Small businesses are already using generative AI at scale, according to research data from the U.S. Chamber of Commerce, which told Congress that fragmented AI and privacy rules could increase compliance and litigation costs for companies meeting state-by-state mandates.
The warning was made in written testimony by Chamber of Commerce Executive Vice President for Policy Marty Durbin before the House Energy and Commerce Committee’s Commerce, Manufacturing and Trade Subcommittee.
The June 30 hearing examined U.S. leadership in emerging technologies such as AI, robotics and quantum computing amid rising tensions between federal and state regulations on AI and data privacy.
Durbin said companies need clear rules on how to manage AI-related data. “To successfully operationalize AI policies, companies must have confidence in how the data used in their AI systems will be managed,” he writes.
The same testimony cited a Chamber of Commerce study that found small businesses fear increased litigation and compliance costs, and warned that “a patchwork of privacy and AI laws threatens to stymie America’s technology leadership.”
Research shows AI adoption among small and medium-sized businesses is accelerating rapidly.
The chamber’s claims are based on its 2025 Small Business Empowerment Report, conducted in collaboration with Teneo Research. The study surveyed 3,870 U.S. small businesses with fewer than 250 employees, and data was collected from June 6, 2025 to June 26, 2025.
According to the report, 58% of small businesses identify themselves as generative AI users, up from 40% in 2024 and 23% in 2023. Among small businesses using AI, 77% say technology limitations have a negative impact on growth, operations, and revenue.
The report found that 65% of small businesses are concerned that a fragmented regulatory environment will increase litigation and compliance costs.
The affected small and medium business base is large. The Small Business Administration’s 2025 Small Business Profile counts 36.2 million small businesses in the U.S., representing 99.9% of U.S. businesses and 45.9% of U.S. employees.
Promoting a single national data standard
The Chamber is calling on Congress to move forward with HR 8413, the SECURE Data Act. The bill’s text would create consumer rights to access, correct, and delete personal data, opt out of targeted advertising, data sales, and certain profiling decisions, and to seek consent before processing sensitive data.
The bill, due in April 2026, is part of an ongoing debate in the House of Representatives about whether federal privacy rules should establish national standards or maintain existing state-level protections.
The same bill would require controllers to maintain reasonable data security practices. It also states that no state or political subdivision may “prescribe, maintain, or enforce” any applicable law, regulation, or standard, which would preempt state law related to that provision.
For the House, national preemption is central to the cost debate. Durbin wrote that the SECURE Data Act places fundamental limits on the use of company data, gives consumers deletion and opt-out rights, adds protections for sensitive data, and “establishes a single national standard.”
Privacy regulators oppose federal preemption
Privacy regulators and advocacy groups object to the same mechanism. In an April letter opposing the SECURE Data Act, the California Office of Privacy Protection wrote that the bill’s preemptive language “seeks to strip away significant portions of the important privacy protections” available under the state’s privacy law, including rights enjoyed by more than 100 million Americans. The agency called on Congress to set “floors, not ceilings” on privacy rights.
EPIC, the Electronic Privacy Information Center, made similar claims in its testimony regarding HR 8413. Twelve states said they require businesses to adhere to universal opt-out mechanisms that allow consumers to opt out of targeted advertising or the sale of their personal data using browser- or device-level settings.
EPIC argued that the SECURE Data Act does not require companies to comply with these tools, but instead gives the Secretary of Commerce a three-year period to consider whether they are feasible.
State-level AI laws add new compliance hurdles
AI-specific compliance is also changing at the state level. Colorado enacted SB26-189 in May, repealing and re-enacting previous AI consumer protection provisions with new requirements for automated decision-making technology used to make consequential decisions.
The Colorado Attorney General’s Office said the new law creates requirements for developers and implementers of automated decision-making technology and gives consumers the right to request and correct inaccurate personal data used in such systems. This provision will go into effect on January 1, 2027, according to the Attorney General’s rulemaking page.
Colorado law embodies compliance issues and imposes obligations on developers and implementers of automated decision-making technology used to make consequential decisions.
The Colorado bill’s summary lists technical documentation, consumer notification, record retention, data rectification rights, and personal review rights, and covers decisions ranging from education, employment, housing, financial or loan services, insurance, health care, and essential government services and public benefits.
