The SECURE Data Act, introduced by House Republicans, aims to set a federal baseline for consumer data privacy but is widely viewed as a step backward relative to existing state laws and prior congressional efforts. Privacy advocates warn it could erase key protections and limit enforcement options for consumers.

  • Preempts many existing state privacy protections
  • No private right of action for consumers
  • Fails to ban targeted online behavioral advertising

What happened

The SECURE Data Act was introduced recently by Republicans on the House Energy and Commerce Committee without bipartisan backing. It proposes certain consumer rights such as access, correction, deletion, and limited portability of personal data—rights that mirror previous data privacy proposals. The bill also mandates companies obtain consent before processing sensitive data or using personal information for new purposes and allows opt-outs from targeted advertising and data sales.

Despite these provisions, the bill has significant shortcomings. It lacks explicit consumer enforcement powers, known as a private right of action, meaning individuals cannot sue companies for violations. Additionally, it contains weak opt-out requirements and broad loopholes, offering companies expansive freedom to continue collecting and profiting from personal data. Importantly, the bill’s scope would also override numerous state laws designed to protect consumer privacy.

Why it matters

This legislation’s preemption clause threatens to invalidate 21 state-level consumer privacy laws passed in recent years along with other state privacy and data breach statutes. While state laws are often criticized for inconsistency, most currently provide stronger protections than those proposed federally. Key state measures like California’s data broker deletion tool and mandatory compliance with automatic opt-out signals would be compromised.

The absence of a private right of action critically weakens consumer enforcement, as regulatory bodies such as the FTC and state attorneys general cannot monitor and penalize every violation. Also, allowing companies a 45-day period to fix violations without penalty further hinders robust enforcement. Without state-level protections and meaningful enforcement, consumer data privacy could substantially erode under this bill.

What to watch next

Observers should track how the bill progresses through Congress, especially whether bipartisan support emerges or if amendments address current weaknesses. Advocacy from privacy groups and public pushback could influence modifications towards stronger consumer protections and enforcement mechanisms.

Additionally, it will be important to watch state responses. States may seek to challenge federal preemption or adapt laws to maintain privacy standards. The ongoing debate will likely highlight broader tensions between federal uniformity and states’ abilities to protect their residents’ digital privacy rights amid rising data exploitation.

Source assisted: This briefing began from a discovered source item from EFF Updates.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published.