Energy companies may not be thinking much yet about federal legislation to regulate the consumer data they hold, but they should be. Privacy is shaping up to be a key legislative topic this year.

Why would an energy company need to care about privacy legislation? Because lots of different energy companies have extensive consumer data. Oil companies’ service station loyalty programs, electric utilities’ customer data—these are among the many types of consumer data that might end up being regulated under legislation Congress is expected to consider. Any company with large amounts of consumer data should pay attention to the issue. In addition, HR data may be covered by privacy legislation, affecting every US company whether or not it holds consumer data.

Why is Congress considering the issue at all? Many reasons. But one key reason is that in 2018 the California legislature passed a bill known as the California Consumer Protection Act of 2018 (CCPA). This bill gives consumers rights over the use of data about them. Specifically, the CCPA gives consumers the right to request businesses to disclose the information they have about them; to delete information about them; and to opt out of information about them being sold to other businesses. On their face, these requirements sound reasonable, but because of significant flaws in the way the California law is written, they would disrupt or preclude many legitimate and valuable data uses. Moreover, some of the terms are quite vague, and violation of the law carries heavy penalties. Importantly, the term “consumer” is broadly defined to include HR data and beyond.

California was on the verge of a ballot initiative that would have required many of the same things. However, if a ballot initiative had passed, the legislature wouldn’t have had a chance in the future to correct unintended consequences arising from it. Though many have identified serious concerns with the CCPA, a ballot initiative would have caused greater havoc.

If Congress is going to enact a bill, there are some common elements that many agree should be included. One is preemption of state laws covering these issues. Companies that operate across state lines need uniform rules in how they handle consumer data so they do not face conflicting requirements from different states. Already a dozen or more states are considering legislation like California’s. Another key provision is reasonable penalties. A company that faces a penalty of, say, $50 per day per violation in how they have handled consumer data, where the number of violations is calculated by determining the number of consumers potentially affected, and perhaps also the number of days of violation, quickly could find itself facing potentially billions in penalties.

In exchange for preemption and reasonable penalties, lawmakers may require that businesses agree to be accountable in various ways for their data practices—keeping data secure, properly training employees, assuring that data is used consistent with the context of the consumer relationship, assuring that any entity with whom data is shared also abides by the rules that apply to the data, and so on. They also may provide consumers with specific rights regarding data about them, such as the ability to access the data, to request that inaccurate data be corrected, to opt out of data about them being processed in certain ways, and to request its deletion.

Some companies—utilities, for example—already may face restrictions with respect to their data under state utility regulation. Energy companies already are under legal obligations to keep their systems secure. It will be important to assure that existing regulation is accounted for in federal legislation, to avoid duplication or conflicting requirements.

If Congress doesn’t act, companies quickly could face widely divergent or conflicting consumer data requirements in multiple states, high penalties, and possibly consumers banding together in class actions to sue for violations. Congress is only in the early stages of considering legislation, and a strong consensus has yet to emerge among the business community on the elements that should be in a bill. However, the stakes are high, and a lack of federal action would bring high risks. Usually, those factors are a strong impetus for legislation to be enacted.