SECURE Data Act: What the Proposed Federal Privacy Law Means for US Data Privacy Compliance
Introduction: A New Federal Privacy Proposal
On [date of introduction], the House Committee on Energy and Commerce's Republican data privacy working group released the SECURE Data Act (H.R. 8413), a proposed federal comprehensive consumer privacy bill. The bill aims to establish a national baseline for US data privacy compliance while preempting the growing patchwork of state privacy laws. With 21 states having enacted comprehensive privacy laws as of 2025, businesses face increasing complexity. The SECURE Data Act could simplify compliance for multi-state operations — but its provisions and preemption scope raise important questions.
The bill closely resembles narrower state privacy laws based on the Washington Privacy Act (WPA) framework, such as those in Kentucky, Iowa, Tennessee, Utah, and Alabama. Key provisions include data minimization, anti-discrimination protections, a federal data broker registry, and classification of teens' data (ages 13–16) as sensitive with parental controls. The bill also adopts narrow outlier provisions from a few states, including Virginia's biometric data definition, a pseudonymous data exception for opt-out rights, and the absence of any requirement for data protection impact assessments (DPIAs) or opt-out preference signals.
This article analyzes the SECURE Data Act's key provisions, compares it with existing state laws like the CCPA/CPRA, VCDPA, and Colorado CPA, discusses the political landscape, and provides actionable steps for businesses to prepare for potential preemption of state privacy laws.
Key Provisions of the SECURE Data Act
Consumer Rights
The SECURE Data Act grants consumers rights similar to those under the VCDPA and other WPA-based laws:
- Right to access — confirm whether a controller processes personal data and access that data.
- Right to correct — inaccuracies in personal data.
- Right to delete — personal data provided by or obtained about the consumer.
- Right to data portability — in a readily usable format.
- Right to opt out — of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Notably, the bill includes a pseudonymous data exception for opt-out rights, meaning that if a controller processes pseudonymous data and can identify the consumer only with additional information held separately, the consumer's opt-out rights may be limited. This provision mirrors Virginia's approach and is narrower than the CCPA/CPRA, which does not exempt pseudonymous data from opt-out rights.
Business Obligations
The bill imposes several obligations on businesses, including:
- Data minimization — collect only what is adequate, relevant, and reasonably necessary for the purpose.
- Anti-discrimination — prohibit processing data in a manner that discriminates against consumers based on race, color, religion, national origin, sex, or disability.
- Transparency — provide a clear privacy notice.
- Data security — implement reasonable administrative, technical, and physical safeguards.
- Respond to consumer requests — within 45 days (extendable by 45 days).
Unlike the CCPA/CPRA and Colorado CPA, the SECURE Data Act does not require businesses to conduct data protection impact assessments (DPIAs) or honor opt-out preference signals (e.g., Global Privacy Control). These omissions align with the narrower state laws it mirrors.
Enforcement
The bill provides for enforcement by the Federal Trade Commission (FTC) and state attorneys general. It does not create a private right of action for privacy violations, similar to most state privacy laws except for the CCPA's limited private right of action for data breaches. The bill also includes a Code of Conduct certification process modeled on COPPA safe harbor, providing a rebuttable presumption of compliance for certified entities.
Comparison with Existing State Privacy Laws
The SECURE Data Act's applicability thresholds are higher than those of most state laws but apply nationally, potentially making them easier for multi-state businesses to meet. Below is a comparison of key thresholds and provisions:
| Provision | SECURE Data Act | CCPA/CPRA | VCDPA | Colorado CPA |
|---|---|---|---|---|
| Applicability thresholds | $25M+ revenue AND 200K+ consumers nationally | >$25M revenue OR 100K+ consumers OR 50% revenue from data sales | Control/process data of 100K+ consumers OR 25K+ consumers AND >50% revenue from data sales | Control/process data of 100K+ consumers OR 25K+ consumers AND >50% revenue from data sales |
| Preemption | Broad preemption of state comprehensive and sectoral laws | None (state law) | None (state law) | None (state law) |
| DPIAs required | No | Yes (for high-risk processing) | No | Yes |
| Opt-out preference signals | Not required | Required | Not required | Required |
| Private right of action | No | Limited (breach) | No | No |
| Teen data protections | Yes (ages 13–16 as sensitive) | Yes (under 16 opt-in for sale) | No specific provision | No specific provision |
| Data broker registry | Federal registry required | State registry (California) | No | No |
Preemption: A Key Point of Contention
The SECURE Data Act includes broad preemption language that could override state comprehensive privacy laws, sectoral laws like Illinois' Biometric Information Privacy Act (BIPA), and state data broker laws. However, preemption is not automatic — it would require litigation to determine the scope. The bill's preemption clause states that it supersedes any state or local law that relates to the collection, processing, or sharing of personal data, with limited exceptions (e.g., public records, civil rights, anti-discrimination, and certain consumer protection laws).
