The SECURE Data Act: What Businesses Need to Know About the New Federal Privacy Bill
On April 22, 2026, House Republicans introduced H.R. 8413, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the "SECURE Data Act" or the "Act"), marking the most significant attempt at comprehensive federal privacy legislation in years. The bill was introduced by Rep. John Joyce (R-PA), Vice Chairman of the House Committee on Energy and Commerce (the "Committee"), after more than fourteen months of stakeholder engagement by the Data Privacy Working Group, which Rep. Joyce and Committee Chairman Rep. Brett Guthrie (KY-02) established in February 2025. If enacted, the SECURE Data Act would establish a single, uniform national standard to replace the current patchwork of more than twenty state comprehensive consumer privacy laws.
Key Provisions at a Glance
- Consumer Rights. At its core, the Act establishes a familiar set of consumer privacy rights drawn from the existing state privacy law landscape. Individuals would have the right to access, correct, delete, and obtain a portable copy of their personal data from covered entities, as well as the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities that produce legal or similarly significant effects.
- Data Minimization and Purpose Limitation. Controllers would be required to limit data collection to what is "adequate, relevant, and reasonably necessary" for the disclosed processing purposes, and to obtain consumer consent before using personal data for secondary purposes that were not disclosed at collection.
- Opt-in for Sensitive and Children’s Data. The bill mandates opt-in consent before processing "sensitive data," a category that includes data revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for identification purposes, precise geolocation data, and — notably — personal data of teenagers between the ages of thirteen and sixteen, for whom verified parental consent would be required. While the bill’s protections for teens effectively extend the age range subject to heightened consent requirements beyond COPPA’s under-thirteen threshold, the SECURE Data Act does not amend COPPA itself; rather, it creates a parallel regime for teen data (ages 13–16) under federal privacy law.
- National Data Broker Registry. The Act would also create a national data broker registry administered by the Federal Trade Commission. Data brokers, defined as controllers that collect and process personal data of individuals who are not customers, clients, users, readers, or subscribers of the controller, and that derive fifty percent or more of annual gross revenue from the sale of such personal data, would be required to register annually and provide public-facing disclosures about their practices. This mirrors the data broker registration laws already in place in states such as California and Vermont.
- Cross-Border Data Flows and Voluntary Codes of Conduct. One distinctive feature of the bill is its codification of the Secretary of Commerce's role as lead advisor on international data flows and personal data protection in cross-border commerce. The Secretary would be authorized to recognize voluntary codes of conduct, and entities that conform to such codes under independent organizational oversight would receive a rebuttable presumption of compliance with the Act.
- Non-Waiver and Non-Discrimination. The Act provides that any contractual provision purporting to waive or limit consumer privacy rights is void and unenforceable as contrary to public policy. The bill also prohibits controllers from discriminating against consumers who exercise their privacy rights — for example, by denying goods or services, charging different prices, or providing inferior quality — although bona fide loyalty and rewards programs are expressly carved out.
Scope, Applicability, and Exemptions
The Act would apply to businesses subject to the FTC Act, as well as to common carriers subject to Title II of the Communications Act of 1934, that conduct business in the United States and meet one of two thresholds, both of which will look familiar from the state privacy laws:
(1) processing or controlling the personal data of at least 200,000 U.S. consumers annually and having at least $25 million in annual gross revenue, or
(2) deriving twenty-five percent or more of gross revenue from the sale of personal data and processing the personal data of at least 100,000 consumers. Personal data processed solely to complete a payment transaction does not count toward these consumer thresholds.
Like many state laws, the bill exempts government entities, nonprofit organizations, and institutions of higher education. It also exempts entities and data already subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA); GLBA-regulated financial data is addressed separately in a companion bill, the GUARD Financial Data Act. Because these are entity-level exemptions, the federal law would reach fewer organizations than some state consumer privacy laws, which exempt only the regulated data itself (PHI under HIPAA and NPI under GLBA) rather than the entire entity.
