Privacy Guide | July 1, 2026 | 9 min read

Understanding the Consumer Data Privacy and Security Act of 2026

By Sarah Chen

Head of Privacy Research

The United States still lacks a comprehensive federal privacy law, but the Consumer Data Privacy and Security Act of 2026 (S.4211) represents the latest serious effort to change that. Introduced by Senator Jerry Moran on March 25, 2026, the bill aims to create a uniform federal privacy and data-security framework that would replace the growing patchwork of state privacy laws with a single national standard. Here is what the bill proposes, how it compares to existing state laws like the CCPA, and what it would mean for your privacy rights if enacted.

What Is the Consumer Data Privacy and Security Act?

The Consumer Data Privacy and Security Act, designated S.4211, is a federal bill that would establish national standards for protecting Americans' personal data. Unlike sector-specific federal laws that cover only health data (HIPAA) or financial data (GLBA), this bill is comprehensive -- it would apply broadly to how companies collect, use, share, and secure personal information across all industries.

The bill has a companion in the House: the SECURE Data Act, which mirrors many of the same provisions. Together, these bills represent a coordinated push to move federal privacy legislation forward after years of stalled efforts, including the American Privacy Rights Act (APRA), which advanced through committee in 2024 but never reached a floor vote.

As of mid-2026, S.4211 is in the committee consideration stage, meaning it has been referred to the relevant Senate committee for review, hearings, and potential markup before it could advance to a full Senate vote.

Key Provisions of the Bill

Consumer Rights

The bill would grant Americans a core set of privacy rights that apply regardless of which state they live in:

  • Right to access: You could request to see what personal data a company has collected about you and how it is being used
  • Right to correct: You could demand that a company fix inaccurate personal information in its records
  • Right to delete: You could request that a company erase your personal data from its systems
  • Right to data portability: You could obtain a copy of your personal data in a usable, transferable format

These rights closely mirror what California residents already have under the CCPA and what Europeans have under the GDPR. The critical difference is that the Consumer Data Privacy and Security Act would extend these rights to all Americans, not just those in states that have passed their own privacy laws.

Clear Consent Rules and Privacy Policies

Companies would be required to follow clear consent rules governing how they collect and use personal data. The bill mandates written privacy policies that are transparent and accessible -- not the dense, legalistic documents that most consumers never read. Organizations would need to clearly explain what data they collect, why they collect it, how they use it, and who they share it with.

Mandatory Security Programs

Beyond privacy, the bill addresses data security directly. Companies would be required to implement and maintain mandatory security programs to protect the personal data they hold. This provision responds to the ongoing wave of data breaches that exposed billions of records in 2024 and 2025 -- many of which occurred because companies failed to implement basic security measures.

Service-Provider Contract Requirements

When companies share personal data with service providers, the bill would require formal contractual protections. These contracts must specify how the service provider can use the data, what security measures it must maintain, and what happens to the data when the contract ends. This closes a major gap in current law, where companies often hand off consumer data to third parties with minimal oversight.

Accountability for Very Large Data Holders

The bill includes additional accountability steps for very large data holders -- companies that process personal data on a massive scale. These heightened requirements recognize that the largest data processors pose the greatest privacy risks and should face proportionally greater obligations to protect consumer information.

What Federal Preemption Means for You

One of the most significant aspects of S.4211 is that it would preempt the current patchwork of state privacy laws. This means that instead of your privacy rights depending on whether you live in California, Colorado, Virginia, or a state with no privacy law at all, you would have the same baseline protections everywhere in the country. For the roughly 30 states that currently have no comprehensive privacy law, this would be a transformative improvement.

How It Compares to CCPA and State Privacy Laws

As of mid-2026, more than twenty states have enacted their own comprehensive privacy laws, with California's CCPA/CPRA remaining the strongest. This state-by-state approach creates real problems:

  • Inconsistent rights: A consumer in California has robust privacy protections, while a consumer in a state without a privacy law has almost none
  • Compliance burden: Businesses must navigate a maze of different requirements across states, which is especially difficult for small and mid-sized companies
  • Enforcement gaps: Data brokers can exploit jurisdictional gaps, operating in states with weaker or nonexistent privacy laws

The Consumer Data Privacy and Security Act would replace this patchwork with a single federal standard. Compared to the CCPA specifically:

  • Broader coverage: The CCPA applies only to California residents and only to businesses meeting certain revenue or data-volume thresholds. S.4211 would cover all Americans.
  • Security requirements: While the CCPA includes some security provisions, S.4211 goes further by mandating formal security programs and service-provider contracts.
  • Enforcement: The CCPA is enforced by the California Privacy Protection Agency and the California Attorney General. S.4211 would be enforced at the federal level by the FTC and at the state level by state attorneys general under coordinated rules.

