BlogLine

SECURE Data Act: Congress introduces new federal privacy framework

5/29/26

cyber security in two-step verification, Login, User, identification information security and encryption, Account Access app to sign in securely or receive verification codes by email or text message.

By: Jacob Berlinger & David Cole

On April 21, 2026, Representative John Joyce (R‑PA) introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the “SECURE Data Act”) in the House of Representatives. The bill represents the latest effort to establish a comprehensive national framework for consumer privacy rights.

Key provisions of the proposed SECURE Data Act

(1) Scope of the SECURE Data Act

The SECURE Data Act would generally apply to an entity that (a) conducts business in the U.S. or offers for use or sale to a resident of the U.S. a product or service, or (b) processes or engages in the sale of personal data of a resident of the U.S., and

(a) Collects and processes personal data of more than 200,000 consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and has an annual gross revenue of $25 million or more (as adjusted for CPI annually);

or

(b) Collects and processes personal data of 100,000 or more consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and derives 25% or more of its annual gross revenue from the sale of personal data.

(2) Consumer rights

The bill adopts a familiar consumer rights–based approach consistent with state privacy laws, including rights to know, access, correct, delete, and obtain a portable copy of personal data, as well as the right to opt out of certain processing activities, such as targeted advertising and data sales.

(3) National data broker registry

The SECURE Data Act would create a national data broker registry that requires data brokers to publicly register with the Federal Trade Commission (FTC) and provide disclosures regarding their data practices. The bill would define a “data broker” as a controller that:

(1) collects and processes personal data concerning a consumer who is not a client of or a user of a product or service provided by the controller; and

(2) derives at least 50% of its annual gross revenue from personal data sales.

(4) Regulatory enforcement

The bill would entrust enforcement to the FTC and state attorneys general. The bill also would establish a 45-day cure period. As is generally the case under all state privacy laws, the SECURE Data Act would not provide consumers a private right of action.

(5) Preemption

The SECURE Data Act includes a broad preemption provision, stating that “[n]o State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law … if such provision relates to the subject matter of this Act.” This language reflects a “ceiling” preemption approach, under which federal law would operate as both a floor and a ceiling, preventing states from imposing additional or differing privacy requirements within the Act’s scope. The provision has already drawn criticism from California officials, who have characterized the Act as “substantially weaker” than existing state protections.

(6) Sensitive data and protections for children

The Act requires affirmative opt-in consent before the collection or processing of “sensitive data,” a category that largely tracks existing state definitions but notably extends verifiable parental consent requirements to teens (individuals aged 13 to under 16), going beyond COPPA, which applies only to children under 13.  For children under 13, the Act defers to COPPA’s consent framework for the sensitive-data requirement, but the remainder of the SECURE Data Act’s obligations, including data minimization, privacy notices and data security, still apply in parallel.

What the SECURE Data Act means for businesses

The SECURE Data Act represents a significant push toward establishing a comprehensive federal privacy framework grounded in widely adopted state law principles, with the potential to replace fragmented, state-by-state policymaking with a more cohesive national approach.

We will continue to monitor the legislative process. If you have questions about this development and what it could mean for your organization, please reach out to Jacob Berlinger at jacob.berlinger@fmglaw.com, David Cole at david.cole@fmglaw.com or your local FMG attorney. 

Information conveyed herein should not be construed as legal advice or represent any specific or binding policy or procedure of any organization. Information provided is for educational purposes only. These materials are written in a general format and not intended to be advice applicable to any specific circumstance. Legal opinions may vary when based on subtle factual distinctions. All rights reserved. No part of this presentation may be reproduced, published or posted without the written permission of Freeman Mathis & Gary, LLP.

Share

Save Print

FMG Law Firm Services for Insureds – Emergency Legal Support Blogline