Congressional republicans are now trying to pass new legislation that would establish national standards for protecting privacy rights, and also put an end to lawsuits seeking damages from American businesses for state consumer privacy law violations.
Even as the bill works its way forward, it’s received significant opposition from trial attorneys, privacy advocates, and Democratic attorneys general in states whose courts have handed out big-dollar verdicts, such as California and Illinois.
What is the SECURE Data Act?
Known by supporters as the SECURE Data Act, the short title stands for “Safeguarding and Enhancing Cybersecurity and Understanding Rights of Every Data Subject Act.”
Republican lawmakers, including Representatives Russell Fry (R-SC-7) and Thomas H. Kean (R-NJ-7), introduced the legislation on April 21, 2026. A day later, the House Financial Services Committee and the House Energy & Commerce Committee announced a joint effort to advance the SECURE Data Act with the GUARD Financial Data Act “to provide Americans more control over their personal data, create a uniform national framework to promote competition, and improve consumer choice by increasing access to financial products and services for all Americans.”
The bill provides that a consumer has the following privacy rights with respect to a controller, which is defined as “a person that, alone or jointly with others, determines the purpose and means of processing personal data”:
1. To confirm whether a controller is processing the personal data of the consumer and has access to a copy of such data, unless the confirmation and access would require the controller to reveal a trade secret.
2. To correct any inaccuracy in the personal data of the consumer, taking into account the nature of the personal data and the purpose of processing the personal data.
3. To delete personal data provided by or obtained about the consumer.
4. If the data is available in a digital format, and to the extent technically feasible, to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance.
5. To opt out of the processing of the personal data for the following purposes:
Targeted advertising.
The sale of personal data.
Reliance on profiling to make a decision that has a legal or similarly significant effect on the consumer.
The proposed law would give citizens a legal right to know what personal information a company has about them and access to that personal data. Consumers would be permitted to correct inaccurate information or delete the information. Plus, Americans could opt out of targeted advertising, the sale of their personal data, and any processes that use profiling or automated systems that make decisions that could impact them.
In addition, the SECURE Data Act would forbid businesses from collecting certain sensitive data, like biometric, health, precise geolocation data, and financial information, from consumers without their consent.
Proponents’ View
Those supporting the SECURE Data Act assert that the bill is necessary to address a "patchwork" of state privacy protection laws that have generated billions of dollars for trial lawyers from thousands of individual and class action lawsuits, while creating uncertainty and risk for American tech companies seeking to advance new technologies and for other companies adopting that tech.
California’s state privacy laws have been the subject of numerous lawsuits in the past few years. The proposed legislation would specifically eliminate the right of private action that allows such lawsuits under state laws and also preempt existing and new state laws that might look to go beyond the parameters of the proposed federal law.
Supporters of the legislation include Representative John Joyce (R-PA) and House Energy and Commerce Committee Chairman Brett Guthrie (R-KY). They argue that the bill is needed to level the playing field and create one national standard on privacy rights.
“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Representative Joyce said in April when the legislation was introduced. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”
Support from the Business Community
The bill has garnered strong support from the business community, including the U.S. Chamber of Commerce. An open letter co-signed by other state and local chambers of commerce from throughout the United States, was submitted Rep. Guthrie and the House Energy and Commerce Committee. In the letter, the Chamber "urged" the committee to advance the legislation in the House.
"The SECURE Data Act would establish a single national privacy standard with robust consumer protections that builds upon a strong framework already adopted in 20 states," the Chamber wrote in the June 2 letter. "Those protections include data minimization and sensitive data requirements, as well as access deletion, correction, and opt-out rights.
"Importantly, this legislation will also help small businesses who are disproportionately impacted by the regulatory confusion caused by a patchwork of state privacy laws."
Opponents Ask Lawmakers Not To Take Up the Bill
The Electronic Frontier Foundation, an online privacy advocacy group, has criticized the proposed legislation, particularly its attempt to limit lawsuits and cede enforcement to government regulators. They noted that this provision is “most troubling” because the Foundation thinks that "strong consumer privacy laws should allow consumers to take companies to court to defend their own rights."
Likewise, Democratic attorneys general in several states have asked Congress to allow their state laws to stand and reject attempts to create a federal privacy protection replacement standard.
In a recent letter by California Attorney General Rob Bonta, the group of 18 state attorneys general urged federal legislators to clarify that individual states remain free to set different, more stringent privacy standards, including those that enable a range of lawsuit risk for companies that operate across state lines.
They said states should keep the power to "rapidly respond to the evolving data landscape," as they see fit.
"A robust federal data privacy law is one that maximizes protections for consumers by setting a floor, not a ceiling, to allow states to continue to innovate and quickly adapt to the ever-evolving technology industry," the Democratic attorneys general wrote.
"... As the data economy has grown, states across the political spectrum have enacted thoughtful privacy legislation that meets the unique needs of their residents, including heightened protections for minors and sensitive consumer data, limits on how data may be used and retained, and requiring that businesses honor tools such as universal opt-out preference signals to make it easier for consumers to exercise their rights.
"The SECURE Data Act would wipe out these meaningful protections and leave consumers with a privacy regime that makes it harder to exercise their rights, gives businesses more discretion on how to use and retain their data, and significantly limits enforcement remedies."
Bonta separately claimed that the proposed federal law “would hamper the ability of California to adequately protect the privacy of its citizens” by overriding California’s growing body of laws dedicated to expanding privacy rights, while also expanding the ability of people to sue.
Takeaway
This consumer privacy bill, if enacted, would restrict state laws that regulate privacy topics and eliminate consumers’ right to sue to protect their own rights (a private right of action). In addition, the law would impact how businesses use consumer information. If you have any questions regarding this issue, contact us at Eanet, PC. We'll continue to monitor this legislation.