TempMail Ninja

SECURE Data Act: U.S. House Proposes National Privacy Standards


The Digital Sovereignty Shift: Unpacking the SECURE Data Act of 2026

On April 22, 2026, the legislative landscape of the United States reached a definitive crossroads. With the introduction of the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (H.R. 8413), colloquially known as the SECURE Data Act, House Republicans have launched the most significant attempt to date to federalize American privacy standards. Introduced by Representative John Joyce (R-Pa.) and championed by House Energy and Commerce Committee Chair Brett Guthrie (R-Ky.), the bill arrives at a moment of peak friction between burgeoning AI-driven data demands and a fragmented “patchwork” of more than 20 divergent state privacy laws. For the first time in the 119th Congress, a comprehensive framework has been proposed that seeks not only to empower the individual but to provide a “single, uniform ceiling” for a digital economy that has long struggled under the weight of regulatory inconsistency.

The SECURE Data Act is designed to replace the existing reactive model of data governance with a proactive, rights-based regime. By establishing clear federal standards for data minimization, consumer transparency, and corporate accountability, the bill aims to harmonize the U.S. market with global expectations, such as Europe’s GDPR, while maintaining a distinctly American emphasis on innovation and the prevention of “litigation lotteries.” However, as the legislative process begins, the Act is already igniting fierce debates over the limits of state authority and the mechanisms of enforcement that will define the next decade of American technology policy.

Establishing a National Standard: The Death of the Patchwork

The primary catalyst for the SECURE Data Act is the escalating economic and logistical burden of state-level privacy legislation. Since 2018, when California pioneered the CCPA, a total of 21 states have enacted their own comprehensive privacy frameworks. While these laws share common goals, their nuances in definitions, thresholds, and disclosure requirements have created a compliance nightmare for small and mid-sized enterprises (SMEs). Research cited during the bill’s introduction suggests that a full 50-state patchwork could cost the U.S. economy over $1 trillion over the next decade, with $200 billion of that burden falling on small businesses alone.

To solve this, the SECURE Data Act employs a “strong preemption” standard. Under Section 15, the Act stipulates that:

  • No state or political subdivision may maintain or enforce any law that “relates to” the provisions of the federal act.
  • The federal standard serves as a “ceiling,” not just a floor, preventing states like California or Texas from layering additional, more restrictive requirements on top of the national framework.
  • Existing state-specific registries for data brokers or specialized sectoral laws would be largely superseded, ensuring a frictionless interstate commerce environment.

This “relates to” phrasing is a critical technical detail. Unlike previous attempts at privacy legislation that left “wiggle room” for states to regulate niche areas, the SECURE Data Act seeks to occupy the entire field of consumer data privacy. For businesses, this means a singular set of engineering and legal requirements whether a customer is in Seattle, Washington, or Sarasota, Florida.

The New Bill of Data Rights for American Consumers

At the heart of the SECURE Data Act are five fundamental “Data Subject Access Rights” (DSARs) that grant Americans unprecedented control over their digital shadows. These rights are intended to be universal, regardless of the platform or service being used. Under the proposed legislation, every covered entity must provide a clear and conspicuous mechanism for consumers to exercise the following:

  1. The Right to Access: Consumers can request to know exactly what personal data a company has collected, the purposes for which it is being used, and the categories of third parties with whom it has been shared.
  2. The Right to Correction: If a data profile contains inaccuracies—such as an incorrect credit history or medical detail—the consumer has the legal right to demand the data controller rectify the information.
  3. The Right to Deletion: Often called the “Right to be Forgotten,” this allows users to request the permanent erasure of their personal data from a company’s servers, subject to limited exceptions for legal or security reasons.
  4. Mandatory Data Portability: Companies must provide consumers with a copy of their data in a usable and portable format, allowing them to switch services (e.g., from one social media platform to another) without losing their historical information.
  5. The Right to Opt-Out: The Act mandates a universal right to opt-out of targeted advertising and the sale of personal data to third-party brokers.

Furthermore, the SECURE Data Act introduces a nuanced approach to automated decision-making. It grants consumers the right to opt-out of “certain automated profiling decisions” that have legal or similarly significant effects, such as those used in housing, employment, or insurance eligibility. This provision is particularly relevant in the 2026 AI era, where algorithmic bias remains a major concern for federal regulators.

