June 16, 2026

On April 22, 2026, members of the House Energy and Commerce (E&C) Committee’s Privacy Working Group (“Working Group”) introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (“SECURE Data Act”).
The SECURE Data Act is the product of more than a year of work by the Working Group, which consulted over 170 stakeholders and reviewed more than 250 written submissions. If enacted, the SECURE Data Act will establish a single national privacy standard and broadly preempt the patchwork of existing state consumer privacy laws, replacing them with a uniform federal framework.
Congress has considered comprehensive federal privacy legislation several times over the past several years. The SECURE Data Act represents the latest effort to establish a national privacy framework. The Working Group stated that its goal was to “reset the discussion on comprehensive data privacy by taking wide-ranging input from stakeholders and crafting a consensus bill that protects the privacy and security of Americans’ personal data.”
The E&C Subcommittee on Commerce, Manufacturing and Trade held a legislative hearing on the bill in June 2026. Key features of the bill include broad preemption of state privacy laws and no consumer private right of action. The bill includes a phased implementation timeline, with provisions on consumer rights, data security, and data brokers taking effect one year after enactment, and all remaining provisions taking effect two years after enactment.
The bill applies to entities subject to the Federal Trade Commission (FTC) Act, and to common carriers subject to Title II of the Communications Act of 1934 (which fall outside the FTC’s standard jurisdiction under existing law and are expressly covered), that conduct business in the United States or process or sell the personal data of U.S. residents, and meet one of two thresholds:
Why does this distinction matter? Under existing law, the FTC’s jurisdiction does not extend to common carriers, meaning companies that provide telecommunications services to the public, such as broadband internet service providers (ISPs) and traditional telephone companies. These entities are instead regulated by the Federal Communications Commission (FCC) under Title II of the Communications Act. Because these carriers handle significant volumes of consumer data but currently fall outside the FTC’s privacy enforcement authority, Congress has expressly included them within the SECURE Data Act’s scope. In practice, this means that a major broadband provider, such as a cable or phone company, will be subject to the same data privacy obligations under the bill as a technology company or online retailer already subject to FTC jurisdiction.
The bill exempts several categories of entities, including financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates, nonprofit organizations, and institutions of higher education. Data-level exemptions include HIPAA-protected health information, data subject to the Fair Credit Reporting Act (FCRA), and educational records subject to the Family Educational Rights and Privacy Act (FERPA). Data processed solely to complete a payment transaction does not count toward the applicability thresholds.
The bill grants consumers a set of rights with respect to a controller that are consistent with those found in most state comprehensive privacy laws. Under the bill, a controller is any entity that determines the purposes and means of processing personal data, meaning the business or organization that decides why and how consumer data is collected and used. Controllers bear the primary compliance obligations under the SECURE Data Act and are directly accountable to consumers for honoring their rights.
Specifically, the bill provides consumers with the following rights:
Controllers must respond to consumer requests within 45 days, provide a formal appeals process, and support at least two free requests per year per right. An additional 45-day extension is available when reasonably necessary, provided the controller gives the consumer notice and justification. The bill does not require controllers to recognize universal opt-out mechanisms, such as Global Privacy Control. Instead, it directs the Secretary of Commerce to conduct a study on the feasibility of such tools and report findings within three years of enactment. The bill also does not require data protection impact assessments or the designation of data protection officers.
Controllers must follow a strong data minimization standard, limiting collection to what is adequate, relevant, and reasonably necessary for disclosed purposes. The bill prohibits secondary uses of personal data unless they are reasonably necessary or compatible with the original disclosed purpose, or the controller obtains prior consumer consent. Before collecting personal data, a controller must provide a clear and accessible privacy notice disclosing the categories of data processed, the purposes for processing, how consumers can exercise and appeal rights, categories of third parties receiving data, and whether any data transfers involve North Korea, China, Russia, or Iran.
The bill extends compliance obligations to processors, who must act on controller instructions, assist controllers in fulfilling consumer rights requests and data security obligations, and enter into contracts specifying the nature, purpose, duration, and subject matter of processing. A processor is a person or entity that handles personal data on behalf of, and under the direction of, a controller. Processors must impose flow-down obligations on subcontractors and maintain confidentiality of personal data. Neither a controller nor a processor is relieved from liability by virtue of the other party’s role in processing.