Preemption of State Privacy Laws
Perhaps the most consequential, and most controversial, feature of the SECURE Data Act is its broad preemption provision. The bill would prohibit states from enacting or enforcing laws that "relate to" its provisions, a formulation that would appear to displace existing state comprehensive privacy laws, data broker registries, and possibly some sectoral state laws. As the IAPP notes, the bill "would embrace a strong preemption regime, rendering moot any state law or provision that 'relates to' its provisions." Broad preemption was a sticking point for earlier bills such as the American Data Privacy and Protection Act ("ADPPA"), which the Committee approved in 2022 but which was never brought to a floor vote. Proponents of broad preemption argue that businesses should have one standard to follow, not fifty-one. Critics, including California's privacy regulator, the California Privacy Protection Agency ("CPPA" or "CalPrivacy"), argue that a federal law should act as a "floor," not a "ceiling."
The CPPA has been particularly vocal in its opposition, releasing a formal letter urging Congress to reject the bill. Tom Kemp, Executive Director of CalPrivacy, stated: "A strong federal privacy law is worth pursuing, but it should not strip away rights that tens of millions of people already depend on. The SECURE Act would set privacy rights back and make it much harder for consumers to exercise them in this AI-driven world where personal data is being collected at unprecedented scale." The CPPA argues that the bill would, among other things, eliminate consumers' ability to use the state's consumer-friendly Delete Request and Opt-out Platform (“DROP”) and would remove the requirement for businesses to honor opt-out preference signals — protections that currently benefit over 100 million Americans.
Supporters counter that a uniform national standard is long overdue, arguing that the current patchwork of state laws creates an untenable compliance burden for businesses operating across multiple jurisdictions. The U.S. Chamber of Commerce and other business associations have publicly welcomed the legislation, noting that "national standards lower barriers to entry for new firms and increase consumer choice."
Business Implications: Benefits and Burdens
For businesses, the SECURE Data Act presents a mixed picture. On the positive side, a single federal standard would dramatically simplify compliance for companies currently navigating the requirements of twenty or more state privacy regimes. The bill's alignment with the consensus framework already adopted by a majority of states means that organizations with mature state-law compliance programs would have a head start.
However, several features of the bill have drawn criticism. The Center for Democracy and Technology's Eric Null has called the bill full of "easily exploitable loopholes" that allow companies to "hide behind cookie banners and terms of service," and has argued that the data minimization language "lacks teeth." The SECURE Data Act also does not require data protection impact assessments. And while Section 10 mandates a study on the feasibility of universal opt-out mechanisms within three years of enactment, the bill does not require controllers to honor such mechanisms in the interim, a departure from the more protective state laws that already require businesses to honor opt-out preference signals. Finally, the Act would impose entirely new compliance obligations on covered businesses that are not already subject to any of the twenty or more state privacy regimes.
Enforcement would rest with the FTC and state attorneys general, subject to a guaranteed notice-and-cure provision: regulators must give written notice of an alleged violation and allow at least forty-five days for the entity to remedy it. Importantly, the bill does not include a private right of action, a deliberate choice that is consistent with most state privacy laws but a persistent point of Democratic opposition. Individuals therefore could not sue companies directly for violations of the federal framework, which consumer advocacy groups argue weakens accountability.
Notably, the bill also includes a tiered effective date structure. Consumer privacy rights (Section 2), data security requirements (Section 4), and data broker obligations (Section 5) would take effect one year after enactment, while the remainder of the Act — including controller obligations, codes of conduct, cross-border data flow provisions, and enforcement mechanisms — would take effect two years after enactment. This phased timeline would require covered entities to prioritize implementation of consumer-facing rights and data security measures first.
The bill also caps the number of free consumer privacy requests at two per year, after which businesses may charge fees or disregard additional requests — a provision CalPrivacy argues could disproportionately harm vulnerable populations, such as domestic violence victims and data breach survivors.
