Comprehensive Federal Privacy Bill: “SECURE Data Act” Introduced by House Republicans
Authors
Jason M. Schwent, Lauren M. Williams
On April 22, 2026, the House Energy & Commerce Committee announced the introduction of the “Securing and Establishing Consumer Uniform Rights and Enforcement Over Data Act” (the “SECURE Data Act”), a comprehensive federal privacy proposal intended to replace the current patchwork of state consumer privacy laws with a single national framework. While the bill largely adopts the consensus data privacy and security framework enacted by a majority of U.S. states, its significance lies less in the rights it creates and more in how it restructures the regulatory landscape.
The SECURE Data Act applies to businesses subject to the FTC Act, as well as common carriers subject to Title II of the Communications Act of 1934, that conduct business in the U.S. and meet either of these two thresholds: (1) processing or controlling the personal data of at least 200,000 U.S. consumers annually and having at least $25 million in annual gross revenue or (2) deriving 25% or more of gross revenue from the sale of personal data and processing at least 100,000 consumers’ data. Notably, payment transaction data is excluded from the consumer count. The SECURE Data Act also contains significant exemptions for government entities, nonprofits, institutions of higher education, and entities and data subject to HIPAA or GLBA. These exemptions reduce the applicability of the SECURE Data Act when compared with state consumer data privacy laws.
The SECURE Data Act borrows the familiar concept of “consumer privacy rights” from state consumer data privacy laws but makes such rights operationally specific. Individuals have the right to access, correct, delete, and obtain a portable copy of their personal data from the entities subject to the law. Consumers must also be provided with a clear mechanism to opt out of targeted advertising, the sale of personal data, and certain profiling activities that produce legal or similarly significant effects. If enacted, the SECURE Data Act would require controllers to obtain opt-in consent prior to processing “sensitive data,” including employee data, health records, geolocation, and financial information, and, notably, would require parental consent to collect personal data from teens (individuals who are between 13 and 16 years old). Although several states include enhanced privacy protections for teenagers, this sensitive data approach recognizing only parental consent is unique and expands the Children’s Online Privacy Protection Act (COPPA) age requirement by adding three additional years of coverage.
The most notable departure from existing state frameworks is the SECURE Data Act’s treatment of cross-border data flows. The SECURE Data Act formally codifies the role of the Secretary of Commerce as the federal government’s lead advisor on international data flows and the protection of personal data in cross-border commerce, while reaffirming the U.S. policy position in favor of facilitating the “flow of data for commercial purposes.” The Secretary of Commerce would also be authorized to recognize codes of conduct that encourage the spread of privacy “best practices” among specific sectors or groups of companies. The codes of conduct must be voluntary and enforceable by independent organizations, with a referral mechanism in place to enforcement authorities, and meet or exceed the compliance obligations in the SECURE Data Act. It is important to note that entities that conform to codes of conduct under the oversight of independent organizations would receive a rebuttable presumption of compliance with the SECURE Data Act.
Enforcement of the SECURE Data Act is limited to the FTC and state Attorneys General and does not include a private right of action. For an alleged violation, the regulators must provide written notice to the controller or processor, cite the specific provision of the SECURE Data Act that was allegedly violated, and permit at least 45 days for the recipient to cure the alleged violation. This enforcement process is less rigid and slower than some state laws and would lack some of the penalties associated with those current state laws. The SECURE Data Act also would establish a federal standard for data brokers, requiring public-facing disclosures and registration with the FTC, along with a searchable data broker registry that links to the brokers’ websites.
One of the most consequential features of the SECURE Data Act, as currently drafted, is its preemption provision, which has historically been a primary point of contention in prior federal privacy proposals. The SECURE Data Act broadly prohibits states from enacting or enforcing laws that “relate to” its provisions. This would likely displace state consumer privacy laws, data broker registries, and possibly sectoral state laws. It is this preemptive power, coupled with some of the shortcomings of the SECURE Data Act when compared to state consumer privacy laws, that may doom the legislation in an already very contentious legislative session, as it doomed some earlier federal attempts at privacy legislation. In short, while the SECURE Data Act would restructure the current patchwork of state privacy laws into a uniform national data privacy and security standard for all U.S. consumers, the fact that the SECURE Data Act fails to provide protections found in many state laws (particularly from the jurisdictions most active in this space) and would preempt such state laws in this area may prove to be its downfall.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC.