
Congress Wants One National Privacy Law — But It Would Kill Stronger State Protections

The United States is the only major democracy without a comprehensive federal privacy law. On April 22, House Republicans introduced a bill that would change that — but privacy advocates warn it would do more harm than good.

The SECURE Data Act

The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (HR 8413), introduced by Rep. John Joyce of Pennsylvania and eight co-sponsors on the House Energy and Commerce Committee, would create the first national standard for consumer data privacy. A companion bill, the GUARD Financial Data Act, would modernize the 1999 Gramm-Leach-Bliley Act governing financial data.

On paper, the consumer rights look reasonable:

  • Access and portability — the right to see what data companies hold about you and export it
  • Deletion — the right to have your data removed
  • Opt-out — the ability to say no to targeted advertising, data sales, and profiling used for decisions that affect you
  • Sensitive data consent — companies would need your explicit permission before processing health, biometric, financial, or precise location data
  • Youth protections — opt-in consent and parental verification for anyone under 16, extending COPPA protections by three years

The bill also requires data minimization, limiting collection to what is “adequate, relevant, and reasonably necessary.” Data brokers would need to register with the FTC, which would maintain a public registry.

The Preemption Problem

Here’s where it falls apart. Section 15 of the bill states that no state may “prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law” relating to the Act’s provisions. That’s total preemption — every state privacy law in the country gets overwritten.

Twenty-one states have already enacted consumer data privacy laws. Several go significantly further than the SECURE Data Act:

  • California’s CCPA/CPRA includes a private right of action for data breaches and established the first standalone state privacy enforcement agency
  • California’s DELETE Act created a centralized opt-out platform where you can remove your data from all registered data brokers with a single request — the SECURE Data Act has nothing comparable
  • Maryland and Oregon ban the processing of certain sensitive data categories outright, rather than just requiring consent
  • Florida allows teens to consent to their own data processing in some cases, rather than requiring parental permission until 16

All of this would be wiped out and replaced with a single federal standard that, in many cases, acts as a ceiling lower than what several states already provide.

No Right to Sue

The bill’s most glaring gap: there is no private right of action. If a company violates your privacy rights under this law, you cannot sue them. Enforcement rests entirely with the FTC and state attorneys general.

This is a dealbreaker for privacy advocates. The ACLU’s Cody Venzke said the bill “opts for letting Big Tech and the government continue to invade our privacy” by placing the burden on individual consumers to manage their privacy while stripping them of the ability to hold companies accountable in court.

Eric Null of the Center for Democracy and Technology was more pointed: the bill would “federally codify industry-favored state privacy rules while preempting state laws that include stronger protections” and “cement the harmful online data practices that Americans need and want a privacy law to fix.”

What’s Missing

Beyond the enforcement gap, the bill lacks several protections that privacy experts consider baseline requirements in 2026:

  • No AI governance rules — nothing about algorithmic decision-making, automated profiling transparency, or AI-driven surveillance
  • No restrictions on selling sensitive location data — data brokers can still sell information about where you go, as long as they register with the FTC
  • No protections against doxxing of public servants — Justin Sherman of the Security Project at Public Service Alliance flagged that the bill fails to protect lawmakers, judges, school board members, and 911 operators from having their personal information sold and weaponized
  • No centralized data broker opt-out — unlike California’s DELETE Act, there’s no single mechanism for consumers to remove their data from all brokers at once

The Political History

This isn’t the first attempt. In 2022, the bipartisan American Data Privacy and Protection Act (ADPPA) had broad support in the House but was blocked by Republican leadership. The SECURE Data Act uses a lower revenue threshold for small business exemptions ($25 million vs. ADPPA’s $40 million) but otherwise retreats from the bipartisan bill’s stronger protections — particularly on private enforcement.

The bills were introduced exclusively by Republicans. Without Democratic co-sponsors or support from privacy advocacy groups, the path to passage through both chambers remains uncertain.

Why This Matters

Americans need a federal privacy law. The current patchwork of state laws creates genuine compliance challenges for companies and leaves people in states without privacy laws with essentially no data rights. The concept of a national standard is right.

But a national standard that eliminates the ability of states to innovate stronger protections — and doesn’t let you sue when your rights are violated — isn’t really a privacy law. It’s a compliance simplification bill for the companies collecting your data.

The European Union figured this out with the GDPR in 2018. That law sets a high floor and lets member states go further. It includes a right to compensation for data protection violations. It mandates data protection impact assessments for high-risk processing, including AI systems. The SECURE Data Act reads like the US looked at the GDPR and chose the opposite approach on every contentious point.

What You Can Do

  • Contact your representatives and tell them a federal privacy law needs a private right of action, not just FTC enforcement. The FTC is already overstretched.
  • Support your state’s privacy law. If you live in a state with existing protections (California, Colorado, Connecticut, Virginia, and others), tell your legislators that federal preemption of stronger state laws is unacceptable.
  • Don’t wait for legislation. Use privacy tools now — encrypted email, privacy-respecting cloud storage, browser extensions that block trackers. No matter what Congress does, the best protection is minimizing the data that gets collected about you in the first place.
  • Use services in jurisdictions with real privacy protections. Swiss privacy law already provides what the SECURE Data Act promises, without the loopholes. Your data stored in Switzerland isn’t subject to US data broker markets or warrantless government access.
