The SECURE Data Act: A Weakening of Privacy Standards

Introduction: A Federal Privacy Bill That Misses the Mark

The SECURE Data Act, recently proposed by House Republicans, has been hailed by some as a step toward national privacy standards. However, a closer look reveals a bill that undermines existing state protections and fails to give consumers meaningful control over their data. Rather than advancing privacy, it would create a weak federal baseline that preempts stronger state laws, leaving Americans with fewer rights than they currently have in many states.

The SECURE Data Act: A Weakening of Privacy Standards — Source: www.eff.org

Key Provisions of the Bill

The SECURE Data Act does include some standard consumer rights that have become common in privacy proposals in recent years. These include:

Access: The right to know what personal data a company holds about you.
Correction: The ability to correct inaccurate data.
Deletion: The right to request deletion of your data.
Portability: Limited ability to move your data to another service.

Additionally, the bill requires companies to obtain consent before processing sensitive data (such as health or biometric information) or using personal data for purposes not previously disclosed. Without consent, these activities are prohibited.

However, these rights are undermined by significant weaknesses. Consumers can opt out of targeted third-party advertising, the sale of personal data, and profiling that affects legal, healthcare, housing, or employment decisions—but only if they actively take steps to do so. Companies may continue these invasive practices by default, placing the burden on individuals to take action.

Another provision requires data brokers earning at least 50% of profits from selling personal data to register in a public database maintained by the Federal Trade Commission (FTC). While this adds transparency, it does little to restrict data collection itself.

The Preemption Problem: Wiping Out State Protections

Perhaps the most troubling aspect of the SECURE Data Act is its broad preemption clause (Section 15). This provision would invalidate any state law that “relates to the provisions of this Act.” This sweeping language would wipe out all 21 state consumer privacy laws enacted in recent years, along with hundreds of other state regulations covering related topics.

Federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Video Privacy Protection Act, typically allow states to build stronger protections on top of a federal floor. The SECURE Data Act does the opposite—it eliminates the floor altogether and prevents states from raising standards. As a result, even modest state-level innovations like California’s data broker deletion tool or automatic opt-out signal requirements would be erased.

No Private Right of Action: Consumers Cannot Sue

Unlike many state laws, the SECURE Data Act does not grant individuals the right to sue companies for privacy violations. This private right of action is a critical enforcement tool. Without it, consumers must rely on the FTC or state attorneys general to act—which they rarely do in a timely or comprehensive manner. This leaves violations largely unpunished and removes a powerful deterrent for companies that mishandle personal data.

Failure to Address Behavioral Advertising

The bill does little to curb online behavioral advertising, the practice that drives tech companies’ relentless collection of personal data. While it allows opt-outs for targeted ads, it does not ban the underlying data collection for profiling and ad targeting. This means companies can continue to build detailed profiles on users unless each individual actively opts out of every service—a nearly impossible task in today’s digital ecosystem.

Other Notable Flaws

Weak opt-out defaults: Companies are not required to provide easy-to-use opt-out mechanisms; the burden is on consumers.
Inadequate data minimization: The bill does not require companies to collect only the data necessary for a specific purpose, allowing massive data hoarding.
Definitional loopholes: Broad exceptions for “de-identified” or “publicly available” data could let companies circumvent key protections.

Conclusion: A Retreat, Not Progress

The SECURE Data Act claims to provide national clarity on privacy, but in reality it offers a weak framework that preempts stronger state laws, lacks meaningful enforcement, and fails to address the core drivers of data exploitation. A serious federal privacy law would set a strong floor with a private right of action, encourage state innovation, and rein in harmful practices like behavioral advertising. Until such a law emerges, consumers are better off with the patchwork of state protections we have today—imperfect as they are—than with this backward-looking proposal.

For more on why federal privacy laws should preserve state rights, see our analysis of preemption and state laws above.

Tags: