GovTechLegal

Unpacking the SECURE Data Act

Tech Policy Press
Tech Policy PressApr 26, 2026

Why It Matters

The bill would lock in a weak, industry‑favored privacy regime and strip states of the civil‑rights tools needed to curb algorithmic discrimination, leaving consumers unprotected as AI expands.

Key Takeaways

  • Secure Data Act mirrors industry‑friendly state laws, limiting privacy gains.
  • Bill narrows “sensitive data” definition, excluding most health and neural info.
  • Broad exemptions let companies sidestep compliance, especially for AI training data.
  • Lack of dark‑pattern bans enables coercive opt‑ins for sensitive data.
  • Preemption threatens state civil‑rights protections, weakening discrimination enforcement.

Summary

The Tech Policy Press podcast breaks down the newly introduced Secure Data Act, a Republican‑led effort to create a federal privacy framework. Host Justin Hendrickx interviews CDT privacy director Eric Null, who frames the bill as a regression compared with the more robust state statutes that have emerged over the past few years.

Null points out that the legislation copies the Kentucky model, adopts a narrow definition of “sensitive data” that omits most health, neural and communication information, and relies on a data‑minimization clause that merely requires companies to disclose practices in privacy policies. In addition, the bill contains sweeping exemptions—service‑related, contractual, and internal‑research clauses—that effectively let firms avoid compliance, especially for AI training data.

The conversation highlights concrete concerns: Null calls the act a “major step backward,” noting the absence of impact‑assessment requirements and dark‑pattern prohibitions. He cites Meta’s plan to track keystrokes for AI training and the ubiquitous “accept‑all” cookie banners as examples of how companies could exploit the law’s weak safeguards.

If enacted, the Secure Data Act would preempt state privacy and civil‑rights statutes, eroding the primary enforcement mechanisms for discrimination claims in the digital economy. The result would be a federal framework that offers little new protection while cementing industry‑friendly rules at a time when AI‑driven data collection is accelerating.

Original Description

With artificial intelligence systems increasingly deployed by companies and governments to hoover up every possible unit of data and to make consequential decisions about people's employment, benefits, credit, education, housing, and health care, the United States still has no baseline federal privacy law. This week, House Republicans put a new bill on the table called the SECURE Data Act.
Today’s guest is Eric Null, director of the Privacy & Data Project at the Center for Democracy & Technology. He says the bill has significant structural weaknesses (https://www.techpolicy.press/congresss-new-privacy-bill-is-built-on-empty-promises/) even as it seeks to preempt stronger state protections that are already in place.

Comments

Want to join the conversation?

Loading comments...