House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act”

On April 22, 2026, the House Energy & Commerce Committee announced the introduction of and intention to advance the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act, which was crafted by the majority committee members’ Privacy Working Group, would replace the state-by-state patchwork of consumer privacy laws in the U.S. and instead establish a single federal law. 

The SECURE Data Act primarily follows the consensus data privacy and security framework adopted by the majority of U.S. states that have enacted their own comprehensive consumer privacy legislation. The bill would apply to businesses subject to the FTC Act or common carriers subject to title II of the Communications Act of 1934 that conduct business in the U.S., process or sell personal data of U.S. residents, and either (1) process personal data of over 200,000 U.S. consumers annually and have at least $25 million in annual gross revenue or (2) process personal data of at least 100,000 consumers annually and derive at least 25 percent of their annual gross revenue from the sale of personal data. Notably, the bill uses a narrow definition of “sell,” limited to the exchange of personal data to a controller or governmental entity for monetary consideration only. Like many state comprehensive consumer privacy laws, the bill would exclude from application entities and data subject to HIPAA or GLBA, institutions of higher education, nonprofits, and employee and business-to-business representative data.

The bill would grant consumer privacy rights at the national level and provide U.S. consumers with the ability to request access, correction and deletion of their personal data from entities subject to the law. The bill also would provide consumers the ability to opt out of the processing of personal data for purposes of targeted advertising, sale, and certain automated decision making based on profiling. Also in line with many state comprehensive consumer privacy laws, the SECURE Data Act would impose data minimization, data security and vendor contracting requirements on controllers. If enacted, the SECURE Data Act would require controllers to obtain opt-in consent to process sensitive data (e.g., health, geolocation) and, notably, would require parental consent to collect personal data from teens (i.e., individuals who are 13 or over and under 16).

The SECURE Data Act also would establish a federal standard for data brokers (i.e., a controller that (1) collects and processes personal data of a consumer who is not a customer or client of the controller or a user, reader, or subscriber of a product or service provided by the controller and (2) derives 50% or more of annual gross revenue from the sale of such personal data). The bill would require data brokers to register annually with the Federal Trade Commission, which would establish and maintain a public registry of data brokers with links to their websites so consumers can exercise their privacy rights.

With respect to enforcement, the SECURE Data Act provides exclusive enforcement by the FTC and state Attorneys General, with a guaranteed 45-day notice-and-cure provision that requires the regulators to provide written notice to a controller or processor of the alleged violation, citing the specific provision of the Act alleged to have been violated, and to permit at least 45 days for the recipient to cure the alleged violation. The bill does not stipulate an expiration date for the notice-and-cure provision. Notably, the bill does not provide for a private right of action.

One of the most notable aspects of the SECURE Data Act, as currently drafted, is its preemption language, which has been a major point of contention for previous versions of federal consumer privacy bills. The bill prohibits state efforts that relate to the provisions of the SECURE Data Act, but notably does allow state regulators to bring actions to enforce the Act. In short, the bill seeks to preempt state comprehensive privacy laws to establish a single, uniform national data privacy and security standard for all U.S. consumers.
