House Republicans have introduced the Secure Data Act, a new legislative proposal aimed at establishing comprehensive digital privacy protections for American consumers. The bill, unveiled Wednesday, grants individuals more control over their personal information, focusing on data collection for targeted advertising, third-party sales, and automated decision-making processes.
The Secure Data Act outlines several key provisions designed to empower consumers. It mandates that companies clearly inform individuals when their personal data is being collected or utilized. Furthermore, it requires businesses to provide consumers with a portable version of their data and extends consent rights to parents concerning the data collected from teenagers. Representatives Brett Guthrie (R-Ky.) and John Joyce (R-Pa.) stated that the bill aims to ensure Americans remain in control of their data.
House Republicans Propose New Digital Privacy Legislation
The draft legislation also introduces stipulations for businesses regarding data collection. Companies will be required to limit the collection of personal consumer data to what is deemed adequate, relevant, and reasonably necessary for pre-disclosed purposes. Additionally, organizations must implement enhanced safeguards for customer personal data and disclose any third parties with whom data is shared or sold, including any foreign adversaries like Russia and China.
Strengthening Data Broker Oversight
A significant component of the Secure Data Act focuses on increasing oversight of data brokers. The Federal Trade Commission (FTC) would gain expanded authority to monitor data brokers that acquire, compile, and resell personal information. The bill mandates that data brokers register with the FTC, adhere to data minimization, disclosure, and security requirements, and establishes a national registry for these entities.
Cobun Zwiefel-Keegan, managing director at the International Association of Privacy Professionals, noted that the bill’s structure bears similarities to privacy laws recently enacted in states such as Virginia and Kentucky, emphasizing notification and opt-out rights for consumers. He also indicated that the legislation could potentially bolster the FTC’s and state Attorneys General’s powers to investigate and penalize non-compliant entities.
The Secure Data Act is the result of over 16 months of internal discussions and consensus-building within the Republican majority. A working group, led by Rep. John Joyce, actively sought input from 170 organizations and gathered over 250 public responses to a request for information released last year.
However, the drafting process did not involve Democratic members, a factor observers suggest could impede the bill’s ability to garner bipartisan support. While Republicans may argue that the bill reflects principles found in privacy laws passed in Democratic-led states, critics point to potential weaknesses.
Zwiefel-Keegan highlighted that the bill includes federal preemption of more stringent state privacy laws, such as California’s, and lacks a private right of action enabling individuals to sue companies directly. It also includes a mandatory 45-day “curing period” that allows companies to rectify violations before facing sanctions.
Republican leaders express optimism about the bill’s prospects out of committee, but its broader passage will likely depend on securing Democratic backing and navigating potential disagreements from representatives who may oppose the preemption of existing state laws.
Following the draft’s release, Rep. Frank Pallone (D-N.J.), ranking member on the House Energy and Commerce Committee, voiced opposition, stating the bill prioritizes corporate interests over consumer privacy. He argued that the legislation should empower consumers and should not preempt stronger state-level consumer protections at the behest of large technology companies.
Eric Null, director of the privacy and data project at the Center for Democracy and Technology, echoed concerns, asserting that the Secure Data Act contains “easily exploitable loopholes” allowing companies to avoid meaningful privacy protections by relying on standard practices like cookie banners and lengthy terms of service.
Null also criticized the bill’s handling of Artificial Intelligence (AI), noting that Large Language Models present significant and escalating privacy challenges. He stated that any federal privacy law in 2026 must be future-proofed against AI-related harms, including limiting data collection for AI training and preventing discriminatory uses, which he believes this bill does not sufficiently address.
The American Civil Liberties Union (ACLU) also opposed the bill. Senior staff attorney Cody Venzke stated that the legislation places the burden on individuals to navigate complex privacy policies to request opt-outs or data deletion and offers insufficient recourse, even preventing legal action if requests are ignored.
In their joint statement, Guthrie and Joyce indicated their intent to collaborate with colleagues to build support for the Secure Data Act, aiming to advance digital privacy protections suitable for the current economic landscape.
The next step for the Secure Data Act will be its consideration and potential advancement out of committee. The bill’s future remains uncertain, with significant debate expected regarding its balance of consumer rights and industry obligations, as well as its potential impact on existing state privacy laws.