US Republicans introduce latest comprehensive privacy legislation

The gears are turning once again on U.S. Congress' debate over potential comprehensive privacy legislation. The latest attempt comes courtesy of House Committee on Energy and Commerce Republicans, who introduced the draft Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act following more than a year of stakeholder consultation.

In line with the bill's title, Energy and Commerce Republicans' proposal would preempt comprehensive state privacy laws by creating a federal standard using common data subject access rights and general provisions from the current state patchwork. However, the attempt at uniformity comes with departures from what is being done in the states, including omitted and nuanced provisions.

The initial draft does not include a private right of action or requirements for data protection impact assessments, data protection officers or universal opt-out mechanisms. Among the notable novel concepts raised by the bill are a data broker registration managed by the Federal Trade Commission, a safe harbor program for companies adhering to Department of Commerce-approved code of conduct, and data belonging to children under age 13 being treated as sensitive data alongside health and geolocation data.

"This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping," Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. "We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy."

In a statement to the IAPP, Energy and Commerce Ranking Member Frank Pallone, D-N.J., said the new bill "protects corporations and their bottom line, not people's privacy."

"We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech. It seems to me that Republicans have lost the plot on efforts to pass a strong national privacy bill," he added.

The bill was crafted without input from Energy and Commerce Democrats, a notable departure from recent congressional privacy debates. The American Data Privacy Protection Act and the American Privacy Rights Act were both bipartisan, bicameral efforts that stalled at different points during their respective considerations.

IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, and Westin Fellow David Botero offered a legal analysis of the bill, including its scope and key provisions.

The SECURE Data Act is a product of the committee's Data Privacy Working Group that convened February 2025 to address, according to the group's request for information, "the challenge of providing clear digital protections for Americans" that has been "compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws, which in some cases create conflicting legal requirements." Guthrie and Joyce noted the group's stakeholder dialogue sought to "reset the discussion on comprehensive data privacy, taking wide ranging input from stakeholders and crafting a consensus bill that protects the privacy and security of Americans' personal data."

While drafting the SECURE Data Act, the House Committee on Energy and Commerce debated children's privacy and online safety proposals. The proposed Children and Teens' Online Privacy Protection Act was among those bills, aiming to expand the scope and requirements of the Children's Online Privacy Protection Act. Energy and Commerce Democrats reportedly abandoned that bipartisan initiative over policy discrepancies.

The comprehensive bill was unveiled jointly with the House Committee on Financial Services' discussion draft to reform financial privacy law under the Gramm Leach Bliley Act. In the joint committee statement, Financial Services Chair French Hill, R-Ark., noted the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act aims to modernize the GLBA, which was drafted "in a technology-neutral fashion that has adapted well to the changes in technology and types of consumer data that have developed since 1999."

"Our bill minimizes data collection and disclosures; allows customers and former customers to request access to their financial data held by a financial institution; allows former customers of a financial institution to request deletion of their data; and requires a financial institution to receive a consumer's affirmative opt-in consent before sensitive personal information can be disclosed," Hill said.

The reception

Workday Vice President and Chief Privacy Officer Barbara Cosgrove, CIPP/E, welcomed the efforts on the latest comprehensive bill, noting the lack of a federal floor on privacy risks "a fragmented digital economy where a person's privacy rights depend on their zip code."

"By setting out protections based on roles, formalizing the oversight of the free flow of data, recognizing proven programs like Global Cross Border Privacy Rules, and embracing established security certifications, this draft establishes the necessary foundation for a national standard that we look forward to helping refine into a permanent, workable solution," she said.

The SECURE Data Act recognizes participation in Global CBPRs under its proposed code of conduct with respect to data flows. Cosgrove said that inclusion helps to promote mechanisms that are "vital tools for fostering customer trust at scale."

The Association of National Advertisers issued a statement to the IAPP highlighting the commonality the bill carries to existing state privacy laws, which in turn reflects "an approach that's endorsed by state elected officials across the political spectrum." The group also hailed the bill as a "common-sense standard" that "protects all Americans without jeopardizing the 29 million U.S. jobs supported by advertising."

Lisa Hone served as Energy and Commerce Democrats' chief counsel to minority members of the Subcommittee on Consumer Protection and Commerce during the APRA debates two years ago. She told the IAPP the Republican tact on the new framework is "an enormous and disappointing step away" from past bipartisan work toward federal privacy protections.

"The Republicans' new bill would give Big Tech a nationwide license to collect vast amounts of consumers' personal information and use it however they please, including to feed unregulated artificial intelligence models, while preempting state laws that provide real limits on the collection, use, and sharing of consumers' data," she said. "That result is wholly inconsistent with previous calls from both sides of the aisle for meaningful federal privacy protections for all consumers."

Center for Democracy and Technology Privacy and Data Project Director Eric Null also highlighted the SECURE Data Act's departures from the ADPPA and APRA, indicating those proposals "responded better to people's actual needs and expectations." While the new bill proposes requirements to minimize data collection to what is "adequate, relevant, and reasonably necessary," Null does not see the stringency behind the measures to uphold those processing standards.

"The SECURE Data Act fails to change the equation, letting companies hide behind cookie banners and lengthy terms of service rather than establishing meaningful privacy protections, and including easily-exploited loopholes," he said.