They say the third time’s the charm, but we’d be surprised if that held true for this third major swing at comprehensive federal data privacy legislation.
On April 22, 2026, Rep. John Joyce (R-PA) introduced HR 8413—which, of course, has a delightful backronym: The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or SECURE Data Act.
It’s the first major federal consumer privacy bill released in years, the product of over 14 months of stakeholder engagement by the House Energy and Commerce Data Privacy Working Group, chaired by Rep. Brett Guthrie (R-KY).
For privacy professionals, this bill deserves close attention—even if its final form, assuming it ever reaches enactment, may look quite different from what was introduced. But if you were in the privacy space when APRA and ADPPA were making the rounds, you’re no doubt tired of hearing that.
So, here’s the TL;DR for the SECURE Data Act: With an explicit preemption for state privacy laws, it sports the same Achilles’ heel as APRA and ADPPA. Will this time be different?
What the SECURE Data Act Does
At its core, the SECURE Data Act establishes a national framework for consumer privacy rights, including:
- The right to access their personal data
- The right to correct their data
- The right to request their data’s deletion
- The right to receive their data in a portable format
- The right to opt out of targeted advertising, data sales, and profiling used for legally significant decisions (albeit only for fully automated profiling with no human involvement)
This is essentially the basic privacy rights package you see across US privacy laws.
Additionally, the bill adopts distinct obligations for controllers and processors, requires opt-in consent for sensitive data, and creates a data broker registration requirement with the FTC.
Enforcement would be split between the FTC and state attorneys general—but critically, there is no private right of action, consistent with the approach taken by most state privacy laws.
The SECURE Data Act is designed to work in tandem with the companion GUARD Financial Data Act, which applies similar principles to financial services companies, together forming a single national standard. Both bills carry the backing of powerful committee chairs: House Energy and Commerce Chair Guthrie and House Financial Services Chair French Hill (R-AR), though unlike the previous attempts at a federal privacy law—APRA and ADPPA—it lacks broad bipartisan support.
How It Differs from State Laws
The SECURE Data Act's most defining structural feature is its approach to federal preemption: it would override all existing state-level privacy laws. This makes federal law not a floor that states can build upon, but an absolute ceiling. As we mentioned above, this is likely the single most controversial feature of the bill.
The bill's baseline most closely resembles the Virginia and Kentucky privacy laws, emphasizing notice and opt-out rights and tying business compliance to "reasonable" standards—a notably lighter touch than the stricter mandates found in California's CCPA.
On youth privacy, the bill goes further than most states: data from teens under 16 would be classified as sensitive and require opt-in consent with verified parental consent. COPPA, in contrast, kicks in for under-13-year-olds.
The bill also recognizes participation in Global Cross-Border Privacy Rules (CBPRs) as a compliance pathway—an international interoperability provision absent from virtually all state frameworks.
Compliance with codes of conduct recognized by the Secretary of Commerce provides a rebuttable presumption of compliance with the SECURE Data Act—meaning that businesses that comply with these codes would not have to prove compliance with the SECURE Data Act, but rather a challenging party would have to prove non-compliance. The CBPRs are one such recognized code of conduct.
Points of Controversy
The bill's most contentious feature is also its most structurally significant: broad federal preemption functioning as a ceiling. This is not a new problem—both the ADPPA (2022) and APRA (2024) drew sharp criticism from state privacy advocates who argued Congress should "set a floor, not a ceiling." The SECURE Data Act repeats that pattern, arguably more aggressively, by preempting even the carve-outs those earlier bills preserved.
Critics also point to substantive weaknesses. The Center for Democracy and Technology's Eric Null called the bill full of "easily exploitable loopholes" that let companies hide behind cookie banners and terms of service. Null also argues that the bill’s data minimization language lacks teeth. And the bill is notably silent on AI and large language models, a significant gap given the privacy risks that generative AI presents.
Lastly, it shares a common feature with some of the more business-friendly state privacy laws: the lack of any requirements around privacy impact assessments or universal opt-out mechanisms.
Chances of Enactment
To become law, the bill must clear a House subcommittee (where a hearing is expected soon), survive a full House vote, pass the Senate—where it would need 60 votes to overcome a filibuster—and be signed by the President. That's a high bar, and the current political landscape presents real headwinds.
On the one hand, the bill’s sponsors deliberately spent over a year building intra-Republican consensus before introducing the bill, a direct response to the last-minute Republican defections that killed a prior privacy bill at the committee stage. Strong committee chair backing on two fronts gives the bill credible momentum toward an early vote.
But the obstacles are substantial. Democratic leadership is vocally opposed: Ranking Member Frank Pallone (D-NJ) accused Republicans of having "lost the plot," saying the bill "protects corporations and their bottom line, not people's privacy."
State-level privacy advocates are equally critical. Tom Kemp, Executive Director of CalPrivacy, issued a statement calling it "not a real step forward for privacy," arguing the bill "seeks to eliminate existing rights and protections" and "would leave tens of millions of Americans less protected than they are today."

The preemption issue is likely the single biggest obstacle to Democratic buy-in, but the lack of a private right of action is a challenge as well. Sen. Cantwell opposed the ADPPA in part due to that omission, and private rights of action remain one of the most consistently divisive provisions in federal privacy debates—championed by Democrats and rejected by Republicans.
Here We Are All Over Again
The SECURE Data Act is the most serious Republican attempt at comprehensive federal privacy legislation in years, but unlike previous federal privacy legislation, it’s a solely Republican attempt at the moment. The bill lacks the broad bipartisan support that previous federal privacy laws enjoyed–and those died on the vine anyways.
The bill enters a legislative environment with familiar fault lines—preemption, enforcement, and private rights of action—that have derailed every prior effort.
Privacy professionals should track it closely and consider their compliance programs against its framework. Just don't assume the bill that eventually becomes law—if any does—will look much like the one introduced recently. Whatever the bill’s ultimate fate, we’ll be sure to keep you up to date on it, state privacy laws, and data privacy writ large in the Privacy Insider newsletter.
Matt Davis, CIPM (IAPP)
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.