From the summary of Data Protection Law: An Overview (R45631, Mar. 25, 2019):
Should the 116th Congress consider a comprehensive federal data protection law, its legislative proposals may involve numerous decision points and legal considerations. Points of consideration may include the conceptual framework of the law (i.e., whether it is prescriptive or outcome-based), the scope of the law and its definition of protected information, and the role of the FTC or other federal enforcement agency. Further, if Congress wants to allow individuals to enforce data protection laws and seek remedies for the violations of such laws in court, it must account for standing requirements in Article III, Section 2 of the Constitution. Federal preemption also raises complex legal questions — not only of whether to preempt state law, but what form of preemption Congress should employ. Finally, from a First Amendment perspective, Supreme Court jurisprudence suggests that while some privacy, cybersecurity, or data security regulations are permissible, any federal law that restricts protected speech, particularly if it targets specific speakers or content, may be subject to more stringent review by a reviewing court.