However, the preemption question is the same one that sank APRA in 2024. Privacy advocates and states like California argue that a federal law should set a floor, not a ceiling -- meaning states should be free to enact stronger protections. The bill's supporters, including industry groups like the National Apartment Association (NAA), the National Multifamily Housing Council (NMHC), and the Real Estate Technology and Transformation Center (RETTC), argue that a uniform standard benefits both businesses and consumers by eliminating confusion and ensuring consistent protections nationwide.

Your Rights Today Are Not Guaranteed Tomorrow

Federal preemption is a double-edged sword. If S.4211 passes with strong provisions, Americans in states without privacy laws gain significant new protections. But if the federal standard is weaker than what states like California already provide, residents of those states could lose rights they currently have. The final text of the bill -- and any amendments made during committee markup -- will determine whether federal preemption helps or hurts consumers. Regardless of the outcome, taking proactive steps to protect your personal data remains essential.

Enforcement: FTC and State Attorneys General

The bill establishes a dual enforcement framework:

  • Federal Trade Commission (FTC): The FTC would serve as the primary federal enforcer, with authority to investigate violations and impose civil penalties on companies that fail to comply with the law's privacy and security requirements.
  • State Attorneys General: State AGs would have enforcement authority under coordinated rules, allowing them to bring actions against companies that violate the law within their states. This ensures that enforcement is not solely dependent on federal resources.

This dual approach addresses a common criticism of relying only on the FTC: the agency has limited resources and cannot pursue every violation. By empowering state attorneys general, the bill creates additional enforcement capacity while maintaining national consistency through coordinated rules.

Who Supports the Bill?

S.4211 has drawn support from several industry groups, particularly in the real estate sector. The National Apartment Association (NAA), National Multifamily Housing Council (NMHC), and Real Estate Technology and Transformation Center (RETTC) have publicly endorsed the bill, arguing that a uniform federal framework would simplify compliance for property managers and real estate technology companies that operate across multiple states.

The breadth of industry support -- and opposition -- will become clearer as the bill moves through committee consideration. Consumer advocacy groups will be closely scrutinizing the preemption provisions and whether the bill includes a private right of action that would allow individuals to sue companies directly for violations.

What This Means for You Right Now

The Consumer Data Privacy and Security Act is still in the early stages of the legislative process. Even under the most optimistic timeline, it would not take effect for months or years after passage. In the meantime, your personal data continues to be collected, sold, and shared by hundreds of data brokers with little federal oversight.

Here is what you can do today, regardless of which privacy laws exist or are pending:

  • Use a data removal service: PrivacyOn monitors and removes your personal information from 100+ data broker sites -- providing the kind of comprehensive protection that a federal law would make easier but that you do not have to wait for
  • Exercise your existing state rights: If you live in California, Colorado, Virginia, Connecticut, or one of the other states with privacy laws, use your right to request data deletion from companies and data brokers
  • Enable Global Privacy Control: This browser-level setting automatically tells websites not to sell or share your data, and it is legally recognized in California and several other states
  • Freeze your credit: Contact Equifax, Experian, and TransUnion to freeze your credit files, preventing identity thieves from opening accounts in your name
  • Stay informed: Follow the progress of S.4211 and its House companion, the SECURE Data Act, and contact your representatives to let them know federal privacy protection matters to you

The Bottom Line

The Consumer Data Privacy and Security Act of 2026 represents a meaningful step toward giving all Americans consistent privacy rights and data security protections. Its core provisions -- the rights to access, correct, delete, and port personal data, combined with mandatory security programs and FTC enforcement -- would fill gaps that state laws alone cannot address. But legislative progress is slow, and the preemption debate that derailed APRA in 2024 remains unresolved.

Until federal privacy legislation becomes law, your best defense is taking action now. Services like PrivacyOn help you exercise your privacy rights today by removing your personal data from the data broker ecosystem -- no matter which bills pass or fail in Congress.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
