Why the SECURE Data Act Falls Short as a Consumer Privacy Law

The SECURE Data Act, recently proposed by House Republicans, claims to address consumer data privacy but contains significant weaknesses that would undermine existing protections. Below, we break down the bill's key flaws and what they mean for your privacy rights.

What is the SECURE Data Act and why is it considered weak?

The SECURE Data Act is a federal privacy bill introduced without bipartisan support in the House Energy and Commerce Committee. It is widely criticized for being weaker than previous congressional proposals and even most current state privacy laws. The bill would preempt dozens of state protections while offering consumers limited control over their data. Notably, it lacks a private right of action—meaning individuals cannot sue companies for privacy violations—and fails to ban online behavioral advertising, a core driver of data collection. Instead, it relies on weak opt-out mechanisms and includes large loopholes that benefit tech companies. Critics argue it is not a serious attempt to protect privacy but rather a retreat from already insufficient state safeguards.

How would the SECURE Data Act affect existing state privacy laws?

Section 15 of the SECURE Data Act would preempt any state law that “relates to the provisions of this Act,” effectively wiping out 21 state consumer privacy laws passed in recent years, as well as dozens of other related regulations. This goes against the principle of federal privacy laws setting a floor, not a ceiling. Other federal statutes like HIPAA and the Video Privacy Protection Act allow states to enact stronger protections. The SECURE Data Act would eliminate state innovations such as California’s data broker deletion tool and requirements for companies to honor automatic opt-out signals. While state laws are not perfect, they are often stronger than this federal proposal, and preemption would leave consumers with fewer protections.

Why is the lack of a private right of action a major flaw?

A private right of action allows individuals to sue companies for violating their privacy rights. The SECURE Data Act omits this crucial enforcement mechanism, leaving enforcement solely to the Federal Trade Commission (FTC) and state attorneys general. Without the ability to take legal action, consumers have little recourse when their data is mishandled. This is especially problematic given the FTC’s limited resources and backlog of cases. A private right of action creates a powerful incentive for companies to comply with the law and provides direct compensation to victims. Its absence means that even if companies violate the bill’s provisions, most people will have no way to hold them accountable, undermining the law’s effectiveness.

What rights does the bill give consumers, and where does it fall short?

The SECURE Data Act would grant consumers standard rights to access, correct, delete, and transfer their personal data. It also requires consent for processing sensitive data or using data for new purposes. However, these rights are overshadowed by significant shortcomings. For example, consumers can opt out of targeted advertising, data sales, and profiling that leads to legal or employment effects—but the burden is on the user to opt out, and companies can continue these practices until they receive an opt-out request. The bill also lacks strong data minimization requirements and includes broad definitional loopholes. Compared to the GDPR or even some state laws, these rights are weaker and less enforceable.

How does the bill handle online behavioral advertising?

Online behavioral advertising (OBA) is the practice of tracking users across websites to serve targeted ads. The SECURE Data Act does not ban OBA, which privacy advocates consider a major failure. Instead, it allows companies to continue tracking and targeting users unless individuals opt out. This opt-out approach is weaker than the opt-in consent required by many other privacy frameworks. Critics argue that OBA fuels an ever-increasing appetite for personal data and undermines privacy. By not banning or severely restricting OBA, the bill leaves the most invasive data practices intact. The preemption of state laws that might restrict OBA further compounds the problem.

What are the other major flaws in the SECURE Data Act?

Beyond preemption and lack of private right of action, the SECURE Data Act suffers from several additional flaws. It sets weak opt-out defaults—meaning companies can assume consent rather than requiring explicit permission. Data minimization requirements are inadequate, allowing companies to collect more data than necessary. The bill also contains large definitional loopholes that could exempt many types of data processing. For instance, it does not clearly cover data used for algorithmic decision-making or machine learning. Furthermore, it does not address the use of automated decision systems that may discriminate. These gaps mean that even if the bill passes, companies could easily circumvent its protections.

What does the bill require of data brokers?

The SECURE Data Act requires data brokers—companies that derive at least 50% of their profits from selling personal data—to register in a public database maintained by the Federal Trade Commission (FTC). This is a positive step toward transparency, but it has limitations. The registration requirement only applies to large data brokers, and the bill does not mandate that brokers obtain consent before collecting or selling data. Moreover, the public database may not include sufficient details about what data is being sold or to whom. While registration is useful, it falls short of meaningful oversight. Combined with the bill’s lack of private right of action, consumers have little power to challenge data broker abuses.