Data security requirements call for reasonable administrative, technical, and physical safeguards calibrated to the volume and sensitivity of data processed. Controllers and processors may submit proposed codes of conduct to the Secretary of Commerce for approval. Compliance with an approved code creates a rebuttable presumption of compliance with the relevant provisions of the Act. A certification pursuant to the Global Cross-Border Privacy Rules (CBPR) system is treated as participation in an approved code of conduct. The bill also addresses cross-border data flows, designating the Secretary of Commerce as the principal advisor to the President on international personal data flows and authorizing the Secretary to enter into international agreements to promote cross-border data transfers.
The bill requires opt-in consent before processing sensitive data. The sensitive data category includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic data, biometric data processed to uniquely identify an individual, and precise geolocation data. Sensitive data shares some overlap with the concept of Personally Identifiable Information (PII), which refers to information that can be used to identify a specific individual, such as a name, address, or Social Security number, but the two are distinct. PII is a broad category that covers any data tied to a person’s identity. Sensitive data, as defined in the bill, is a narrower subset that describes categories of information that carry heightened privacy risks because of the potential for discrimination, harm, or exploitation if disclosed. For example, a person’s name and email address are PII, but not sensitive data under the bill. A person’s medical diagnosis or immigration status, by contrast, falls into both categories and triggers the stricter opt-in consent requirement.
The bill classifies the personal data of children under 13 as sensitive data and requires processing to comply with the Children’s Online Privacy Protection Act (COPPA). The bill extends sensitive data treatment to teens between the ages of 13 and 16, requiring verifiable parental consent for the processing of their personal data. This represents an expansion beyond COPPA’s current framework, which applies only to children under 13, and reflects an emerging trend in privacy law to extend additional protection to children over the age of 13. Consumer rights requests on behalf of children and teens may only be exercised by a parent, defined broadly to include natural parents, adoptive parents, legal guardians, and those with legal custody. Controllers that comply with COPPA’s consumer rights processes for children’s data requests are deemed compliant with the corresponding consumer rights requirements under the bill. The bill does not include a defined knowledge standard specifying when controllers must apply these age-specific protections.
The bill establishes a federal data broker registration framework. The bill defines a data broker as a controller that collects and processes personal data of consumers who are not customers or users of the controller’s products or services and derives at least 50 percent of annual gross revenue from the sale of that personal data. Data brokers must publicly disclose their status, register with the FTC annually, and provide the FTC with detailed disclosures, including categories of data sold and prior security incidents. The FTC must establish and maintain a searchable public registry of registered data brokers within 18 months of enactment, with links to each broker’s privacy policy and a mechanism through which consumers can exercise their rights.
The FTC and state attorneys general share enforcement authority. The FTC treats violations as unfair or deceptive acts or practices under Section 5 of the FTC Act. State attorneys general may bring civil actions on behalf of their residents in federal district court, subject to notice and coordination requirements with the FTC. The bill does not provide a private right of action. Before initiating an enforcement action, the FTC or state attorney general must provide written notice identifying the specific alleged violation and allow at least 45 days to cure. A written assurance that the violation has been corrected and will not recur eliminates liability for that specific violation.
The bill broadly preempts state laws that relate to its provisions. The bill explicitly preserves COPPA, GLBA, HIPAA, and FERPA, along with other existing federal sectoral privacy regimes. It also repeals the Video Privacy Protection Act (VPPA) and limits FCC jurisdiction over personal data practices to emergency services contexts.
The E&C Subcommittee on Commerce, Manufacturing, and Trade held a legislative hearing on the bill on June 3, 2026. Witnesses addressed a range of substantive policy questions raised by the bill, including the scope of its preemption provisions, its data minimization standard, and the absence of a private right of action. The next procedural step is a subcommittee markup, at which point members may introduce amendments before the bill advances to a full committee vote.
For organizations already operating under state privacy laws, the SECURE Data Act’s core structure aligns closely with existing frameworks. Data minimization, consumer rights workflows, opt-in consent for sensitive data, and controller-processor governance all mirror concepts found in state comprehensive privacy laws. Organizations should assess how the bill’s purpose limitation standard, teen data consent requirements, data broker definition, and broad preemption provisions (including potential interaction with sectoral state laws, such as Illinois’s Biometric Information Privacy Act and Washington’s My Health My Data Act) will affect their existing compliance programs, and monitor the bill’s progress as it advances through the legislative process.
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.