Taking stock of US House Republicans' proposed SECURE Data Act

U.S. House Republicans are working on the latest attempt to pass a comprehensive federal privacy bill, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or SECURE Data Act. The proposal, which is neither bipartisan nor bicameral like predecessor frameworks, will be the subject of a hearing 3 June before the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade.

A recent LinkedIn Live moderated by IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, captured insights into where stakeholders stand on key provisions of the bill while outlining the likelihood of final passage prior to the looming midterm elections.

Zweifel-Keegan said, despite the partisan make-up of the bill, it will in all likelihood need to garner some level of Democratic support in the Senate to make it to the president's desk. Regardless, the proposal represents a "strong signal about where Republicans stand in the policy debate," he said, and reveals specifics around their preference "to replace the state patchwork of consumer privacy laws and maybe even other laws too."

The substance

Key features of the SECURE Data Act include strong preemption language over state comprehensive privacy laws, like the California Consumer Privacy Act, as well as sectoral privacy laws like Washington's My Health My Data Act and the Illinois Biometric Information Privacy Act, according to Future of Privacy Forum Senior Policy Counsel Jordan Francis, CIPP/E, CIPP/US, CIPM, FIP.

Francis said the draft SECURE Data Act "broadly reflects" language contained in a number of existing state privacy laws, but most closely resembles the laws passed in Kentucky, Iowa and Utah, which he considers among the "narrowest" around the country. However, the bill omits other key elements of most state privacy laws, such as data protection impact assessment obligations and requiring companies to respect consumer opt-out signals.

"The goal here is to establish a single, unified federal standard when it comes to consumer privacy," Francis said. "What surprised me most about reading this bill is how unsurprising it was. This bill significantly borrows language from existing state laws, which creates sort of a starting point from shared knowledge with respect to core aspect of the bill's terminology and definitions."

All eyes on preemption

In 2022, the California Privacy Protection Agency Board voted to direct agency staff to actively oppose any comprehensive federal privacy measure that would preempt California state residents from exercising their privacy rights under the CCPA. The board also directed staff to support federal legislation that "provides a true floor and allows states to adopt stronger protections," according to CalPrivacy Deputy Director of Policy and Legislation Maureen Mahoney.  

Proposed preemption under the SECURE Data Act remains a nonstarter for CalPrivacy. Mahoney also pointed to the lack of provisions prohibiting companies from using dark patterns in their website designs, as well as the opt-out signal requirements, as objectionable. Additionally, the bill does not offer consumers a tool to request data broker deletion of their personal data, such as CalPrivacy's Delete Request and Opt-out Platform. 

"The problem for us is that (the bill) seems to make it harder for consumers to exercise their rights, so to that extent, it would a significant step backward from the work many of the states have been doing," Mahoney said. "From a state regulator's perspective, the (SECURE Data Act) will be difficult to enforce, because it has a mandatory 45-day right to cure, which would incentivize non-compliant businesses to take a wait-and-see approach until a regulator reaches out before addressing violations."

Mariner Strategies President Andrew Kingman disagreed with Mahoney that the SECURE Data Act's preemption language represents a fatal flaw. He made the case that an elevated federal baseline for consumer privacy with the ability for states to continue to add further patchwork requirements will further complicate compliance efforts on the part of businesses. 

Baseline legislation, according to Kingman, would present an opportunity for Congress to legislatively pursue "three or four different verticals" beyond the established framework to address not only privacy matters, but issues related to data security and data brokers. 

"If you're going to say, 'Here's our baseline, but then we've got 35 variations on that in different states that can all be enforced by their state attorneys general,' I think the preemption (language) is saying, let's have one standard, and that tends to make a lot more sense," Kingman said. "Now within that one standard framework, there are a lot of different ways to structure that and maybe there are different ways to (enforce) that, such as allowing injunctive relief or something along those lines."

FPF's Francis also downplayed the preemption provisions, noting the bill does not really move the ball forward in that aspect from what was proposed in the prior comprehensive federal privacy law proposals in recent years, the American Privacy Rights Act and the American Data Privacy Protection Act.

"Some of the overrated issues of this bill are preemption and enforcement," Francis said. "That isn't to say that those things aren't important, I think they are some of the most important, difficult issues to solve in this bill, but I don't think these issues are meaningfully different than they were when we discussed the APRA and the ADPPA."