On April 22, 2026, the House Energy and Commerce Committee introduced the SECURE Data Act -- the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act. If enacted, it would be the first comprehensive federal privacy law in the United States, replacing the growing patchwork of state-level privacy regulations with a single national standard. Here is what the bill includes, how it would affect your privacy rights, and what it means for the data broker industry.
What Is the SECURE Data Act?
The SECURE Data Act is a proposed federal privacy bill that would establish uniform consumer data protection rights across all 50 states. Right now, Americans rely on a fragmented system of state privacy laws -- California's CCPA, Virginia's VCDPA, Colorado's CPA, and roughly 20 others -- each with different rules, thresholds, and enforcement mechanisms. The SECURE Data Act would replace that patchwork with a single federal framework, giving every American the same privacy rights regardless of which state they live in.
The bill was introduced by House Republicans on the Energy and Commerce Committee, and it follows years of failed attempts to pass comprehensive federal privacy legislation, including the American Data Privacy and Protection Act (ADPPA) that stalled in 2022.
Why Federal Privacy Legislation Matters
As of 2026, more than 20 states have enacted comprehensive privacy laws, but the majority of Americans still live in states with no comprehensive data privacy protections at all. A federal standard would close that gap and ensure baseline rights for every consumer in the country -- not just those in privacy-forward states like California.
Key Consumer Rights Under the SECURE Data Act
The bill grants consumers a core set of privacy rights that mirror what exists under the strongest state laws:
- Right to access: You can request a copy of the personal data a company has collected about you.
- Right to correct: You can ask companies to fix inaccurate personal data they hold.
- Right to delete: You can request that a company erase your personal data from their systems.
- Right to data portability: You can obtain your data in a portable format and transfer it to another service.
- Right to opt out: You can opt out of targeted advertising, the sale of your personal data, and profiling that produces legal or similarly significant effects.
These rights would apply uniformly nationwide, eliminating the current situation where your protections depend entirely on your state of residence.
Enhanced Protections for Sensitive Data and Minors
The SECURE Data Act draws a clear line around sensitive categories of personal information. Companies would be required to obtain opt-in consent before collecting or processing sensitive data, including:
- Health and medical information
- Precise geolocation data
- Biometric data
- Financial account information
- Social Security numbers
The bill also includes specific protections for teenagers. For individuals aged 13 to 16, companies must obtain verifiable parental consent before collecting their personal data. This goes beyond the existing COPPA framework, which only covers children under 13, and acknowledges that teens are particularly vulnerable to data exploitation by social media platforms, ad networks, and data brokers.
Data Minimization Requirements
One of the bill's most significant provisions is a data minimization standard. Companies would be restricted from collecting personal data beyond what they have disclosed to consumers as necessary for their services. While privacy advocates have noted this standard is tied to what a company "disclosed" rather than what is strictly necessary -- a meaningful distinction -- it still represents the first federal data minimization requirement and would limit the widespread practice of companies hoarding data far beyond what their core products require.
A National Data Broker Registry
For the first time at the federal level, the SECURE Data Act would directly regulate data brokers. The bill requires:
- Mandatory FTC registration: Within 12 months of enactment, all data brokers must register with the Federal Trade Commission and pay a registration fee.
- Public registry: Within 18 months, the FTC must create a publicly searchable central registry of all registered data brokers, including their legal names, contact information, categories of personal data they sell, and links to their opt-out mechanisms.
- Disclosure requirements: Registered brokers must describe the categories of data they collect and sell, and disclose any unauthorized access incidents they have experienced.
This national registry would function similarly to what California established under the DELETE Act, but would apply to data brokers operating in every state. Consumers would finally have a single, authoritative source to identify which brokers hold their data and how to request removal.
A Federal Registry Does Not Mean Automatic Removal
While the proposed FTC data broker registry would make it easier to identify brokers and find their opt-out links, it would not automatically delete your data. You would still need to submit individual removal requests to each broker -- or use a service like PrivacyOn that handles opt-outs on your behalf across 100+ brokers, with continuous monitoring to catch re-listings as they appear.
Which Businesses Would Be Covered?
The SECURE Data Act does not apply to every business. The bill establishes two coverage thresholds:
- Businesses that process the personal data of 200,000 or more U.S. consumers annually and have at least $25 million in annual gross revenue.
- Businesses that derive 25% or more of their gross revenue from the sale of personal data and process data from at least 100,000 consumers.
This means small local businesses would generally be exempt, while large data brokers, tech platforms, advertising networks, and major retailers would fall squarely within scope. The second threshold specifically targets companies whose primary business model revolves around selling consumer data -- the data broker industry at its core.
Enforcement: FTC and State Attorneys General
The bill assigns enforcement authority to the Federal Trade Commission and state attorneys general. The FTC would develop regulations, maintain the data broker registry, and bring enforcement actions against companies that violate the law. State AGs could also bring cases under the federal standard.
Notably, the SECURE Data Act does not include a private right of action. Consumers would not be able to sue companies directly for privacy violations under this law. This has drawn criticism from consumer advocacy groups who argue that FTC enforcement alone is insufficient, particularly given the agency's limited resources relative to the scale of the data economy. Proponents of the bill counter that eliminating private lawsuits reduces frivolous litigation and creates a more predictable regulatory environment for businesses.
State Law Preemption: The Biggest Debate
Perhaps the most controversial aspect of the SECURE Data Act is its broad preemption of state privacy laws. The bill would supersede state laws that "relate" to its provisions, which in practice means:
- California's CCPA/CPRA would be preempted, including its private right of action for data breaches
- The California DELETE Act and its DROP platform for one-click data broker removal would be preempted
- State data broker registries in California, Vermont, Oregon, and Texas would be replaced by the federal registry
- All other comprehensive state privacy laws -- more than 20 as of 2026 -- would be superseded
Supporters argue that a single national standard reduces compliance costs for businesses and eliminates consumer confusion caused by inconsistent state rules. Critics, particularly California lawmakers and privacy advocates, contend that the federal bill would weaken protections that states have already established. California's CCPA, for example, includes a private right of action for data breaches and has stronger enforcement provisions than the federal proposal.
What This Means for Your Privacy Right Now
The SECURE Data Act is a bill, not yet a law. It must pass the full House and the Senate and be signed by the President. Previous federal privacy bills have failed to clear this path, and significant opposition from both privacy advocates who consider it too weak and industry groups who consider it too burdensome could stall progress. The preemption debate alone has killed earlier proposals.
In the meantime, your privacy protection depends on the tools and services available to you today. Regardless of whether the SECURE Data Act passes, data brokers are actively collecting and selling your personal information across hundreds of sites right now.
PrivacyOn removes your data from 100+ data broker sites and runs 24/7 continuous monitoring to catch and re-remove listings as they reappear. With dark web monitoring, family plans for up to 5 people, and pricing starting at just $8.33/month, PrivacyOn provides the comprehensive, hands-off protection that no single law -- federal or state -- can guarantee on its own. Privacy legislation sets the floor. Active monitoring and removal keep your data off the market.