
SECURE Data Act: What This Federal Privacy Law Means for Your Business

By Safna May 20, 2026


The United States has no single national privacy law. Rules vary across industries and states, so businesses must navigate a patchwork of state laws, sector-specific rules, and differing enforcement approaches. The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act) is a significant congressional proposal that aims to replace this fragmented system with unified federal data privacy legislation.

The proposed U.S. federal data privacy bill would establish national consumer rights. It would also set data minimization requirements and a national enforcement framework. If passed, the bill would override most state privacy laws and establish a single compliance standard for US businesses.

Bill text: H.R. 8413

Introduced: April 21, 2026

Enforcement authority: Federal Trade Commission

What is the SECURE Data Act?

If enacted, the SECURE Data Act would establish a national framework for consumer privacy rights and the protection of personal data.

Structurally, the bill draws from the Virginia Consumer Data Protection Act model. It defines controllers and processors, specifies consumer rights, and relies on FTC enforcement rather than a private right of action. As of May 2026, it has not advanced to a floor vote.

Who does the SECURE Data Act apply to?

The SECURE Data Act applies to entities covered by the FTC Act, and to telecom common carriers, that do business in the U.S., offer products or services to U.S. residents, or handle U.S. residents’ personal data.

Within that group, it covers companies that meet either of two thresholds:

  • they process personal data from more than 200,000 consumers a year and have at least $25 million in annual revenue, or
  • they process personal data from at least 100,000 consumers a year and earn 25% or more of their revenue from selling that data.

Personal data used only to complete payment transactions does not count toward the consumer thresholds.

Who is exempt from the SECURE Data Act?

The SECURE Data Act exempts a wide range of entities and data types. Exempt entities include government bodies, financial institutions covered by the Gramm-Leach-Bliley Act, HIPAA-covered entities, nonprofit organizations, and institutions of higher education, among others.

On the data side, specific categories are exempt from the bill’s scope. These include HIPAA-protected health information, education records under FERPA, employment and job applicant data, data regulated under the Fair Credit Reporting Act, data regulated under the Gramm-Leach-Bliley Act, and certain research data.

If a business already follows one of these sector-specific laws for certain data, the SECURE Data Act generally does not add new requirements for that same data.

What is personal data under the SECURE Data Act?

Under the SECURE Data Act, personal data means any information that identifies or could reasonably be used to identify a specific person. This is a broad definition. It covers obvious identifiers like names and email addresses, but also data that could identify someone when combined with other information.

The definition excludes two things:

  • deidentified data that cannot reasonably be linked back to an individual
  • publicly available information

Data processed in a commercial or employment context falls outside the definition, which means employee monitoring data and B2B contact data are generally not covered.

Precise geolocation data, biometric data, and genetic data are categories of personal data that receive additional protection as sensitive data under the bill.


What is sensitive data under the SECURE Data Act?

The SECURE Data Act defines sensitive data as a special category of personal data that receives stronger protection. Before a business can process this type of data, it must first obtain the consumer’s opt-in consent.

It includes personal data that discloses:

  • racial or ethnic origin
  • religious belief
  • mental or physical health diagnosis
  • sexual orientation
  • citizenship or immigration status
  • genetic or biometric data processed to uniquely identify a specific individual
  • personal data collected from a child (under 13) or a teen (ages 13 to under 16)
  • precise geolocation data.

Consent requirements under the SECURE Data Act

Under the SECURE Data Act, consent means a clear, affirmative choice by a consumer to allow processing of their personal data. It must be freely given, specific, and informed. Consent cannot be inferred from silence, inactivity, or a pre-ticked box, and it cannot be obtained through dark patterns.

The proposed federal data privacy legislation requires consent in two situations: before processing sensitive data, and before using data for any purpose beyond what was originally disclosed.

For children under 13, businesses must follow the Children’s Online Privacy Protection Act (COPPA), which requires verifiable parental consent. For teens aged 13 to under 16, businesses must also obtain verifiable parental consent before processing their sensitive data. This is a mandatory opt-in requirement with no exception.

Controllers must also allow consumers to withdraw consent. Once a consumer withdraws consent, the controller must stop processing the data for that purpose.

Consumer rights under the SECURE Data Act

Section 2 of the SECURE Data Act grants consumers five core privacy rights.