This broad preemption is a double-edged sword. For businesses, it offers the promise of a single national standard, reducing compliance costs and complexity. For consumer advocates, it risks weakening stronger state protections, such as California's CPRA, which provides broader rights and stricter obligations. States like California and Illinois are likely to challenge preemption in court, creating uncertainty until resolved.
The bill's higher applicability thresholds ($25M revenue and 200K consumers nationally) mean that some small businesses currently subject to state laws may fall outside federal coverage, potentially creating a compliance gap for businesses that state law previously covered but the federal law would not. However, the national scope may still simplify compliance for larger multi-state businesses.
Political Landscape and Likelihood of Passage
The SECURE Data Act faces an uphill battle in Congress. While there is bipartisan interest in a federal privacy law, disagreements over preemption, private right of action, and enforcement persist. The bill's Republican sponsors favor a uniform national standard with limited private enforcement, while many Democrats advocate for stronger protections, a private right of action, and preserving states' ability to enact additional protections.
The bill's narrow provisions — no DPIAs, no opt-out preference signals, and pseudonymous data exceptions — may draw criticism from privacy advocates and Democratic lawmakers. Additionally, the broad preemption could alienate states with robust privacy laws, reducing support from state attorneys general and consumer groups.
Given the current political climate, passage in its current form is uncertain. However, the bill could serve as a starting point for negotiations, potentially leading to a compromise that balances federal uniformity with state flexibility. Organizations should monitor developments but not assume immediate enactment.
Actionable Steps for Businesses to Prepare
Even if the SECURE Data Act does not pass, many of its provisions reflect the consensus model in state privacy laws. Businesses can take the following steps to prepare for a potential federal baseline and improve their US data privacy compliance posture:
- Conduct comprehensive data mapping — inventory all personal data collected, processed, stored, and shared. Understand data flows across systems and third parties.
- Update privacy policies — ensure policies clearly disclose data collection, processing purposes, and consumer rights. Align with the transparency requirements common to both state and proposed federal law.
- Implement consent and opt-out mechanisms — deploy mechanisms for consumers to exercise rights, including opt-out of targeted advertising, sale of data, and profiling. Even if the federal law does not require opt-out preference signals, many state laws do.
- Assess vendor compliance — review contracts with data processors and third parties. Ensure they include obligations to assist with consumer rights requests, data security, and breach notification.
- Evaluate data minimization practices — review collection practices and limit data to what is reasonably necessary for the intended purpose. This aligns with both state laws and the SECURE Data Act.
- Monitor regulatory developments — track progress of the SECURE Data Act and other federal proposals. Engage with industry associations and legal counsel to stay informed.
For businesses operating in multiple states, preparing for a federal privacy law can simultaneously improve compliance with existing state laws. Tools like AIGovHub's interactive compliance tools can help streamline multi-state privacy management, from data mapping to policy generation.
Key Takeaways
- The SECURE Data Act proposes a federal baseline for consumer privacy, closely resembling narrower WPA-based state laws.
- Broad preemption could override state comprehensive and sectoral privacy laws, but preemption is not automatic and may face legal challenges.
- Key provisions include data minimization, anti-discrimination, a federal data broker registry, and teen data protections, but omit DPIAs and opt-out preference signals.
- Businesses should prepare by conducting data mapping, updating privacy policies, implementing consent mechanisms, and assessing vendor compliance.
- The political landscape is uncertain; passage is not guaranteed, but the bill could influence future federal privacy legislation.
How AIGovHub Can Help
Navigating the evolving landscape of US privacy laws — from state-specific requirements to potential federal legislation — requires robust tools and expertise. AIGovHub's compliance platform offers interactive tools to help businesses manage multi-state privacy compliance efficiently. From the Privacy Impact Assessment tool to the Policy Mapper, our solutions simplify data mapping, policy updates, and vendor due diligence. Explore our compliance tools to stay ahead of regulatory changes and build a resilient privacy program.
This content is for informational purposes only and does not constitute legal advice.