House Republicans Release SECURE Data Act, Targeting Federal Privacy Standard

House Republicans introduced the SECURE Data Act in 2024, establishing comprehensive federal privacy standards that would preempt state laws while requiring data minimization and granting consumer acc

Martin Holloway | Published 2w ago | 6 min read | Based on 7 sources

House Energy and Commerce Republicans have introduced draft legislation that would establish the first comprehensive federal privacy framework in the United States while preempting all existing state-level privacy laws. The SECURE Data Act, released in 2024 alongside the companion GUARD Financial Data Act, represents the GOP's latest attempt to create uniform national standards for data protection across technology platforms and financial services.

House Energy and Commerce Chair Brett Guthrie (R-Ky.) led the introduction, working with a bipartisan coalition that includes Rep. Gus Bilirakis (FL-12) from the Energy and Commerce Data Privacy Working Group, and members from the House Financial Services Committee including Rep. French Hill (AR-02), Vice Chairman Bill Huizenga (MI-02), and Digital Assets Subcommittee Chairman Bryan Steil (WI-01). Rep. John Joyce (R-Pa.) also participated through his role in the Energy and Commerce data privacy working group.

Core Provisions and Technical Framework

The SECURE Data Act establishes data minimization as a foundational principle, requiring technology firms to limit consumer data collection to only what is necessary for specified business purposes. This represents a shift toward the principle-based approach seen in European frameworks, rather than the notice-and-consent model that has dominated U.S. privacy policy discussions.

The legislation grants consumers standard data subject rights, including the ability to access copies of personal data held by technology institutions. The framework targets what the bill defines as "controllers" — entities that determine the purposes and means of processing personal data — with specific focus on platforms that collect data from non-customers.

The bill establishes a federal definition for data brokers as controllers that derive 50% or more of their annual gross revenue from selling data collected from individuals who are not direct customers. This threshold-based approach provides clarity for compliance but may create edge cases for companies with mixed revenue models.

Federal Preemption Strategy

The most significant structural element of the SECURE Data Act is its comprehensive preemption of state privacy laws. The legislation would override existing comprehensive state frameworks, including California's Consumer Privacy Act (CCPA), Virginia's Consumer Data Protection Act (VCDPA), and similar statutes in other states that have moved ahead with their own privacy regimes.

However, the bill preserves enforcement mechanisms by allowing state regulators to bring actions under the federal standard. This creates a hybrid model where states retain enforcement authority while losing legislative flexibility to create tailored approaches for their jurisdictions.

The preemption strategy reflects a familiar pattern in technology regulation — federal lawmakers stepping in after states have established a patchwork of requirements that create compliance complexity for multi-state operations. We saw similar dynamics play out with data breach notification laws in the 2000s, though Congress never managed to pass comprehensive federal legislation in that space.

The International Association of Privacy Professionals has characterized the SECURE Data Act as most closely resembling privacy laws enacted in Virginia and Kentucky, rather than California's more expansive framework. This positioning suggests the Republican approach favors business-friendly implementation over the more aggressive consumer rights models emerging from progressive states.

Technical Implementation Challenges

For technology platforms, the SECURE Data Act would create new compliance obligations around data inventory and purpose limitation. The requirement to limit collection to "necessary" data introduces subjective interpretation challenges that companies will need to address through privacy engineering practices and documented business justifications for data processing activities.

The legislation's data broker provisions could affect advertising technology infrastructure, particularly real-time bidding systems and customer data platforms that aggregate information from multiple sources. Companies operating in these spaces will need to evaluate whether their revenue composition triggers the 50% threshold for data broker classification.

The federal standard approach may actually increase short-term compliance costs for platforms that have built systems around state-specific requirements. California-compliant systems, in particular, may require significant modification to align with the more limited consumer rights framework proposed in the SECURE Data Act.

Industry and Regulatory Context

The timing of this legislation reflects growing pressure on Congress to address the privacy regulatory gap as more states move forward with their own frameworks. Washington, Oregon, and Texas have all enacted comprehensive privacy laws scheduled to take effect in the coming years, while other states continue advancing similar legislation.

From an enforcement perspective, the hybrid federal-state model creates interesting dynamics. State attorneys general would retain the ability to investigate and prosecute violations, but under federal standards rather than state-specific requirements. This could lead to more consistent enforcement patterns while preserving the investigative capacity and local knowledge that state regulators bring to privacy enforcement.

The companion GUARD Financial Data Act signals Republicans' intent to address privacy across economic sectors, not just technology platforms. This sector-specific approach acknowledges the different risk profiles and regulatory contexts that apply to financial data versus general consumer information.

What This Enables

The SECURE Data Act represents a pragmatic compromise between industry demands for regulatory certainty and consumer advocates' calls for stronger privacy protections. By establishing federal floor standards while preserving state enforcement, the legislation could provide the foundation for more consistent privacy practices across the technology sector.

For developers and privacy engineers, a single federal standard would simplify compliance architecture and reduce the complexity of multi-jurisdictional data handling requirements. This could accelerate adoption of privacy-by-design practices that are currently complicated by varying state requirements.

The broader context here suggests Congress may finally be ready to move on comprehensive privacy legislation after years of false starts. The bipartisan nature of the sponsorship and the pragmatic approach to state preemption indicate this iteration may have better prospects than previous attempts that failed to bridge the gap between business interests and privacy advocates.