The SECURE Data Act Is Not a Serious Piece of Privacy Legislation

The SECURE Data Act, introduced by Republicans on the House Energy and Commerce Committee, arrives at a moment when Congress has already debated several federal privacy frameworks, such as the American Data Privacy Protection Act and the Current American Privacy Rights Act. Unlike those proposals, SECURE offers only a minimal floor of rights—access, correction, deletion and limited portability—while explicitly preempting the 21 state privacy statutes that have emerged since 2018, including California’s CCPA and Virginia’s CDPA. By positioning itself as a national baseline, the bill threatens to roll back the stronger safeguards that states have crafted.

The legislation also strips consumers of a private right of action, leaving enforcement to the FTC and state attorneys general—agencies already stretched thin by budget cuts and competing priorities. A 45‑day cure period lets companies remediate violations without penalty, effectively rewarding non‑compliance. Moreover, the bill’s vague self‑regulatory audit scheme and the Secretary of Commerce’s broad authority over international data flows create uncertainty for businesses that must navigate an ill‑defined compliance landscape while lacking clear enforcement incentives.

For enterprises, the act’s opt‑out defaults and narrow data‑minimization language mean continued reliance on consent banners that can be engineered to mislead users. Loopholes around biometric data, de‑identified information and government‑contractor exemptions open pathways for aggressive data‑broker practices and AI training uses that many consumers oppose. If enacted, the SECURE Data Act would not only dilute existing state protections but also set a precedent for future federal bills to supersede state innovation. Stakeholders therefore continue to push for a robust, enforceable federal privacy law that complements, rather than replaces, state initiatives.