
Published on May 14, 2026

The United States needs a federal consumer data privacy law, but not one like the recently proposed SECURE Data Act.

On April 22, Republicans on the House Energy and Commerce Committee introduced the SECURE Data Act (H.R. 8413), making it the first attempt at comprehensive privacy legislation in years; unfortunately, the bill is a disaster, as it would erase too much state-level progress.

The main problem with the SECURE Data Act is the issue of federal preemption. The bill would preempt all state legislation, effectively eviscerating strong state legislation like California’s CCPA (2018) and CPRA (2020).

The preemption problem

Nobody, myself included, wants businesses to have to deal with a patchwork of data privacy laws. We absolutely need a federal data privacy law on the books. That said, any federal law should build on top of state-level laws; it shouldn’t dilute existing laws, rendering them unenforceable, and erasing years of state-level legislative work.

As of May 2026, the U.S. has comprehensive privacy legislation in 21 states: Alabama, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

Of course, there is a great deal of nuance here, as some states have stronger laws than others. Nevertheless, any proposed federal law should be treated as a floor to build on top of these state-level laws, rather than a ceiling.

I agree with the Electronic Frontier Foundation’s Mario Trujillo, who writes, “Federal privacy laws should allow states to build ever stronger rights on top of the federal floor. Many federal privacy laws allow this, including the Health Insurance Portability and Accountability Act (HIPAA).”

Which businesses are affected

The proposed bill would apply to all businesses subject to the FTC Act, as well as all businesses in the U.S. that process the personal data of 200,000 U.S. consumers or more.

There is a second threshold as well: any business that processes the data of more than 100,000 U.S. consumers and derives more than 25% of its revenue from selling that data would also be subject to the SECURE Data Act.

As it stands, the proposed bill exempts businesses with less than $25m in adjusted gross annual revenue.

Key provisions of the bill

The SECURE Data Act mandates that U.S. consumers be given a clear mechanism to opt out of targeted advertising practices as well as the sale of their personal data.

Were the bill to pass, many businesses that process and control consumer data would be forced to obtain opt-in consent before they processed any sensitive consumer data, including geolocation, financial information, and health data. Also, the bill would require businesses to get parental consent before processing the personal data of kids aged 13-16.

Data broker registry

This is my favorite part of the proposed bill. The SECURE Data Act would create a federally mandated data broker registry. Maintained by the FTC, this registry would require many data brokers to register every year and disclose all of their data collection and sales activities.

All data brokers that make over 50% of their profits by selling our personal data would be forced to register in the FTC’s public database. This is a wonderful development.

Enforcement

Here is where things get problematic for privacy advocates. The SECURE Data Act mandates that all enforcement be handled by the FTC and state attorneys general.

Particularly problematic for most privacy advocates, the proposed bill doesn’t include a private right of action, meaning that consumers cannot file civil suits against law-breaking companies. Only the FTC and state attorneys general can enforce the SECURE Data Act.

Moreover, the proposed bill includes a “45-day notice-and-cure provision,” meaning that a company caught breaking the law has 45 days to “cure” the violation before facing any penalty.

Personally, the lack of a private right of action isn’t a deal-breaker, and I think future iterations of this bill can reach a compromise on this issue.

No private right of action

Although privacy rights activists are up in arms about the lack of a private right of action, Electronic Privacy Information Center (EPIC) Deputy Director and Policy Director Caitriona Fitzgerald suggests that a compromise version of a private right of action could be reached down the line.

As Fitzgerald writes, “Previous bipartisan privacy proposals, such as the American Data Privacy and Protection Act and the American Privacy Rights Act, proposed a compromise version of a private right of action that allowed for injunctive relief so that consumers could force companies to stop violating the law, but did not allow for statutory damages.”

I think such a “compromise version” of a private right of action could get future iterations of this bill across the finish line.

The issue of “notice and choice” and burying fine print in the privacy policy

Another important issue to highlight is “notice and choice”; this is a common model in data privacy that allows companies to collect our data as long as they tell us what they’re doing with it (and give us an option to opt out).

The problem with “notice and choice” is that sometimes exactly how the data is being used is buried in the companies’ privacy policies. And who reads these?

Also, many times, the consumers’ choice to allow data collection is bundled with the service itself, creating a take-it-or-leave-it situation.

Similarly, companies sometimes bundle user consent for necessary data collection (e.g., a navigation app needing our location data in order to provide us with directions) with totally unrelated uses (e.g., selling our location data to third-party advertisers or data brokers).

A far better policy is to mandate that companies adhere to data minimization requirements. For example, some state-level laws prevent companies from collecting consumer data beyond what is necessary to fulfill the requested service. This way, even if the consumer technically gives his or her consent, it is still illegal for companies to surreptitiously over-collect and profit from that user’s data in other ways.

The SECURE Data Act perpetuates the notice-and-choice model, as opposed to requiring that companies adhere to data minimization. This is a shame.

Maryland’s data privacy law has an excellent data minimization standard, as did two other previous bipartisan federal bills: American Data Privacy and Protection Act (ADPPA) and American Privacy Rights Act (APRA). It’s too bad the SECURE Data Act didn’t have such a standard.

Support for the SECURE Data Act

I’d be remiss if I didn’t point out that many folks are happy with the proposed bill. As an example, Adam Thierer, a senior fellow at the R Street Institute, was excited to see the bill not include a private right of action. Thierer writes, “Importantly, the SECURE Data Act wisely does not include a PRA, which would only exacerbate America’s growing over-litigation problem.”

And of course, many lobbyists and lawmakers are rejoicing at the chance to dilute the CPRA and other state laws. For example, advocacy group Americans for Tax Reform and twenty-three other center-right groups are particularly excited by the prospect of the SECURE Data Act passing.

The self-proclaimed center-right groups collectively write, “If all 50 states move forward with their own privacy laws, it could cost the American economy over $1 trillion in the next decade, with $200 billion of that burden falling on small businesses.” These 24 groups want to see “strong preemption, with no private right of action and no open-ended rule-making authority for federal agencies or additional state regulations.”

My take

I agree with the EFF’s contention that “the bill is weaker than congressional proposals in prior years, as well as most of the 21 state consumer privacy laws already on the books.”

The fact that the SECURE Data Act preempts existing state-level laws ultimately makes this a bad bill.

Aside from the federal preemption problem, which is a deal-breaker in and of itself in my mind, there are several other issues with the SECURE Data Act. As it stands, the bill perpetuates the “notice and choice” status quo, allowing organizations to obfuscate how they process consumer data, as they bury the specifics deep in their corporate privacy policies. Given that few consumers bother to read or understand corporate privacy policies, data minimization provisions would be much better than this “notice and choice” approach.

Unlike other privacy advocates, I am less concerned about the bill’s failure to include a private right of action. That’s not a deal-breaker for me. However, I am inclined to agree with EPIC’s Fitzgerald, who writes, “The combination of minimal consumer protections, weak enforcement, and insanely expansive preemption of state laws makes the SECURE Act a disaster for Americans’ privacy.”

That said, there are some great things inside the proposed SECURE Data Act. I particularly like the call for a federal data broker registry. It’s refreshing to see politicians on both sides of the aisle ready to crack down on the data brokerage industry, a particularly pernicious part of the data surveillance apparatus.

John Donegan


Enterprise Analyst, ManageEngine
