On April 22, 2026, Republican members of the House Committee on Energy and Commerce introduced the Standardizing Electronic Commerce and Unifying Regulatory Enforcement (SECURE) Data Act. The proposed legislation aims to create a singular federal framework for data privacy and security, addressing the growing complexity of the domestic regulatory landscape. By establishing a national standard, the bill intends to provide businesses with regulatory certainty and reduce the compliance costs associated with the current patchwork of state-level privacy laws.
The most significant provision of the SECURE Data Act is the broad preemption of state privacy statutes. Under Section 401 of the bill, federal law would supersede existing comprehensive privacy acts in nearly 20 states, including the California Consumer Privacy Act and the Virginia Consumer Data Protection Act. The legislation specifies that no state may enforce any law, regulation, or standard regarding the collection, processing, or disclosure of personal information that differs from the federal requirements. Proponents of the bill argue that this uniformity is essential for the digital economy, where data flows across state borders.
In addition to state preemption, the SECURE Data Act explicitly prohibits a private right of action. This means that individual citizens would be barred from filing civil lawsuits against companies for alleged privacy violations or data breaches. Enforcement authority is instead consolidated within the Federal Trade Commission and state Attorneys General. The bill authorizes the FTC to treat violations as unfair or deceptive acts or practices under the FTC Act, allowing for civil penalties. However, the removal of the private right of action has drawn immediate criticism from privacy advocates who claim it strips consumers of their primary tool for holding large technology firms accountable.
Technical requirements within the bill mandate that covered entities implement reasonable data security practices and provide users with mechanisms to access, correct, and delete their personal data. The bill also requires companies to obtain affirmative express consent before collecting sensitive personal information, such as biometric data or precise geolocation. However, the definition of sensitive information in the SECURE Data Act has been a point of contention, as it excludes certain categories of data that are currently protected under more stringent state laws.
Official statements from the bill's sponsors emphasize that the legislation is designed to protect American innovation while ensuring a baseline of privacy for all citizens. Critics, however, argue that the bill effectively lowers the bar for consumer protection by overriding stronger state laws and limiting enforcement avenues. As of the afternoon of April 22, 2026, the bill has been formally referred to the House Committee on Energy and Commerce for consideration and further subcommittee hearings.