Small businesses are already using generative AI at scale, according to U.S. Chamber of Commerce survey data, while the Chamber told House lawmakers that fragmented AI and privacy rules could raise compliance and litigation costs for firms navigating state-by-state obligations.
The warning came in written testimony from Marty Durbin, the Chamber’s senior vice president for policy, before the House Energy and Commerce Committee’s commerce, manufacturing and trade subcommittee.
The June 30 hearing examined U.S. leadership in emerging technologies, including AI, robotics and quantum computing, amid growing tension between federal and state regulation of AI and data privacy.
Durbin said companies need clear rules for how AI-related data is governed. “To get AI policy right, companies must have certainty about how the data used for AI systems is governed,” he wrote.
The same testimony warned that “a patchwork of privacy and AI laws threatens to hold back U.S. technology leadership,” citing Chamber research that found small businesses fear higher litigation and compliance costs.
Survey shows rapid AI adoption among small businesses
The Chamber’s argument draws from its 2025 Empowering Small Business report, conducted with Teneo Research. The survey covered 3,870 U.S. small businesses with fewer than 250 employees, with data collected from June 6 to June 26, 2025.
The report found that 58% of small businesses self-identified as generative AI users, up from 40% in 2024 and 23% in 2023. Among small businesses using AI, 77% said limits on the technology would hurt growth, operations and the bottom line.
The same report found that 65% of small businesses were concerned a fragmented regulatory environment would drive up litigation and compliance costs.
The affected small-business base is large. The Small Business Administration’s 2025 Small Business Profile counted 36.2 million small businesses in the U.S., representing 99.9% of U.S. businesses and 45.9% of U.S. employees.
The push for a single national data standard
The Chamber is urging Congress to advance H.R. 8413, the SECURE Data Act. The bill text would create consumer rights to access, correct and delete personal data, opt out of targeted advertising, data sales and certain profiling decisions, and require consent before processing sensitive data.
Introduced in April 2026, the bill is part of an ongoing House debate over whether federal privacy rules should establish a national standard or preserve existing state-level protections.
The same bill would require controllers to maintain reasonable data security practices. It would also preempt state laws related to its provisions by saying no state or political subdivision may “prescribe, maintain, or enforce” a covered law, rule or standard.
For the Chamber, national preemption is central to the cost argument. Durbin wrote that the SECURE Data Act would provide baseline limits on company data use, give consumers deletion and opt-out rights, add protections for sensitive data and “establish a single national standard.”
Privacy regulators oppose federal preemption
Privacy regulators and advocacy groups are challenging the same mechanism. The California Privacy Protection Agency wrote in an April letter opposing the SECURE Data Act that the bill’s preemption language “seeks to strip away a substantial amount of important privacy protections” available under state privacy laws, including rights available to more than 100 million Americans. The agency urged Congress to set “a floor, not a ceiling” for privacy rights.
EPIC, the Electronic Privacy Information Center, made a similar case in testimony on H.R. 8413. It said 12 states require companies to honor universal opt-out mechanisms, which let consumers use browser or device-level settings to opt out of targeted advertising and personal data sales.
EPIC argued that the SECURE Data Act does not require companies to honor those tools and instead gives the Commerce secretary three years to study whether they are feasible.
State-level AI laws add new compliance hurdles
AI-specific compliance is also changing at the state level. Colorado enacted SB26-189 in May, repealing and reenacting earlier AI consumer-protection provisions with new requirements for automated decision-making technology used in consequential decisions.
The Colorado attorney general’s office says the new law creates requirements for developers and deployers of automated decision-making technology and gives consumers the right to request and correct inaccurate personal data used by such systems. The provisions take effect Jan. 1, 2027, according to the attorney general’s rulemaking page.
Colorado’s law makes the compliance issue concrete: it creates obligations for developers and deployers of automated decision-making technology used in consequential decisions.
The Colorado bill summary lists technical documentation, consumer notices, record retention, data-correction rights and human review rights, with covered decisions spanning education, employment, housing, financial or lending services, insurance, health care and essential government services and public benefits.