TempMail Ninja

SECURE Data Act: House Proposes National Data Privacy Framework


The legislative landscape of the United States shifted significantly on April 22, 2026, as House Republicans introduced a duo of bills poised to fundamentally rewrite the rules of digital existence. The SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act) and the GUARD Financial Data Act represent the most aggressive attempt yet to harmonize the disparate, often conflicting “patchwork” of state-level privacy mandates into a single federal standard. For years, the lack of a comprehensive national privacy law has forced corporations to navigate a legal labyrinth, while consumers remained subject to varying levels of protection based solely on their ZIP code. With the introduction of these landmark bills, the 119th Congress has signaled its intent to finally assert federal authority over the data economy.

The SECURE Data Act: A New National Standard

Introduced by Representative John Joyce (R-Pa.) and backed by the House Energy and Commerce Committee, the SECURE Data Act (H.R. 8413) serves as the primary vehicle for non-financial data regulation. The legislation is built upon a framework of enforceable consumer rights that mirror several successful state models but elevate them to the federal level. At its core, the bill grants Americans five fundamental pillars of control over their personal information:

  • Right to Confirm and Access: Consumers can verify if a company is processing their data and request a comprehensive copy of that information.
  • Right to Correction: Individuals have the legal standing to demand that inaccuracies in their personal data be rectified.
  • Right to Deletion: Companies must purge personal data upon request, whether provided directly by the consumer or obtained via third-party tracking.
  • Right to Portability: Data must be provided in a portable, usable, and machine-readable format, allowing consumers to transition between services without losing their digital history.
  • Right to Opt-Out: The act specifically empowers users to opt out of targeted advertising, the sale of personal data, and profiling used for automated decisions with “legal or similarly significant effects.”

The SECURE Data Act is designed to apply to any entity processing the data of more than 200,000 U.S. consumers, a threshold that captures major digital platforms while providing a buffer for small businesses. Crucially, the bill mandates a 45-day curing period, allowing companies notified of a violation to resolve the issue before facing formal sanctions from the Federal Trade Commission (FTC) or state attorneys general.

Affirmative Opt-In and Sensitive Data Protections

Perhaps the most technically rigorous aspect of the SECURE Data Act is its treatment of sensitive data. Departing from the “notice and opt-out” model that has historically favored data-hungry corporations, the act requires affirmative opt-in consent for the processing of sensitive categories. This includes biometric identifiers, genetic information, precise geolocation data, and health-related information.

The bill also addresses a long-standing gap in protections for minors. While the Children’s Online Privacy Protection Act (COPPA) covers those under 13, the SECURE Data Act extends heightened protections to teenagers (ages 13–16). Under this provision, any data belonging to a minor is automatically classified as sensitive, requiring explicit parental or individual consent before collection. This “teen safety net” is a response to growing concerns regarding the impact of social media algorithms and data harvesting on adolescent mental health.

The GUARD Financial Data Act: Modernizing the GLBA

While the SECURE Act governs the broader digital economy, the GUARD Financial Data Act (H.R. 8398) targets the financial sector by modernizing the 1999 Gramm-Leach-Bliley Act (GLBA). Introduced by Representative Bill Huizenga (R-Mich.), the GUARD Act recognizes that the 26-year-old GLBA was written for a pre-smartphone, pre-AI era. The new legislation focuses on strict data minimization protocols, requiring financial institutions to limit their collection of nonpublic personal information (NPI) to only what is “adequate, relevant, and reasonably necessary” to provide a specific product or service.

In a significant shift for the banking industry, the GUARD Act grants current and former customers the right to request the deletion of their financial data. This move toward “The Right to be Forgotten” in finance is paired with a new requirement for AI transparency. Financial institutions must now disclose when and how artificial intelligence models are utilized in the processing of customer data, particularly when those models influence credit scoring or loan eligibility.

By establishing Title V of the GLBA as the uniform national standard for the financial sector, the GUARD Act effectively preempts state-level financial privacy laws, ensuring that a bank operating in New York and California follows the same protocols as one in Nebraska.

The Great Preemption Debate: Uniformity vs. State Rights

The most contentious element of the SECURE Data Act is Section 15, the sweeping preemption clause. This provision stipulates that no state may maintain or enforce any law that “relates to” the provisions of the federal act. This would effectively nullify the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and approximately 20 other comprehensive state privacy regimes.

Proponents of the SECURE Data Act argue that federal preemption is the only way to ensure American competitiveness. A single national standard lowers the barrier to entry for startups that currently face astronomical legal fees just to ensure compliance across 50 different jurisdictions. However, consumer advocates and Democratic lawmakers have labeled this a “race to the bottom.” Representative Frank Pallone (D-N.J.) criticized the bill for “protecting corporations and their bottom line,” arguing that it strips away the more robust protections found in states like California without offering a comparable federal substitute.

Enforcement and the Missing Private Right of Action

A primary point of friction between the GOP-led bill and privacy advocates is the absence of a private right of action. Under the SECURE Data Act, individuals cannot sue companies directly for privacy violations. Instead, enforcement power is centralized within the Federal Trade Commission (FTC) and state attorneys general. This centralized enforcement model is a hallmark of Republican privacy proposals, aimed at preventing “frivolous class-action litigation” that many fear would stifle innovation.

To compensate for the lack of individual litigation, the bill establishes a national data broker registry managed by the FTC. Data brokers—companies that collect and sell personal information without a direct relationship with the consumer—would be required to register and provide clear pathways for consumers to exercise their deletion and opt-out rights. Furthermore, the SECURE Data Act introduces a “safe harbor” program. Companies that adhere to a Department of Commerce-approved code of conduct would receive a rebuttable presumption of compliance, incentivizing industry-wide adoption of best practices.

Technical Compliance: Data Minimization and Transparency

For CTOs and data officers, the SECURE Data Act and GUARD Act impose rigorous technical mandates. Data minimization is no longer just a recommendation; it is a statutory requirement. Companies must implement systems that automatically purge data once the disclosed purpose for its collection has been met. This requires a sophisticated level of data mapping and lineage tracking that many legacy systems currently lack.

Transparency requirements are also heightened. Companies must disclose whether any personal data is being processed in or sold to foreign adversaries, specifically naming nations like China and Russia. This geopolitical dimension to data privacy reflects the 119th Congress’s broader focus on national security and the protection of the American “digital border.”

Conclusion: The Path Toward a Privacy-First America

The introduction of the SECURE Data Act and the GUARD Financial Data Act marks a watershed moment in the 2026 legislative session. By attempting to bridge the gap between corporate efficiency and consumer digital rights, House Republicans have set the stage for a high-stakes debate over the future of the American internet. While the lack of a private right of action and the aggressive preemption of state laws will undoubtedly face fierce opposition in the Senate, the bills provide a comprehensive blueprint for what a unified national privacy framework could look like.

As these bills move through the committee process, the eyes of the global tech community will be on Washington. The success or failure of the SECURE Data Act will determine whether the United States can finally move beyond its fragmented privacy past and emerge with a cohesive, 21st-century standard for data protection that rivals the European Union’s GDPR. For the American consumer, the promise is simple: a future where privacy is a right, not a geographical privilege.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.