US SECURE Data Act faces criticism during first hearing in Congress

U.S. House Republicans had their first opportunity to publicly showcase their draft Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or SECURE Data Act, to the public during a hearing before the House Committee on Energy and Commerce's Subcommittee on Commerce, Manufacturing, and Trade 3 June. 

The SECURE Data Act was introduced by U.S. Rep. John Joyce, R-Penn., in April and unlike its two draft comprehensive privacy law predecessors — the American Privacy Rights Act and the American Data Privacy Protection Act — was crafted without bipartisan support and is not bicameral, as no companion draft has been introduced in the Senate. Democrats on the subcommittee were heavily opposed to the draft bill.   

U.S. Rep. Gus Bilirakis, R-Fla., chairman of the subcommittee, said the SECURE Data Act would solve the existing patchwork of state privacy laws by enabling companies to process personal data to glean business insight, while building in consumer protections for safeguarding that data. He said the current status-quo is "unacceptable" where millions of Americans "live in states without a comprehensive privacy law." 

"The SECURE Data Act takes the best ideas of the state privacy laws and incorporates many of the ideas developed over the past several years," Bilirakis said. "It seeks to establish meaningful consumer protections, while creating a uniform national standard that promotes innovation, economic growth and regulatory certainty."

The subcommittee invited four witnesses to testify on the draft legislation, three of whom were generally supportive of the bill, which features strong language that would preempt existing state privacy laws, and potentially sectoral privacy laws as well, such as Washington's My Health My Data Act and Illinois' Biometric Information Privacy Act.

The initial draft does not include a private right of action or requirements for data protection impact assessments, data protection officers or universal opt-out mechanisms. Among the notable novel concepts raised by the bill are a data broker registration managed by the U.S. Federal Trade Commission, a safe harbor program for companies adhering to a Department of Commerce-approved code of conduct, and treating data belonging to children under age 13 as sensitive data alongside health and geolocation data. 

Stakeholders favor bill's single national data privacy standard

Business Software Alliance Managing Director Kate Goodloe said prior efforts to pass a national comprehensive privacy law may have been easier because there were fewer states with their own on the books during APRA and ADPPA negotiations. She said with the 22 state laws on the books currently, and 21 of them sharing the "same core structure," there is a risk of that structure "unraveling" as some 30 different amendments have been added to the laws across the states, complicating compliance efforts.

"In the past, efforts to draft comprehensive privacy legislation started from a blank slate. ... but the landscape of American consumer privacy laws is no longer blank," Goodloe said, with 22 states, both red and blue, with consumer privacy laws. "Companies should not have to track 50 moving goalposts to do business in the United States. We need a single, clear set of rules that limits how companies collect and use consumers' data."

Womble Bond Dickinson Partner Tyler Bridegan, CIPP/E, CIPP/US, CIPM, who previously served in the Office of the Texas Attorney General as the former director of privacy and technology enforcement, offered his insight from his experience enforcing Texas' state privacy laws. He said the introduction of state privacy laws now offer a path forward for the SECURE Data Act to borrow from the most effective consumer protection frameworks. 

"The last time Congress pushed forward with this effort, most of the state laws were not in effect and there definitely had not been enforcement that occurred yet," Bridegan said. "We have now had the opportunity to see which provisions in the (state) laws protect key consumer harms, particularly the tangible harms that we're seeing emerge."

The SECURE Data Act is largely modeled off language contained in Kentucky's state privacy law and Kentucky Chamber of Commerce President and CEO Ashli Watts said there is an urgent need to for Congress to set a federal standard as most of her membership is comprised of small businesses. She said small businesses primarily lack the in-house legal teams, chief privacy officers and compliance budgets to make the best good-faith effort to comply with the legal patchwork of state laws. 

Watts also cited the U.S. Chamber of Commerce's 2025 Empowering Small Business Report that found roughly two-thirds of small businesses have concerns about complying with different state privacy laws that "expose them to higher compliance and litigation costs." She said that figure represented a 14% increase from 2024. 

"This is not just a technology policy issue, it is a competitiveness issue and Kentucky's businesses, and all American businesses, especially small businesses need one clear set of rules of which they can build around," Watts said. "It is important to note that strong consumer privacy protections and economic growth are not competing goals. When customers trust that their information is being handled responsibly, they're more willing to engage, to transact and participate in the digital marketplace, and clear rules help build that trust."

EPIC calls bill 'weaker than weakest state law'

The fourth witness, Electronic Privacy Information Center Deputy Director and Policy Director Caitriona Fitzgerald did not support the SECURE Data Act as proposed. She said the bill's "core weakness" is its lack of a data minimization standard and that it perpetuates the status quo of businesses' ability to provide "notice and collect." It also offers the "most expansive preemption option available to the federal government," which she believes could preempt "hundreds" of both existing comprehensive and sectoral privacy laws on the books. 

Fitzgerald also criticized the bill's lack of a private right of action, which would deny consumers any meaningful recourse if a company ignores a deletion or opt-out request.

"The SECURE Data Act sets a national standard that is weaker than the weakest state law, we shouldn't be making the floor, the ceiling," Fitzgerald said. "There's no recourse. It's essentially unenforceable because the FTC and state (attorneys general) won't take on individual cases." 

Democrats soundly criticize proposal

Democrats on the subcommittee were united in their opposition to the draft bill, with members using their allotted speaking time to criticize several provisions of the legislation, such as its preemption language, lack of a data minimization standard and private right of action. 

U.S. Rep. Frank Pallone, D-N.J., said the SECURE Data Act as drafted was "assembled from industry-friendly state privacy laws that have been pushed by Big Tech," and claimed it would enshrine the industry's ability to "continue their ongoing privacy violations." Were the bill to pass as-is, Palone said, the privacy "intrusions will only get worse as the push to insert artificial intelligence into every corner of our lives," as it "supercharges both the incentives to gather every bit of personal data and the potential harm that could result."

Pallone said despite his criticism of the legislation, he remains hopeful to "come to a compromise similar to what we've done in the past," based off the APRA and ADPPA proposals. 

"The partisan SECURE Data Act is not the strong, enforceable standard its sponsors describe," Pallone said. "Instead, this bill locks in the failed notice and consent status quo, then compounds loophole upon loophole to water down its provisions. … To make matters worse, it adds expansive preemption that will leave many Americans with fewer privacy protections than they have today."

CalPrivacy, attorneys general coalition voice opposition

In addition to the Democratic opposition to the SECURE Data Act, on 3 June the California Privacy Protection Agency announced it joined a coalition of 18 state attorneys general opposing the legislation. In 2022, the California Privacy Protection Agency Board voted to direct agency staff to actively oppose any comprehensive federal privacy measure that would preempt California state residents from exercising their privacy rights under the California Consumer Privacy Act.

"A strong federal privacy law is worth pursuing, but it should not strip away rights that tens of millions of people already depend on," CalPrivacy Executive Director Tom Kemp said in a statement. "The SECURE Act would set privacy rights back and make it much harder for consumers to exercise them in this AI-driven world where personal data is being collected at unprecedented scale."