US Republicans introduce latest comprehensive privacy legislation

The gears are turning once again on U.S. Congress' debate over potential comprehensive privacy legislation. The latest attempt comes courtesy of House Committee on Energy and Commerce Republicans, who introduced the draft Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act following more than a year of stakeholder consultation.

In line with the bill's title, Energy and Commerce Republicans' proposal would preempt comprehensive state privacy laws by creating a federal standard using common data subject access rights and general provisions from the current state patchwork. However, the attempt at uniformity comes with departures from what is being done in the states, including omitted and nuanced provisions.

The initial draft does not include a private right of action or requirements for data protection impact assessments, data protection officers or universal opt-out mechanisms. Among the notable novel concepts raised by the bill are a data broker registration managed by the Federal Trade Commission, a safe harbor program for companies adhering to Department of Commerce-approved code of conduct, and data belonging to children under age 13 being treated as sensitive data alongside health and geolocation data.

"This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping," Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. "We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy."

In a statement to the IAPP, Energy and Commerce Ranking Member Frank Pallone, D-N.J., said the new bill "protects corporations and their bottom line, not people's privacy."

"We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech. It seems to me that Republicans have lost the plot on efforts to pass a strong national privacy bill," he added.

The bill was crafted without input from Energy and Commerce Democrats, a notable departure from recent congressional privacy debates. The American Data Privacy Protection Act and the American Privacy Rights Act were both bipartisan, bicameral efforts that stalled at different points during their respective considerations.

IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, and Westin Fellow David Botero offered a legal analysis of the bill, including its scope and key provisions.

The SECURE Data Act is a product of the committee's Data Privacy Working Group that convened February 2025 to address, according to the group's request for information, "the challenge of providing clear digital protections for Americans" that has been "compounded by the fast pace of technological advancement and the complex web of state and federal data privacy and security laws, which in some cases create conflicting legal requirements." Guthrie and Joyce noted the group's stakeholder dialogue sought to "reset the discussion on comprehensive data privacy, taking wide ranging input from stakeholders and crafting a consensus bill that protects the privacy and security of Americans' personal data."

While drafting the SECURE Data Act, the House Committee on Energy and Commerce debated children's privacy and online safety proposals. The proposed Children and Teens' Online Privacy Protection Act was among those bills, aiming to expand the scope and requirements of the Children's Online Privacy Protection Act. Energy and Commerce Democrats reportedly abandoned that bipartisan initiative over policy discrepancies.

The comprehensive bill was unveiled jointly with the House Committee on Financial Services' discussion draft to reform financial privacy law under the Gramm Leach Bliley Act. In the joint committee statement, Financial Services Chair French Hill, R-Ark., noted the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act aims to modernize the GLBA, which was drafted "in a technology-neutral fashion that has adapted well to the changes in technology and types of consumer data that have developed since 1999."

"Our bill minimizes data collection and disclosures; allows customers and former customers to request access to their financial data held by a financial institution; allows former customers of a financial institution to request deletion of their data; and requires a financial institution to receive a consumer’s affirmative opt-in consent before sensitive personal information can be disclosed," Hill said.