In early 2025, Chairman Guthrie (R-KY) and Vice Chairman Joyce, M.D. (R-PA) of the U.S. House Committee on Energy and Commerce launched a working group to solicit input and begin crafting a comprehensive federal data privacy and security law. As the process has evolved, three state privacy laws—the Kentucky Consumer Data Protection Act, Texas Data Privacy and Security Act, and Virginia Consumer Data Protection Act—have emerged as leading models, with each offering a strong foundation for a federal privacy framework. Congress should build on these state models with a preemptive federal standard that includes small businesses to reduce regulatory complexity and standardize protections for consumer data.
Similarities between Kentucky, Texas, and Virginia privacy laws
Kentucky, Texas, and Virginia have enacted privacy laws that share several essential provisions that Congress should adopt in a comprehensive federal privacy law.
Consumer rights. Each law grants consumers key rights, including the ability to access, correct, and delete their personal information, the right to opt out of its sale, and protection against discrimination for exercising these rights. Together, these rights give consumers greater control over their data while preventing harm from inaccurate or excessive data processing.
No private right of action. The laws also exclude a private right of action, protecting businesses from opportunistic litigation based on meritless claims. This exclusion is a boon to small businesses, which often lack extensive legal departments or ample resources for compliance. Costly litigation and settlements steal time and capital from innovation, hiring, and growth.
Guardrails on enforcement. They include enforcement by state Attorneys General with a 30-day right to cure that allows businesses time to resolve issues before facing significant legal consequences. Moreover, all three laws require controllers to meet robust cybersecurity obligations, including administrative, technical, and physical security provisions, to protect consumers’ personal information.
Differences between Kentucky, Texas, and Virginia privacy laws
Though each law features similar provisions, they take different approaches to applicability thresholds, creating complexity that federal legislation could streamline.
Scope of applicability. Kentucky’s and Virginia’s laws apply to businesses that either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. In contrast, the Texas law explicitly exempts small businesses as defined by the U.S. Small Business Administration (SBA), except to prohibit the sale of sensitive personal data without consumer consent. As a result, small businesses operating in all three states may be subject to some laws but not others.
Broader differences between all the states
The takeaway from a comparison of these laws is that they overlap completely at a high level and in their substantive purposes, but the differences in drafting approaches and style make compliance more difficult without improving privacy. Beyond small business exemptions, state privacy laws also differ in other key areas, which makes compliance with privacy regulations more complex. For example, states may vary in the consumer rights they grant, such as the ability to delete personal information or opt out of certain data processing, or in whether they include transparency requirements and a private right of action.
A federal law with preemption would provide small businesses with one clear standard and reduce the burden of navigating these substantially similar laws with inconsistent requirements.
Don’t leave small businesses to the states while shielding big corporations
Congress should avoid excluding small businesses when crafting a preemptive federal law. While small business exemptions in these state approaches are well-intentioned, they can actually increase compliance burdens. If a federal law preempts state laws but exempts small businesses, they would still be subject to the existing patchwork of state privacy laws, unlike larger companies, which would benefit from a single, uniform standard. This dynamic puts small businesses at an even greater competitive disadvantage, since they often lack the legal and technical resources of their larger counterparts to navigate new regulations. Moreover, although small businesses are frequently exempt from current state laws, that will not remain the case for long. Some states, including Connecticut and Montana, have recently lowered exemption thresholds, bringing more small businesses under regulation. If Congress passes a federal law that excludes small businesses—ironically leaving small businesses as virtually the only entities unprotected from a confusing and costly patchwork of state laws—more states would quickly follow this trend and expand regulations to fully capture small businesses. To support both small businesses and effective privacy compliance, Congress should include them in a preemptive federal framework.
Congress should also include a safe harbor that helps small businesses meet a federal privacy law’s requirements. For example, the American Data Privacy and Protection Act (ADPPA) included a provision allowing small businesses to participate in compliance programs using Federal Trade Commission-approved guidelines that met or exceeded the law’s standards. Under ADPPA, participation in such a program would have created a presumption of compliance, helping small businesses demonstrate good faith efforts to meet the law’s obligations without facing immediate penalties for every misstep. This approach holds small businesses appropriately accountable while reducing liability concerns and easing compliance burdens.
Kentucky, Texas, and Virginia have enacted workable privacy laws with enough high-level commonality that they provide a reasonable foundation for federal legislation. By building on these models with preemption, small business inclusion, and compliance relief for small businesses, Congress can enact a smart, balanced privacy law that effectively protects consumer privacy while minimizing regulatory burdens on U.S. businesses.