Congress is advancing a Republican-led data privacy bill that would create new protections in some states while weakening them in others.
The SECURE Data Act, introduced by Rep. John Joyce (R-PA) and House Energy and Commerce Committee Chair Brett Guthrie (R-KY), would require companies to collect only necessary user data, allow users to view and request deletion of their information, and mandate explicit opt-in for sensitive data like location or sexual orientation.
The Federal Trade Commission and state attorneys general could bring legal action against companies violating the law, and a companion bill, the GUARD Financial Data Act, would address consumer financial data specifically.
While the bill would establish baseline protections in roughly 30 states lacking comprehensive privacy laws, it falls short of key advocates’ demands: it does not grant individuals a private right to sue, it does not require websites to honor universal opt-out mechanisms, and it exempts pseudonymous data from certain protections — a loophole critics say could enable targeted advertising.
More significantly, the bill seeks to preempt state laws that offer equal or stronger safeguards, such as California’s, which established a dedicated privacy agency and allows consumers to sue for certain data breaches, and Maryland’s, which bans the sale of sensitive data and targeted ads to teens under 18.
The bill does include enhanced protections for teens aged 13 to 15, requiring parental consent to process their information — a provision not universally matched in existing state laws.
The Future of Privacy Forum, which includes tech platforms among its members but asserts independence from individual stakeholders, stated that while the proposal exceeds some of the narrowest state laws, it remains “consistently narrower and less prescriptive” than California’s framework and “selects particular narrow approaches used by only a handful of states.”
This legislative effort follows years of failed attempts to pass federal privacy legislation, including a canceled 2024 meeting on a prior bipartisan proposal that House Republican leadership reportedly opposed.
Guthrie and Joyce said their working group aimed to “reset the discussion on comprehensive data privacy,” though critics argue the bill’s preemption clause risks creating a race to the bottom in states with stronger protections.
What the bill would change for users in different states
In states without comprehensive privacy laws — about 30 of them — the SECURE Data Act would introduce new rights, including access to personal data, deletion requests, and opt-in requirements for sensitive information.
In states like California and Maryland, however, the bill would replace stronger existing laws with a weaker federal floor, removing tools like private rights of action, universal opt-out recognition, and bans on targeted ads for minors.
Users in those states would lose the ability to sue companies directly for certain privacy violations and would need to rely on the FTC or state attorneys general to enforce their rights.
The exemption of pseudonymous data from core protections means companies could still build detailed profiles for advertising without triggering the law’s safeguards, a concern raised by privacy advocates who warn this undermines the bill’s intent.
Who benefits and who loses under the proposed framework
Tech companies would benefit from a single, predictable federal standard that avoids compliance with a patchwork of stricter state laws, particularly in areas like data minimization and consent requirements.
Smaller platforms and startups might similarly gain from reduced legal complexity compared to navigating multiple state regimes.
Privacy advocates and consumers in states with strong existing laws would lose ground, as the bill’s preemption clause would invalidate provisions they have fought for, including legal recourse and restrictions on adolescent data use.
The FTC and state attorneys general would gain enforcement authority but lack the resources to match the scale of private litigation that laws like California’s enable.
What happens next
The bill must clear committee votes in the House before potential floor consideration, though its fate remains uncertain given past failures to advance similar proposals.
If passed, it would likely face legal challenges from states seeking to preserve their stronger privacy laws, potentially triggering federal court battles over preemption.
Without a private right of action, enforcement would depend entirely on agency action, which critics argue has historically been underfunded and slow to respond to large-scale violations.
Does the bill allow users to sue companies for privacy violations?
No, the SECURE Data Act does not include a private right of action, meaning individuals cannot sue companies directly for alleged violations.
How does the bill affect state laws like California’s?
The bill seeks to preempt state laws that offer equal or stronger protections, replacing them with a federal standard that advocates say is weaker in key areas such as enforcement and data scope.
