Congress is trying again to enact a national data privacy law. While it would create new protections in some states, it could weaken privacy rights in others and lacks key elements privacy advocates consider essential.
The SECURE Data Act, developed by a Republican working group led by Rep. John Joyce and introduced with House Energy and Commerce Committee Chair Brett Guthrie, would require companies to collect only necessary user data, let users access and delete their data, and obtain explicit consent before collecting sensitive information.
The Federal Trade Commission and state attorneys general could enforce the law. A related bill, the GUARD Financial Data Act, focuses on consumer financial data.
This is part of a long-standing effort to establish federal privacy protections, following past failures to gain congressional support. In 2024, discussions on a bipartisan proposal were canceled due to House Republican opposition. Guthrie and Joyce said the working group’s aim is to “reset the discussion on comprehensive data privacy.”
The SECURE Data Act could offer new protections for many Americans, as only about 20 states currently have comprehensive data privacy laws, many of which received poor grades from advocacy groups. It would also add protections for data on teens aged 13 to 15.
However, the bill doesn’t allow individuals to sue for privacy violations, doesn’t require sites to recognize universal opt-out mechanisms, and excludes pseudonymous data from some protections. It also seeks to override state laws that offer equivalent or stronger protections, such as those in California and Maryland.
The Future of Privacy Forum (FPF), an organization with tech platform members, notes that while the bill surpasses some state laws, it is generally less thorough than California’s standards. Some definitions in the bill, like “biometric data,” are more restricted than in many state laws.
Oregon, Delaware, Maryland, and Minnesota allow consumers to request the identity of third-party recipients of their data, a right that would likely be overridden. The Electronic Privacy Information Center (EPIC) opposes the bill, arguing it would eliminate crucial privacy protections without providing meaningful safeguards.
Business groups support the bill, including its preemption of state laws. They argue that tracking and complying with numerous state laws is burdensome for small businesses. Several industry groups back the bill, stating it would end a confusing patchwork of state laws that harm consumers and small businesses.
Democrats, who typically oppose broad preemption and support a private right of action, are not yet supporting the measure. Its sponsors hope to gain their backing after the bill passes out of the committee along party lines. FPF suggests that elements missing from the bill might be intended for negotiation later.
If the bill is enacted, states might argue that their standards should remain in force, asserting they do not directly relate to the federal standard. California’s law might resist preemption because it covers areas the federal bill doesn’t address, like employee and B2B data.
With midterm elections approaching, the bill faces a challenging journey, and while a federal privacy law is seen as crucial, there are concerns this bill won’t achieve significant progress.
