SECURE Data Act: Analysis of the new federal privacy bill

The IAPP's Washington, D.C., office reviews the first public draft of U.S. House Republicans' consumer privacy bill, the first major federal consumer privacy bill released in years.

Contributors:
Cobun Zweifel-Keegan
CIPP/US, CIPM
Managing Director, D.C.
IAPP
David Botero
Westin Fellow
IAPP
On 22 April 2026, U.S. House Energy and Commerce Committee Vice Chairman John Joyce, R-Pa., introduced a long-awaited comprehensive consumer privacy bill, HR 8413.
The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act embodies the work undertaken by the Privacy Working Group established by Chairman Brett Guthrie, R-Ky., in February 2025. This is the first major attempt in the 119th Congress to establish comprehensive consumer privacy rules, a task that otherwise has fallen to the states.
The bill text represents an opening salvo in the long legislative process. It is likely to be refined significantly as negotiations continue in the months ahead. To that end, the Working Group staffers say they welcome feedback from the privacy community.
As for the usual sticking points for federal consumer privacy bills, there are no surprises here. As a partisan Republican bill, the draft does not include a private right of action, though the drafters of the bill are quick to point out that neither does the so-called consensus framework in the states. Instead, like prior proposed federal frameworks, it would empower both the U.S. Federal Trade Commission and state attorneys general to enforce the provisions of the law.
As introduced, the SECURE Data Act would embrace a strong preemption regime, rendering moot any state law or provision that "relates to" its provisions. This would likely preempt state consumer privacy laws, data broker registries and possibly some sectoral state laws. Provisions of the law would go into effect within one to two years.
Catching up with the states
Overall, this first iteration of the bill reflects the common baseline elements of U.S. state consumer privacy laws, albeit in slimmed down form. With notable deviations, it follows the general structure of the so-called "Washington state" model, conforming closely to the version passed in Virginia. Close state observers will also note similarities to Kentucky, Guthrie's home state, which made some enhancements to Virginia's model.
Many thresholds, more exemptions
The SECURE Data Act adopts the state model for thresholds of applicability based on number of consumers. Any company that processes the data of more than 200,000 U.S. consumers would be subject to the provisions of the law, mirroring the threshold in the prior American Privacy Rights Act, while eschewing that bill's complex nesting obligations around various types of covered entities. When adjusted for population, this is significantly more inclusive than any state except for Texas and Nebraska, which do not have a population threshold.
However, the bill would exempt businesses with less than USD25 million in adjusted gross annual revenue, an additional threshold meant to carve out small businesses. This is less inclusive than the usual USD7.5 million that applies to those states that partially exempt businesses based on the Small Business Administration guidelines. But it is more inclusive than APRA, which would have exempted small businesses with less than USD40 million in revenue. Separately, the bill includes an on-ramp for small business compliance, instructing the Secretary of the Department of Commerce to create a code of conduct that could incentivize small businesses to comport with privacy best practices.
Any business that sells personal data would fall into coverage of the law through a separate standard, similar to the states, which is triggered if it processes data about more than 100,000 U.S. consumers and derives more than 25% of revenue from selling personal data. The first prong, adjusted for population, again applies to more companies than any state, while the second is as strong as any state except Connecticut, which has no percentage of revenue threshold for data sales, as well as Delaware, Maryland and Rhode Island, which each kick in at the 20% mark.
Beyond the baseline thresholds, the law carves out existing federal privacy frameworks from coverage. It includes entity-level exemptions for all government entities and processors acting on their behalf, as well as entities covered by financial privacy laws, among others. And it includes data-level carve-outs for a long list of data types, including employee data, health records, credit reports and any personal data intermingled with exempt data types.
Data rights for all
Obligations to respect data requests are table stakes for privacy legislation. The SECURE Data Act preserves the categories of data rights that most states have adopted. The proposed text, if approved, would grant consumers the right to access, correct and delete their personal data. The bill also includes provisions that would permit consumers to obtain a copy of their personal data in a format that is both portable and usable. Additionally, the bill provides consumers with the right to opt out of sales, targeted advertising and reliance on profiling to make a decision that has legal or similarly significant effects on the consumer. This approach is closer to the one adopted in the Washington model, adopting all of the widely accepted rights, as 20 states have granted a similar group to consumers. The only exception is Iowa, which does not have a right to correct or a right to opt out.
The bill also adopts many other common privacy legislative mechanisms from the state framework and beyond, including distinct obligations for controllers and processors, a restriction on processing sensitive data without first receiving the consumer's opt-in choice, and a data broker registration list.
The requirement for data brokers to register looks a lot like the handful of state-level registration rules, excepting the most recent innovations seen in the California DELETE Act, such as its centralized opt-out platform.