Outside Perspectives
Commentary from the legal and privacy communities has been swift and divided largely along partisan and advocacy lines:
- Matt Davis, writing for Osano (a consent management and privacy compliance platform company), characterized the bill as bearing "the same Achilles' heel as APRA and ADPPA" — referring to the preemption issue that torpedoed prior federal privacy efforts — and questioned whether the result would be different this time. (https://www.osano.com/articles/secure-data-act-federal-data-privacy-law)
- Attorneys at the law firm Taft note that while the bill's "closer alignment with state law frameworks, combined with its meaningful protections for children and teens, may give it more negotiating surface than its predecessors," the preemption question remains the central challenge. (https://www.privacyanddatasecurityinsight.com/2026/04/a-new-push-for-federal-privacy-law-what-to-know-about-secure-and-guard/)
- Privacy and Data Security attorneys at Venable observe that the bill "represents renewed momentum toward a comprehensive federal privacy framework grounded in widely adopted state law concepts," while urging companies to monitor the legislative process closely. (https://www.venable.com/insights/publications/2026/04/secure-data-act-congress-introduces-new-federal)
- Ballard Spahr attorneys similarly recommended that businesses already complying with state frameworks "evaluate whether their existing programs satisfy the SECURE Data Act's requirements, particularly with respect to data broker registration requirement, data use and minimization obligations, and the consumer rights provisions." (https://www.cyberadviserblog.com/2026/05/u-s-house-committee-releases-secure-data-act-to-establish-new-federal-privacy-framework/)
- The Center for Democracy and Technology's Eric Null further criticized the bill for being notably silent on AI and large language models, calling this a significant gap given the privacy risks that generative AI presents.
- Meanwhile, Democratic leadership has been sharply critical. Ranking Member Frank Pallone (D-NJ) accused Republicans of having "lost the plot," arguing the bill "protects corporations and their bottom line, not people's privacy."
Legislative Status and Outlook
The SECURE Data Act is currently pending before the House Energy and Commerce Committee. The House Subcommittee on Commerce, Manufacturing, and Trade is expected to schedule a legislative hearing in the near term, at which members and witnesses will have an opportunity to comment publicly on the bill. Following the hearing, the subcommittee would hold a markup, at which members may offer amendments, before the bill advances to a full committee vote.
It is still early days for the bill, which so far has only been introduced and referred to the Committee. To become law, it would need to be approved by the Committee, pass a full House vote, and then clear the Senate in both committee and on the floor, where it would need sixty votes to overcome a filibuster, before being signed by the President. The bill's sponsors deliberately spent more than a year building intra-Republican consensus before introduction, likely a direct response to the last-minute Republican defections that killed the ADPPA and other federal privacy bills at the committee stage. Still, the bill currently lacks bipartisan support, and the familiar fault lines of preemption, enforcement mechanisms, and the private right of action continue to define the debate.
Regardless of the ultimate fate of this bill, the signal to businesses is clear. To the extent they have not already done so under the state laws that apply to them, companies should be updating their public privacy notices; building consent and data governance frameworks and mechanisms; reviewing contracts with the vendors, business partners, and service providers with whom they share data; and auditing their practices for collecting, using, retaining, and sharing data, with particular attention to online marketing and targeted advertising and to the handling of sensitive data and the data of minors. Whatever form the Act takes as it moves through the legislative process, these measures will be central to any federal privacy law that is ultimately enacted, just as they are to the state comprehensive privacy laws already in effect or taking effect soon.
This article is provided for informational purposes only and does not constitute legal advice. Readers should consult with qualified legal counsel regarding how the SECURE Data Act or any pending legislation may affect their specific operations and compliance obligations.
About Maynard Nexsen
Maynard Nexsen is a nationally ranked, full-service law firm with more than 600 attorneys nationwide, representing public and private clients across diverse industries. The firm fosters entrepreneurial growth and delivers innovative, high-quality legal solutions to support client success.