SECURE Data Act: U.S. Bill Proposes New Algorithmic Invisibility Rights

On April 22, 2026, the landscape of American digital privacy underwent a seismic shift with the formal introduction of the SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act) in the U.S. House of Representatives. Introduced by Representative John Joyce (R-PA) and supported by a powerful coalition including Energy and Commerce Committee Chairman Brett Guthrie, the bill represents the most significant federal attempt to date to consolidate the chaotic patchwork of state privacy laws into a singular, rigorous national standard. While the bill covers foundational rights—such as data access and correction—its most radical innovation lies in its adoption of “Algorithmic Invisibility,” a concept that moves beyond the “Right to be Forgotten” and into the realm of active immunity from artificial intelligence.

The Genesis of the SECURE Data Act: Ending the Privacy Patchwork

For years, the United States has operated under a fragmented privacy regime. Residents in California, Texas, and Virginia enjoyed varying degrees of protection, while those in other states remained largely exposed. The SECURE Data Act aims to rectify this by establishing a “national floor” for data protection that preempts existing state laws, creating a uniform compliance environment for businesses and a consistent set of rights for citizens. The bill’s introduction follows a year-long intensive by the Energy and Commerce Data Privacy Working Group, which synthesized feedback from over 170 organizations to draft a 21st-century framework.

At its core, the legislation mandates that companies limit their data collection to what is “adequate, relevant, and reasonably necessary” for disclosed purposes. This principle of data minimization is a direct challenge to the “collect-everything” ethos that has defined the last two decades of the internet economy. Furthermore, the act grants consumers the right to:

• Access and Portability: Obtain a copy of their personal data in a portable, machine-readable format.
• Correction and Deletion: Standardize the process for erasing a digital footprint across all commercial entities.
• Sensitive Data Protections: Require affirmative opt-in consent for the processing of sensitive information, including biometric, genetic, and geolocation data.
• Teen Privacy: Expand the Children’s Online Privacy Protection Act (COPPA) standards to include individuals under 16, requiring parental consent for data processing.

The Right to Algorithmic Invisibility: A New Frontier

The standout feature of the SECURE Data Act is the integration of the “Right to Algorithmic Invisibility.” This concept, which recently gained legal traction via California’s Digital Identity Protection Act, allows users to opt out of AI-driven profiling and behavioral prediction models. In the era of Generative AI and Large Language Models (LLMs), simply deleting a record from a database is no longer sufficient; the data may have already been used to “train” a model, influencing how an algorithm perceives or categorizes a person even after the original data is gone.

Algorithmic Invisibility provides a legal mechanism for individuals to demand that their data be excluded from the “inference” and “training” loops of AI systems. Practically, this means that a consumer can officially opt out of being “known” by a company’s predictive engines. If a user exercises this right, a lender’s AI cannot use past behavioral patterns to predict creditworthiness, and a social media platform’s recommendation engine cannot use a “shadow profile” to serve targeted content. It is, effectively, the right to become a “ghost” to the machine.

Technical Challenges of Machine Unlearning

Implementing the SECURE Data Act presents a massive technical hurdle for tech giants: Machine Unlearning. Traditionally, once a data point is ingested into a neural network’s weights during training, removing that specific influence is computationally expensive and theoretically complex. Unlike a SQL database where you can run a “DELETE” command, an AI model is a “black box” of interconnected probabilities.

To comply with “Algorithmic Invisibility,” companies may be forced to adopt one of three strategies:

1. Retraining from Scratch: Removing the opted-out data and retraining the entire model—a process that can cost millions of dollars in compute time.
2. Differential Privacy: Injecting statistical “noise” into datasets to ensure that no individual data point can be pinpointed, though this often reduces model accuracy.
3. SISA (Sharded, Isolated, Sliced, and Aggregated) Training: A modular approach where data is divided into shards; if a user requests deletion, only the specific shard containing their data needs to be retrained and re-aggregated.