Protecting the Next Generation: The 13-16 Threshold

One of the bill’s most progressive—and technically demanding—provisions concerns the protection of minors. While the Children’s Online Privacy Protection Act (COPPA) has long protected children under 13, the SECURE Data Act identifies a new “sensitive” demographic: teens between the ages of 13 and 16. For this age group, the bill mandates verified parental consent (opt-in) before any personal data can be processed. This is a significant escalation from current state models, many of which allow 13-to-16-year-olds to provide their own consent. By reclassifying this data as “sensitive,” the Act places a heavy burden of proof on social media companies and gaming platforms to verify age and parental authority.

Technical Obligations: Data Minimization and Foreign Adversaries

The SECURE Data Act moves beyond “notice and choice”—the old model where a company could do anything as long as it was buried in a 50-page privacy policy. Instead, it adopts a normative data minimization model. Companies are legally required to limit the collection and processing of personal data to what is “adequate, relevant, and reasonably necessary” for the specific purpose disclosed to the consumer.

Additionally, the bill introduces a unique National Security Disclosure requirement. In response to growing concerns over data sovereignty, the Act mandates that companies must explicitly disclose if a consumer’s personal data is being processed in or sold to “foreign adversaries,” specifically naming China, Russia, Iran, and North Korea. This technical requirement forces transparency in the global supply chain of data, ensuring that Americans are aware if their information is subject to the jurisdiction of hostile regimes.

Applicability and Thresholds

To avoid crushing startups under the weight of federal regulation, the SECURE Data Act defines “Covered Entities” using specific technical and financial thresholds. The Act applies to any business that:

  • Collects and processes the personal data of more than 200,000 consumers annually AND has an annual gross revenue of $25 million or more.
  • OR, collects and processes the personal data of 100,000 or more consumers and derives 25% or more of its annual revenue from the sale of that data.

This excludes small, local businesses that do not trade in data as a primary commodity. It also establishes a partner bill, the GUARD Financial Data Act, which handles privacy for institutions already covered by the Gramm-Leach-Bliley Act (GLBA), ensuring there are no regulatory gaps in the financial sector.

The Enforcement Mechanism: Why There is No “Private Right of Action”

Perhaps the most contentious element of the SECURE Data Act is its enforcement structure. The legislation designates the Federal Trade Commission (FTC) as the primary enforcer, alongside State Attorneys General. Crucially, the bill omits a “Private Right of Action.” This means that an individual citizen cannot sue a company directly for a technical violation of the Act. Instead, they must report the violation to the FTC or their state’s top legal officer, who will then decide whether to pursue a civil action.

Republican lawmakers argue that omitting the private right of action is essential to prevent the “avalanche of frivolous lawsuits” that they believe would otherwise bankrupt tech innovators. By centralizing enforcement, they argue the law can be applied consistently and predictably. Opponents, however, including many Democratic leaders and consumer advocacy groups, argue that without a private right of action, the law is a “false promise” that leaves citizens at the mercy of potentially under-resourced federal agencies.

The “Rebuttable Presumption” and Codes of Conduct

To further incentivize compliance without resorting to litigation, the SECURE Data Act introduces a “Safe Harbor” mechanism through Voluntary Codes of Conduct. Under this system:

  • Industry groups or independent organizations can develop privacy “Codes of Conduct.”
  • These codes must be submitted to the Secretary of Commerce for approval, in consultation with the FTC.
  • If a company adheres to an approved code, it receives a “rebuttable presumption of compliance.” In any enforcement action, the burden of proof shifts to the government to prove that the company’s adherence to the code was insufficient to meet the Act’s standards.

Conclusion: A New Era for the 21st-Century Economy

The SECURE Data Act represents a seismic shift in how the United States conceptualizes digital identity and corporate responsibility. By attempting to bridge the gap between 21 disparate state laws and a single federal standard, House Republicans have laid down a marker for the future of the American internet. The bill’s emphasis on data minimization, minor protection, and national security transparency reflects the complex realities of the 2026 digital landscape.

While the debate over preemption and the private right of action will undoubtedly dominate the headlines, the technical foundations of the Act—H.R. 8413—offer a blueprint for a more stable, predictable, and rights-oriented digital market. As the bill moves toward committee markups, the stakes could not be higher: the final version of this legislation will decide whether the U.S. remains a fragmented collection of digital borders or emerges as a unified global leader in the privacy-first economy.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.