Teen data is sensitive
The SECURE Data Act does not shy away from reflecting the Energy and Commerce committee's strong desire to expand youth privacy protections. Personal data about teens under age 16 would be treated as sensitive data under the draft bill. Sensitive data processing requires opt-in consent, and parents would be required to provide verified parental consent for this age group, expanding the Children's Online Privacy Protection Act requirement by three additional years of age.
Although several states include enhanced privacy protections for teenagers, this sensitive data approach recognizing only parental consent is unique. Florida's consumer privacy law embraces a similar structure for all consumers under age 18 but allows teens to provide their own consent. Maryland and Oregon take the approach of banning certain types of processing outright for minors, while Colorado, Connecticut and Montana take a duty of care approach.
Other than the departure around children's data, the bill adopts Kentucky's sensitive data definition word-for-word. That children's data modification also drops the word "known" from in front of "child." In fact, the bill is entirely silent on knowledge standards, a fact that is likely to spark feedback from the privacy community.
Sensitive data coverage is one of the most varied aspects of state privacy laws. In adopting the Kentucky standard, the bill limits this definition to only those categories that are reflected in some form across all 21 state laws — the consensus approach.
Cross-border data and codes of conduct
Probably the most striking departure in the bill from the state framework is a section related to the flow of personal data across borders. The bill would enshrine in statute the long-held role of the secretary of commerce as an advisor and representative of the U.S. federal government on "international data flows and the protection of personal data in international commerce." More significantly, through the secretary's reaffirmed role, the bill would codify the longstanding policy position of the U.S. — which has come under question in recent years — in favor of facilitating the "flow of data for commercial purposes" in a manner that protects personal data in international commerce.
The secretary of commerce would also be granted new powers to recognize codes of conduct that encourage the spread of privacy best practices among specific sectors or groups of companies. The bill requires codes of conduct to be voluntary and enforceable by independent organizations, with a referral mechanism in place to enforcement authorities, and to meet or exceed the compliance obligations in the law.
Companies that conform to codes of conduct under the oversight of independent organizations would receive a rebuttable presumption of compliance with the SECURE Data Act. The existing multilateral Cross-Border Privacy Rules and Privacy Recognition for Processors codes would be the only ones recognized statutorily to receive this rebuttable presumption as soon as the law goes into effect.
Absent… and accounted for?
While the SECURE Data Act preserves the essence of the current state patchwork, there are some topics that are conspicuously absent from the draft.
Most notable is the absence of any data protection impact assessment obligation, which is otherwise required in nearly all states with comprehensive consumer privacy laws. In fact, Kentucky recently amended its law to include a DPIA requirement for profiling, which is not reflected in the federal draft. Instead, the authors of the federal framework decided to follow the example of Alabama, Iowa and Utah by not mandating these assessments.
Reference to automated decision-making technologies is also absent from the draft, along with any explicit reference to artificial intelligence. This is one issue on which the Working Group sought stakeholder comments, and many commenters seemed to express reservations about the inclusion of ADMT rules. Their absence also likely reflects the White House's intentions to tackle AI, and to preempt state standards, in separate legislation.
Nevertheless, a narrow set of standards providing an opt-out from automated profiling is included in the bill. Decisions made in reliance on fully automated profiling, with no human review, involvement, oversight or intervention, must be disclosed with an opportunity to opt out.
Speaking of opt-out mechanisms, another intentional omission in the SECURE Data Act is the lack of a requirement for controllers to recognize universal opt-out mechanisms. At least 11 of the 21 states with comprehensive consumer privacy laws now require recognition of these signals in some form.
Perhaps reflecting the open technical questions that remain for these requirements, the SECURE Data Act instead empowers the Secretary of Commerce to conduct a study of UOOMs and publish a report on its findings within three years of the bill's enactment. This study would have to review commercially available technologies, be open to public consultation and evaluate the feasibility of the technologies as tools for beneficial use of personal data. This provision will likely still have preemptive effect, despite not mirroring the requirements of the state laws.
Regular order process
Guthrie's privacy working group was created with a stated objective to "bring members and stakeholders together to explore a framework for legislation that can get across the line." This task was taken up by Joyce and eight other Republican members of Congress, who on 21 Feb. 2025 issued a request for information that invited stakeholders to provide written responses to a questionnaire. The group received replies from at least 45 stakeholders, including civil society organizations, state legislators, small businesses, industry groups and state-level enforcement agencies. These responses helped to inform the current bill.
With the bill now introduced, it begins its long journey to become a law. The House Subcommittee for Commerce, Manufacturing and Trade will soon call a hearing, where members and witnesses will have a chance to share their opinions publicly. This will be followed by a subcommittee markup where members will introduce amendments, a step that will later be repeated at the full committee level.