The FTC Data Broker Registry: A Centralized Kill Switch

A frequent criticism of current privacy laws is the “friction of enforcement.” To delete one’s digital footprint today, a consumer must manually contact hundreds of obscure data brokers—companies like Acxiom, Epsilon, and CoreLogic—most of whom the average person has never heard of. The SECURE Data Act solves this by mandating the creation of a centralized **Data Broker Registry** managed by the Federal Trade Commission (FTC).

Under the new law, any entity that derives more than 50% of its annual revenue from the sale of data of individuals who are not its direct customers is classified as a “data broker.” These entities must:

• Register annually with the FTC and pay a registration fee.
• Disclose the types of data they collect and the third parties with whom they share it.
• Honored Global Deletion Requests: The FTC will maintain a “One-Stop-Shop” portal where a consumer can submit a single request that legally binds all registered data brokers to delete that individual’s data and stop future collection.

This “centralized kill switch” mirrors the logic of the “Do Not Call” registry but with significantly more teeth. The FTC, alongside state attorneys general, is granted robust enforcement powers, though the bill notably lacks a “private right of action,” meaning individuals cannot sue companies directly—a point of contention for some privacy advocates.

Impact on Surveillance Advertising and AI Training

The introduction of the SECURE Data Act signals the beginning of the end for “Surveillance Advertising”—the practice of tracking users across the web to build psychographic profiles for ad targeting. By allowing a blanket opt-out of behavioral profiling, the act forces the industry back toward contextual advertising (ads based on the content of the page you are currently viewing) rather than tracking-based advertising.

For the AI industry, the bill introduces a friction point in the data pipeline. Many AI models are trained on vast scrapings of the open web and purchased datasets from data brokers. If a significant percentage of the population utilizes the FTC registry to “go invisible,” the quality and diversity of training data may diminish. Developers of Generative AI will have to implement rigorous “data provenance” protocols to ensure that no “invisibilized” data accidentally enters their training sets, as the FTC has previously used “algorithmic disgorgement”—ordering the complete destruction of models built on illegally obtained data—as an enforcement tool.

The GUARD Financial Data Act: A Parallel Protection

Recognizing the unique risks of financial information, the SECURE Data Act was introduced alongside the GUARD Financial Data Act. This sister bill modernizes the 1999 Gramm-Leach-Bliley Act (GLBA) to account for modern fintech and AI. It ensures that banks and financial institutions provide the same deletion and “invisibility” rights for former customers, preventing financial profiles from being sold to third-party marketing firms under the guise of “financial insights.”

Criticisms and the Preemption Debate

Despite its premier status, the SECURE Data Act faces significant opposition from two sides. On one side, tech-heavy states like California argue that federal preemption would “water down” their existing, more aggressive protections. Critics note that the absence of a private right of action leaves enforcement entirely at the mercy of bureaucratic agencies like the FTC, which may be underfunded or politically influenced.

On the other side, industry lobbyists express concern over the “rebuttable presumption of compliance” for companies following voluntary codes of conduct. While the bill encourages industry-standard “Cross-Border Privacy Rules” (CBPR), small and medium-sized enterprises (SMEs) fear the compliance costs of the SECURE Data Act will solidify the dominance of Big Tech firms, who have the legal teams and infrastructure to manage complex “algorithmic invisibility” requests.

Conclusion: The Future of Data Sovereignty

The introduction of the SECURE Data Act marks a turning point in the digital age. By moving from a “reactive” privacy model—where we find out our data was leaked after the fact—to a “proactive” model of Algorithmic Invisibility, the U.S. is finally addressing the root cause of modern digital anxiety. The ability to systematically wipe one’s digital footprint through a centralized FTC registry provides a level of agency that was previously reserved for the technically elite.

As the bill moves through the 119th Congress, the world will be watching. If enacted, the SECURE Data Act will not just change how companies handle data; it will redefine the very relationship between the human individual and the algorithmic systems that seek to predict them. In 2026, the “Right to be Forgotten” has evolved into the “Right to be Invisible,” ensuring that in a world of total surveillance, the exit door is finally clearly marked.