WASHINGTON — A new Republican-led bill in Congress aims to establish a national standard for data privacy, but critics warn it could undermine stronger protections already in place in several states. The SECURE Data Act, introduced by Rep. John Joyce (R-PA) and House Energy and Commerce Committee Chair Brett Guthrie (R-KY), seeks to require companies to collect only necessary user data, allow individuals to view and delete their information, and mandate explicit opt-ins for sensitive details like location or sexual orientation. While the proposal promises uniformity across the country, privacy advocates argue it would preempt more robust state laws, potentially leaving Americans with weaker safeguards overall.
The bill emerges from a Republican data privacy working group formed to 'reset the discussion on comprehensive data privacy,' according to a joint statement from Guthrie and Joyce. It would empower the Federal Trade Commission and state attorneys general to enforce violations, with a companion measure, the GUARD Financial Data Act, addressing financial data separately. This latest push follows years of failed attempts at federal legislation, including a bipartisan proposal whose key meeting was canceled in 2024 amid reported opposition from House Republican leadership.
Currently, only about 20 states have comprehensive data privacy laws, many of which have earned low marks from independent evaluators for their effectiveness. The SECURE Data Act would introduce new protections in those states lacking such frameworks, including special rules for teens aged 13 to 15 that require parental consent for data processing. Proponents highlight these additions as a step forward for millions of Americans without existing state-level safeguards.
However, the legislation draws sharp criticism for its omissions and preemptive scope. It does not grant individuals a private right of action to sue companies for privacy breaches, a feature long sought by Democrats and advocates. Websites would not be required to honor universal opt-out tools, forcing users to repeatedly adjust settings to limit data collection. Additionally, the bill exempts pseudonymous data from some protections, which critics say could open loopholes for targeted advertising.
At the heart of the controversy is the bill's provision to override state laws that offer equal or stronger protections. California's landmark privacy law, for instance, established a dedicated privacy agency and allows consumers to pursue legal action for certain data breaches. Maryland's statute bans the sale of sensitive data and prohibits targeted ads to minors under 18. Other states like Oregon, Delaware, Minnesota, and Connecticut enable users to request details on third-party data recipients or contest automated profiling decisions—rights that could be nullified under the federal measure.
The Future of Privacy Forum (FPF), an independent group whose members include tech platforms, analyzed the bill and noted it adopts 'particular narrow approaches used by only a handful of states.' While the proposal exceeds some minimal state standards, FPF described it as 'consistently narrower and less prescriptive' than California's requirements. The group's report pointed out limited definitions, such as for biometric data, which excludes information from audio or video recordings—unlike broader state interpretations.
Privacy organizations have been vocal in their opposition. Caitriona Fitzgerald, deputy director and policy director at the Electronic Privacy Information Center (EPIC), stated, 'This bill would wipe out a huge range of privacy, security, online safety, and civil rights laws without providing any meaningful protections for Americans.' She added, 'A weak federal standard is worse than no standard at all.'
R.J. Cross, director of the Public Interest Research Group's Our Online Life Program, echoed those concerns, calling the bill 'basically a green light for the tech industry to keep collecting whatever data they want from you and doing whatever they want with it. Then it makes sure that no pesky state that may want to, you know, actually regulate what companies are doing can get in the way.'
Eric Null, director of the Center for Democracy and Technology's privacy and data project, warned that the measure 'would cement the harmful online data practices that Americans need and want a privacy law to fix, resulting in more data breaches, more intrusive data collection, more creepy advertising practices, and more business for data brokers.' The center receives funding from large tech firms but maintains that supporters do not influence its priorities.
On the other side, business advocates praise the bill for simplifying compliance amid a patchwork of state regulations. Rob Retzlaff, executive director of the Connected Commerce Council—which supports small businesses and has received funding from companies like Amazon and Google—said, 'The cost and complexity of tracking and complying with more than 20 state privacy laws are crippling small businesses, and some states’ radical data restrictions are jeopardizing the digital tools that power small business growth.'
Major industry groups, including the U.S. Chamber of Commerce, the National Retail Federation, and NetChoice, issued a joint statement supporting the legislation: 'The bill would end a confusing patchwork that harms consumers and small businesses.' They argue that a uniform federal standard would reduce burdens on companies while protecting user rights.
Democrats have historically resisted broad preemption of state laws and advocated for private lawsuits, and none are currently co-sponsors of the SECURE Data Act. Sponsors hope to attract bipartisan support after it advances through committee on a party-line vote, as reported by CNBC. FPF suggested that several exclusions in the bill, such as coverage for employee or business-to-business data, might be negotiation tactics to build consensus.
Even if enacted, the bill's preemption clause could face legal challenges. FPF anticipates states would contest overrides, arguing their laws do not directly conflict with federal standards. California's statute, for example, encompasses areas like employee data that the federal bill exempts, potentially shielding it from full preemption. Similar battles could arise in states with unique provisions on data sales or youth protections.
The timing adds uncertainty, with midterm elections approaching that could shift congressional dynamics. A federal privacy law remains a priority for many lawmakers, addressing growing concerns over data breaches and surveillance in the digital age. Yet, as this Republican initiative moves forward, the debate underscores deep divisions over how best to balance innovation, business needs, and individual rights in an era of pervasive data collection.
Supporters see the SECURE Data Act as a pragmatic foundation that could evolve through amendments, while opponents fear it sets a low bar that entrenches industry-friendly practices. As the House Energy and Commerce Committee prepares to review the bill, stakeholders on all sides are watching closely for signs of compromise—or further entrenchment—in the ongoing quest for national privacy protections.