Right to access and confirm

Consumers can ask a business to confirm whether it is processing their personal data and request a copy of that data. However, a business does not have to reveal trade secrets when responding to this request.

Right to correction and deletion

Consumers can request corrections to inaccurate personal data. They can also request deletion of their personal data. Businesses have 45 days to respond to a request. If requests are complex or numerous, they may take an additional 45 days.

Right to data portability

Where technically feasible, consumers can request a copy of personal data they previously provided to a business, in a portable and readily usable format. This lets them move their data to a different business without hindrance.

Right to opt out of sale, targeted advertising, and profiling

Consumers may opt out of three types of personal data processing:

  • sale of their personal data
  • targeted advertising
  • profiling used to make decisions that produce legal or similarly significant effects on the consumer

Significant effects in this context include decisions about healthcare services, housing rentals or leases, and employment opportunities.

The law prohibits discrimination against a consumer for exercising any of these rights. That means a business cannot deny services, charge higher prices, or reduce service quality just because a consumer used a right. Voluntary loyalty programs that offer different pricing are permitted.

Opt-out requirements under the SECURE Data Act

Businesses must give consumers a clear and easy way to opt out of having their personal data used for targeted advertising, sale, or certain profiling. They must also describe this opt-out option in their privacy notice.


The bill does not require businesses to recognize universal opt-out signals such as the Global Privacy Control (GPC). Instead, Section 10 of the SECURE Data Act directs the Secretary of Commerce to study universal opt-out mechanisms first. So the bill as introduced would impose no obligation to honor such signals. Note, however, that several current state laws, including California’s, already require businesses to honor GPC, and those obligations remain in force unless and until the bill is enacted and preempts them.

Privacy notice requirements

Before processing personal data, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. 

The notice must cover: 

  • the categories of personal data processed and the purpose for processing them
  • how consumers can exercise their privacy rights and appeal controller decisions
  • the categories of personal data the controller shares with other controllers or government entities
  • the categories of controllers or government entities with which the data is shared
  • whether any personal data is transferred to or stored in a covered nation (a country of concern for national security purposes)

Business obligations under the SECURE Data Act

The SECURE Data Act places several obligations on controllers and processors. These requirements cover data minimization, security, consumer rights workflows, vendor contracts, and non-discrimination.

Data minimization and purpose limitation

Businesses must collect only data that is adequate, relevant, and necessary for the stated purpose. A business cannot use that data for a different purpose without first obtaining the consumer’s opt-in consent.

Data security

Businesses must put in place reasonable administrative, technical, and physical security measures. These should match the volume and sensitivity of the personal data they handle. A business may get a compliance safe harbor if it follows an approved code of conduct or a recognized data security framework.

Processor contracts

When a business hires a vendor to process data on its behalf, the two parties must sign a written contract. That contract must cover the processing instructions, the purpose, the type of personal data involved, the duration, and the rights and duties of each party. Vendors must also keep data confidential, delete or return it when directed, and allow audits.

Data brokers

The SECURE Data Act includes dedicated requirements for data brokers. A data broker is a business that collects personal data about people who are not its own customers or users and that earns 50 percent or more of its annual gross revenue from selling that data.

Data brokers must:

  • Post a conspicuous notice on their website disclosing that they are a data broker and explaining how consumers can exercise their rights.
  • Register with the FTC within 12 months of the act’s enactment, and renew that registration annually.

For businesses affected by federal data privacy legislation, the data broker rules are some of the most detailed and demanding in the entire bill.

What will happen to state data privacy laws?

Section 15 of the SECURE Data Act contains broad preemption language. In plain terms, it means no state or local government can create or enforce any law that covers the same ground as this Act.

This preemption is broad. It does not make exceptions for specific state laws such as the Illinois Biometric Information Privacy Act (BIPA), state consumer protection laws, or state-level equivalents of the Gramm-Leach-Bliley Act.

The practical impact is significant. If enacted, the SECURE Data Act would replace the current mix of US state data privacy laws. That includes well-known laws like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act. As a result, businesses currently managing compliance across multiple state data privacy laws would only need to follow one federal standard.

However, the Gramm-Leach-Bliley Act and HIPAA still apply under Section 14, which keeps those sector-specific federal laws intact. State-level privacy laws that cover the same ground as this bill, though, would no longer apply.

