and allow companies to justify invasive practices under unclear terms.

      3. Universal opt-out mechanisms

      A universal opt-out mechanism allows individuals to easily communicate their privacy preferences across multiple platforms with a single action. Tools such as browser settings or automated signals make this possible by sending automatic signals to companies about a user’s preference. Without this, people must manually manage their privacy settings on hundreds of websites and apps, which is time-consuming and often inaccessible, especially for those without technical expertise. As a result, many individuals are effectively denied the ability to exercise their rights, leaving their personal data vulnerable. Entities should be required to honor these signals in order for opt-out rights to have meaningful effect. Failing to require this amounts to a giveaway to Big Tech by preserving a system that benefits companies at the expense of users’ control over their own data.

      Industry groups have actively pushed for federal preemption that would block states like California from enforcing universal opt-out requirements such as the Global Privacy Control (GPC). Even Google has acknowledged that overwhelming users with consent requests can lead to fatigue. While this point was raised to argue against broad opt-in systems, it also reinforces the need for straightforward opt-out tools. The risk of overwhelming users with constant privacy choices makes it even more important to offer clear, easy-to-use mechanisms such as universal opt-outs that reduce confusion and support meaningful user control.

      4. Clear artificial intelligence prohibitions

      Artificial intelligence (AI) systems depend on large-scale personal data collection, often in ways that individuals cannot fully understand or control. While data regulation is important, it is not enough to address the serious risks posed by high-risk AI applications, such as automated job termination, real-time biometric surveillance, and social scoring. These uses threaten economic security and democratic norms and must be explicitly prohibited. Without clear limits, people could lose job opportunities, be denied services, or face unwarranted surveillance based on opaque and unaccountable systems they have no ability to challenge or understand.

      Crucially, any federal privacy law must preserve the ability of states to enact and enforce their own restrictions on harmful AI systems. States play an essential role in addressing emerging risks and protecting individual rights, especially when federal action falls short. Industry trade associations have opposed AI prohibitions. TechNet, for example, argues that privacy laws should avoid outright bans and remain technology-neutral. Additionally, the association advocates for federal preemption, which would block states from addressing these risks on their own, leaving Americans exposed to unregulated and potentially harmful AI applications.


      Conclusion

      Congress has the opportunity and responsibility to deliver real privacy protections for the American public. The four provisions outlined above represent the minimum that a comprehensive federal privacy law must include. Each one addresses a core weakness in the current data ecosystem, and most have been targeted by industry lobbying efforts that aim to delay or weaken reform. Much more detail on each of these issues can be found in CAP’s full response to the privacy working group’s RFI.

      Lawmakers should not give in to arguments that prioritize flexibility or innovation at the expense of privacy and safety. Americans deserve a privacy framework that centers their interests, limits harmful data practices, and creates strong safeguards for emerging technologies such as artificial intelligence. Failing to include these protections would risk cementing the very harms that privacy legislation is meant to prevent.

      Sourcing and attribution of industry positions

      The following section is pulled directly from CAP’s formal submission and explains how the authors identified and attributed positions taken by the trade associations that seemingly represent Big Tech companies—which, in many cases, reflect the companies’ views either indirectly or directly:

      While this column highlights opposition from “Big Tech,” much of the sourcing comes from public positions taken by major industry trade associations that represent the interests of large technology companies. Generally, “Big Tech” refers to six dominant firms including Amazon, Apple, Alphabet, Google, Meta, and Microsoft. However, there are also other large tech and data-driven companies with significant market power that influence privacy policy debates such as TikTok, X (formerly Twitter), and Snap. We made a good-faith effort to identify and include direct statements from individual companies like Google. Microsoft, notably, has long expressed public support for comprehensive federal privacy legislation. But in most cases, the interests of tech companies are represented by trade associations rather than tech companies speaking under their own names. This is a strategy that seemingly allows companies to influence policy debates without direct exposure. As a result, we drew from public positions taken by three major industry trade associations: the Information Technology Industry Council (ITI), TechNet, and the U.S. Chamber of Commerce. The first two list at least four of the six Big Tech companies as members, including Amazon, Apple, Google, and Meta. While the U.S. Chamber of Commerce does not have traditional members in the same way, leaders from both Meta and Microsoft sit on its board of directors. Because these organizations either include or are publicly funded by Big Tech and routinely lobby with their interest in mind, we believe it is appropriate to treat their positions as representative of the industry’s stance, especially when individual companies have not offered independent public statements on the issue. This approach is necessary given the opacity of company-specific disclosures and the strategic role of trade groups to obscure direct opposition.

      CAP’s full response to the privacy working group’s RFI cites a range of materials from both individual companies and trade associations, including ITI’s “Framework to Advance Interoperable Rules (FAIR) on Privacy,” TechNet’s webpages on “Privacy and Security” and “Artificial Intelligence,” Google’s white paper titled “Responsible Data Practices,” and the U.S. Chamber of Commerce’s letter on privacy priorities in the 119th Congress.

      The positions of American Progress, and our policy experts, are independent, and the findings and conclusions presented are those of American Progress alone. A full list of supporters is available here. American Progress would like to acknowledge the many generous supporters who make our work possible.

      Author


      Nicole Alvarez

      Senior Policy Analyst

      Team


      Technology Policy

      Our team envisions a better internet for all Americans, advancing ideas that protect consumers, defend their rights, and promote equitable growth.
