(202) 240-7890

House GOP Bills Put Federal Preemption of State Data Privacy Laws Back on the Table

Ecommerce Innovation Alliance

May 12, 2026

House GOP Bills Put Federal Preemption of State Data Privacy Laws Back on the Table

A new set of data privacy proposals from U.S. House Republicans is doing more than restarting the federal privacy debate—it is putting forward a concrete legislative framework that could override state laws and reshape how ecommerce businesses manage customer data nationwide.

This is one of the most substantive federal privacy efforts in recent years—and one that directly intersects with long-standing concerns about regulatory fragmentation.

What’s Actually in the Proposal?

The package, led by House Financial Services Committee Republicans, centers on modernizing federal privacy rules—particularly those tied to financial data—while expanding protections to better reflect today’s digital economy.

Two key components emerging from the discussion draft and supporting materials include:

  • The “Secure Data Act” and “Guard Act” concepts, which aim to establish clearer national standards for how consumer financial data is collected, stored, and shared
  • Updates to the Gramm-Leach-Bliley Act (GLBA), extending its scope beyond traditional financial institutions to capture a broader set of data-driven business models

This matters for ecommerce because many online businesses—especially marketplaces, fintech-enabled sellers, and brands offering embedded payments or financing—could fall within an expanded definition of entities handling sensitive consumer financial data.

Most notably, the proposal includes federal preemption language, signaling an intent to override state-level privacy laws that currently govern large portions of ecommerce activity.

Federal Preemption: A Defining (and Contested) Feature

Unlike previous federal privacy discussions that struggled to reconcile state authority, this proposal leans directly into preemption.

If enacted as drafted, it could:

  • Supersede comprehensive state privacy laws like California’s CCPA/CPRA and similar statutes in Virginia, Colorado, and many other states
  • Replace divergent state requirements with a single federal compliance framework
  • Shift primary enforcement and rulemaking authority to federal regulators

However, preemption remains one of the most politically sensitive elements of any privacy legislation. Democratic lawmakers and several state regulators have historically opposed broad federal preemption, favoring stronger state-level protections and preserving the ability of states to independently regulate data privacy.

California has already signaled opposition to the proposal’s approach. The California Privacy Protection Agency (CPPA) recently criticized the framework as potentially weakening consumer protections and limiting the state’s authority to enforce and expand its own privacy standards. California officials and privacy advocates have long argued that state-led regulation allows faster policy innovation and stronger enforcement mechanisms than a single federal standard.

For ecommerce businesses, however, the concern remains the growing complexity created by an expanding patchwork of conflicting state laws, compliance obligations, and litigation exposure. As more states adopt their own frameworks—with varying definitions, enforcement structures, and consumer rights requirements—the operational burden on small and medium-sized online businesses continues to increase.

That makes preemption both the most impactful feature for ecommerce businesses—and likely the most heavily negotiated and contested provision as the debate moves forward.

What This Means for Ecommerce Businesses

The proposal, if adopted, could introduce a mix of opportunity and uncertainty:

Operational Impact
A unified federal standard could significantly streamline compliance operations, particularly for businesses selling across multiple states. Instead of adapting policies and systems to meet a growing list of state-specific rules, companies could align around a single set of requirements.

Regulatory Scope Expansion
At the same time, expanding GLBA-style obligations could bring more ecommerce businesses under stricter data governance frameworks—especially those handling payments, financial data, or customer profiling tied to transactions.

Compliance Reset Risk
Even if preemption holds, businesses should expect a transition period requiring updates to privacy policies and disclosures, revisions to data handling and security practices and even potential new audit or reporting requirements.

Legislative Outlook: Early Stage, High Uncertainty

The EIA has consistently highlighted the challenges of navigating a fragmented privacy landscape and advocated for a clear, consistent national framework. In addition to federal preemption that reduces duplication and conflict across states and practical compliance expectations for small and medium-sized businesses.

This proposal reflects meaningful movement toward those goals—particularly in recognizing that the current state-by-state approach is unsustainable for growing ecommerce companies.

At the same time, it underscores the need for continued engagement to ensure that any federal standard avoids disproportionately burdening smaller businesses, reflects how ecommerce platforms actually operate and provides clarity without limiting innovation.

At this stage, the proposal is a discussion draft, not yet a fully introduced or marked-up bill. That means:

  • Committee consideration is the next step, particularly within House Financial Services
  • Bipartisan support is not yet established, which is critical for any privacy legislation to advance
  • Senate alignment remains uncertain, where previous federal privacy efforts have stalled

Given these dynamics, the likelihood of this specific proposal becoming law in its current form is low in the near term. However, that does not diminish its importance.

Historically, legislative proposals like this serve as policy blueprints, shaping the contours of future bipartisan negotiations. Elements such as preemption, GLBA expansion, and national standards are now firmly back in play.

What to Watch Next

For ecommerce businesses, the key signals to monitor in the coming months include:

  • Whether the proposal is formally introduced and advances out of committee
  • How preemption language evolves during negotiations
  • Whether bipartisan talks begin to coalesce around a unified federal approach
  • Signals from the Senate on appetite for parallel legislation

A successful federal preemption model could finally simplify compliance at scale. But the path to getting there will involve significant negotiation, and the outcome is far from certain.

The EIA will monitor these proposals and continue to advocate for a balanced approach that delivers clarity, consistency, and a regulatory environment where ecommerce businesses can grow with confidence.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business. 

Ecommerce Innovation Alliance provides members with analysis of litigation and regulatory developments affecting online commerce and digital marketing. This post is for informational purposes only and does not constitute legal advice.

SHARE THIS POST:
Photo of author
Ecommerce Innovation Alliance
The voice of ecommerce
EIA is a nonprofit trade association dedicated to bringing the e-commerce industry together to advocate for common sense policies that strengthen the ecommerce ecosystem while protecting consumer’s privacy.
All posts by Ecommerce Innovation Alliance
, , , , , , , , , , , , , , , , , ,