Enforcement and penalties under the SECURE Data Act

The Federal Trade Commission (FTC) is responsible for enforcing the SECURE Data Act. A violation is treated as an unfair or deceptive act or practice under the FTC Act.

State attorneys general also have enforcement authority. If a state AG believes residents’ interests are at risk, they can bring an action against a business in federal court to stop violations, enforce compliance, and recover damages. State AG actions are coordinated with the FTC, which may intervene in any state case.

The SECURE Data Act does not give consumers a private right of action. That means individual consumers cannot sue businesses directly for violations.

Before the FTC or a state AG can take enforcement action, they must first send the business a written notice explaining the alleged violation. The business then has 45 days to fix the issue and confirm in writing that it has done so. Enforcement can only move forward if the business fails to fix the violation or repeats it later.

SECURE Data Act vs. GDPR & CCPA

The SECURE Data Act and GDPR share several structural similarities.

  • Both define controllers and processors as distinct roles, both require data minimization, and both grant consumers access, correction, deletion, and portability rights. 
  • They also give consumers the right to opt out of automated profiling for significant decisions.

However, the GDPR goes further in several ways.

It requires a lawful basis for every processing activity, grants broader erasure rights, and allows individuals to object to processing. The GDPR also carries much higher penalties, up to 4% of global annual turnover or €20 million, whichever is higher. In addition, it established independent data protection authorities with ongoing oversight powers. By contrast, the SECURE Data Act relies on enforcement by the FTC and state AGs after a violation occurs.

Compared to the CCPA and its amendment, the CPRA, the SECURE Data Act is narrower in some areas. The CCPA applies to any business that meets one of its thresholds, including an annual revenue test of $25 million or more that applies regardless of how much data the business processes. The SECURE Data Act, however, requires businesses to meet both a revenue threshold and a data processing volume threshold. It also does not give consumers a right to know the specific third parties to whom their data was sold.

If enacted, the SECURE Data Act would preempt the CCPA for covered businesses and replace state-specific obligations with a single federal standard.

Criticism and concerns about the SECURE Data Act

The SECURE Data Act has drawn criticism from privacy advocates since its introduction. The biggest concern is its broad preemption of state data privacy laws, which would override the 21 existing state privacy laws. This is the same issue that stalled the American Privacy Rights Act (APRA) in 2024, when the California Privacy Protection Agency opposed it for weakening the CCPA. Critics argue that a federal floor that displaces stronger state laws may lower consumer protections rather than raise them.

Beyond preemption, the bill has no private right of action, meaning consumers cannot sue companies directly for violations. Critics also argue that its data minimization rule ties permissible use to what a company “disclosed” rather than to what is strictly necessary.

These concerns reflect the bill as introduced; the text may change significantly through committee amendments before any vote.

SECURE Data Act compliance checklist

This checklist is based on the bill’s current text. Use it as a planning tool, not as legal advice.

  • Determine whether your business meets the applicability thresholds.
  • Conduct a data inventory and mapping exercise to identify all personal data your business collects, processes, or sells.
  • Publish a privacy notice that covers the required disclosures.
  • Implement secure and reliable methods for consumers to exercise their rights.
  • Build a response workflow for consumer rights requests that meets the 45-day deadline.
  • Establish opt-in consent processes for sensitive personal data.
  • Establish verifiable parental consent processes for data collected from teens (ages 13 to under 16).
  • Implement opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
  • Review and update processor contracts.
  • Train relevant staff on consumer rights obligations and internal response procedures.
  • Monitor the bill’s progress through the House committees and any amendments that may follow.

FAQs on SECURE Data Act

Has the SECURE Data Act been passed into law?

No. As of May 2026, the SECURE Data Act is still a proposed federal data privacy bill. Rep. John Joyce introduced it on April 21, 2026. It was referred to committee and has not passed or become law.

How does the SECURE Data Act relate to other US federal data privacy laws like the Gramm-Leach-Bliley Act?

The SECURE Data Act explicitly keeps other federal laws in place, including the Gramm-Leach-Bliley Act, HIPAA, COPPA, the Fair Credit Reporting Act, and FERPA. It does not override them.

How does the SECURE Data Act compare to state data privacy laws currently in effect?

If enacted, the SECURE Data Act would preempt state data privacy laws currently in effect. This includes the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and other related state laws. Some state laws currently offer stronger protections, causing debate over whether federal preemption raises the baseline or removes better state protections.

Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.
