The SECURE Data Act: What the Federal Privacy Bill Proposes and What It Misses

What the SECURE Data Act proposes On April 22, 2026, the House Energy & Commerce Committee released a discussion draft of the SECURE Data Act (Setting Expectations for Consumer Understanding, Rights, and Enforcement of Data). If passed, it would be the first comprehensive federal consumer privacy law in the United States. Key provisions: Coverage: Businesses with more than 200,000 consumers and more than $25 million in annual revenue Individual rights: Access, correction, deletion, portability of personal data Opt-out: The right to opt out of data use for targeted advertising and certain transfers Data minimization: Companies must limit collection to what is "reasonably necessary and proportionate" to the service provided Data broker registry: Brokers must register with the FTC and disclose their data collection and sale practices Sensitive data: Enhanced protections for health data, biometric data, geolocation, children's data, and financial information Preemption: The bill would preempt state privacy laws — including the CCPA — creating a single national standard Enforcement: FTC and state attorneys general can enforce; no private right of action What it gets right The bill includes several provisions that privacy advocates have been seeking for years: Data minimization is a genuine structural reform. It shifts the default from "collect everything in case it is useful" to "collect only what is needed." If enforced, this single provision would change how data-intensive business models operate. The data broker registry would create public transparency into an industry that currently operates almost entirely in the shadows. Knowing which brokers hold your data is a prerequisite to opting out of their databases. Sensitive data protections cover the categories that matter most — biometric, health, geolocation — and prevent the kind of secondary use that has fueled the data broker market. What is missing No private right of action. Consumers cannot sue companies that violate the law. Enforcement is entirely in the hands of the FTC and state AGs, both of which are resource-constrained and politically variable. The CCPA's private right of action (limited to data breaches) has driven more compliance than all FTC privacy enforcement combined. Removing it from a federal standard weakens the enforcement structure meaningfully. Preemption could weaken strong state laws. California, Illinois, and Washington have privacy laws that go further than the SECURE Data Act in key areas. BIPA (Illinois biometric law) and the CCPA's broader data access rights could be watered down if preemption applies. The bill's preemption language will determine whether these state laws survive. The revenue threshold excludes many companies. $25 million in revenue and 200,000 consumers exempts most small and medium businesses. This is standard in federal privacy bills, but it means the law covers only the largest data collectors. How it compares to ADPPA The ADPPA (American Data Privacy and Protection Act) was the previous best attempt at federal privacy legislation, passing the House in 2022 but dying in the Senate. The SECURE Data Act is structurally similar with key differences: ADPPA had a narrower preemption scope. The SECURE Data Act appears to preempt more state law. ADPPA included stronger algorithms provisions. The SECURE Data Act draft has less detail on algorithmic decision-making transparency. Both lack a private right of action. This has been the consistent sticking point — industry opposes private lawsuits, advocates insist they are necessary for enforcement. What happens next The bill is in discussion draft stage. Markups are expected in summer 2026. Key fights will center on: The scope of preemption — how much of the CCPA and BIPA survives Private right of action — whether consumers can sue Data broker registration — how transparent the registry must be Enforcement funding — whether the FTC gets resources to enforce What you can do Track the bill at congress.gov. Search for "SECURE Data Act" when it is formally introduced. Contact your representative. Energy & Commerce Committee members are the key votes. Support state-level privacy bills as a hedge. Federal preemption could weaken existing protections, so new state laws need to be passed now. Use privacy tools that do not rely on regulatory enforcement. The tools on this site run in your browser because regulatory timelines are measured in years. A federal privacy law is overdue. The SECURE Data Act is a serious proposal. Whether it becomes a meaningful protection or a floor that weakens existing standards will be determined in the markup process.