SECURE Data Act: Analysis of the new federal privacy bill

On 22 April 2026, U.S. House Energy and Commerce Committee Vice Chairman John Joyce, R-Pa., introduced a long-awaited comprehensive consumer privacy bill, HR 8413.

The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act embodies the work undertaken by the Privacy Working Group established by Chairman Brett Guthrie, R-Ky., in February 2025. This is the first major attempt in the 119th Congress to establish comprehensive consumer privacy rules, a task that otherwise has fallen to the states. 

The bill text represents an opening salvo in the long legislative process. It is likely to be refined significantly as negotiations continue in the months ahead. To that end, the Working Group staffers say they welcome feedback from the privacy community.

As for the usual sticking points for federal consumer privacy bills, there are no surprises here. As a partisan Republican bill, the draft does not include a private right of action, though the drafters of the bill are quick to point out that neither does the so-called consensus framework in the states. Instead, like prior proposed federal frameworks, it would empower both the U.S. Federal Trade Commission and state attorneys general to enforce the provisions of the law. 

As introduced, the SECURE Data Act would embrace a strong preemption regime, rendering moot any state law or provision that "relates to" its provisions. This would likely preempt state consumer privacy laws, data broker registries and possibly some sectoral state laws. Provisions of the law would go into effect within one to two years.

Catching up with the states