“Hey Rocky, Watch Me Pull a Rabbit Out of My Hat!” Is This the Year the Federal Government Passes Comprehensive Privacy Legislation?
Every few years, Congress reaches into the same battered top hat and promises to pull out a comprehensive federal privacy law. Sometimes it produces a discussion draft. Sometimes it produces a bipartisan framework. Sometimes it produces hearings, press releases, stakeholder letters, and a great deal of well-catered concern. What it has not yet produced is a national privacy law.
The latest rabbit is the SECURE Data Act, formally the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, H.R. 8413, 119th Cong. (discussion draft Apr. 21, 2026). Released by House Republicans on April 22, 2026, the bill is designed to establish a national framework for consumer privacy rights and personal data protection. The House Energy and Commerce Committee described it as a national privacy and data security standard creating consumer rights, business obligations, FTC enforcement, state attorney general enforcement, data minimization, sensitive-data consent, data security duties, and a national data broker registry.
So, is this the year Congress finally passes comprehensive privacy legislation? Probably not in its current form. But the bill matters anyway.
The SECURE Data Act would apply to entities subject to the Federal Trade Commission Act, 15 U.S.C. §§ 41–58, and common carriers subject to Title II of the Communications Act of 1934, 47 U.S.C. §§ 201–276, if they conduct business in the United States, offer products or services to U.S. residents, or process or sell U.S. residents’ personal data, and meet either of two thresholds. The first threshold captures entities that collect and process personal data of more than 200,000 consumers annually and have an annual gross revenue of at least $25 million. The second captures entities that collect and process personal data of at least 100,000 consumers annually and derive at least 25% of annual gross revenue from selling personal data. SECURE Data Act § 13(a).
That scope is broad, but not universal. The bill exempts government entities, processors acting on behalf of government entities, GLBA financial institutions, HIPAA covered entities and business associates, nonprofits, certain anti-fraud nonprofits, and institutions of higher education. SECURE Data Act § 13(b). In other words, like much of American privacy law, the bill begins with a claim of comprehensiveness and then immediately resumes the national habit of carving out regulated sectors.
Substantively, the SECURE Data Act borrows the familiar architecture of state consumer privacy laws. Consumers would receive rights to confirm processing, access personal data, correct inaccuracies, delete personal data, obtain portable copies of data they provided, and opt out of targeted advertising, sale of personal data, and certain profiling used for decisions having legal or similarly significant effects. SECURE Data Act § 2(a). Controllers would need consent before processing sensitive data, and parental consent would be required for teens’ sensitive data. SECURE Data Act § 2(b).
The bill also imposes a data minimization obligation, but a narrower one than California’s. A controller must limit collection to what is “adequate, relevant, and reasonably necessary” for disclosed processing purposes, and may not process personal data for materially incompatible secondary purposes without consent. SECURE Data Act § 3(a)–(b). It requires privacy notices disclosing categories of personal data processed, purposes of processing, consumer rights, categories of personal data shared with other controllers or government entities, and whether personal data is transferred to, processed in, stored in, or sold to a “covered nation.” SECURE Data Act § 3(g).
The data broker provisions are politically important. Data brokers would have to comply with minimization, disclosure, and security obligations, register with the FTC, and provide information about privacy and data security practices and the personal data they sell. The FTC would then operate a searchable public data broker registry. That sounds substantial, but it is weaker than California’s Delete Act approach because it does not create California’s centralized deletion mechanism for consumer requests across registered data brokers.
That is where California enters the story. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100–1798.199.100, is not merely a privacy notice statute. It imposes data minimization, purpose limitation, retention limitation, opt-out rights, sensitive personal information limits, contractual requirements, and enforcement by the California Privacy Protection Agency. California also enacted the Delete Act, Cal. Civ. Code §§ 1798.99.80–1798.99.89, requiring a mechanism for consumers to request deletion across registered data brokers.
The California Privacy Protection Agency opposes the SECURE Data Act because its preemption clause would preempt state laws “relat[ing] to the provisions” of the Act. SECURE Data Act § 15. CPPA argues that this would strip away protections available to more than 100 million Americans, eliminate or weaken universal opt-out rights, undermine California’s data broker deletion mechanism, reduce data broker disclosure obligations, allow more friction in consent mechanisms, cap free privacy requests, weaken minimization, omit retention limits, narrow sensitive-data coverage, and omit risk assessments. California Privacy Protection Agency, Letter re H.R. 8413, SECURE Data Act 1–6 (Apr. 27, 2026).
That is the core political problem. Industry wants one national rule. California wants a federal floor, not a federal ceiling. Privacy advocates generally agree with California. EFF called the bill weaker than prior congressional proposals and weaker than most existing state privacy laws. EPIC similarly argued that the bill is not a strong federal privacy law. EPIC, America Needs a Strong Privacy Law.
GDPR Lite?
Compared to the GDPR, the SECURE Data Act is much less ambitious. Regulation (EU) 2016/679, General Data Protection Regulation, 2016 O.J. (L 119) 1, is built around lawful bases for processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability, data protection impact assessments, privacy by design, processor-controller contracting, cross-border transfer restrictions, supervisory authorities, and administrative fines of up to €20 million or 4 percent of worldwide annual turnover. The SECURE Data Act instead follows the American consumer-rights model: notice, access, deletion, correction, portability, opt-out, consent for sensitive data, data security, and government enforcement.
That does not make the SECURE Data Act meaningless. It would be the most significant general federal privacy statute in U.S. history. It would create national rights where many consumers currently have none. It would bring common carriers under FTC privacy enforcement for these purposes. It would create a federal data broker registry. It would impose a general data security obligation. It would require some sensitive-data consent. It would create a uniform compliance baseline for national companies.
But what it does not do is just as important. It does not create a GDPR-style comprehensive data protection authority. It does not appear to create a private right of action. It does not preserve stronger state privacy laws as a floor. It does not fully replicate California’s global data broker deletion mechanism. It does not appear to impose California-style retention limitation. It does not require universal opt-out mechanisms immediately; instead, it calls for a study. It does not adopt GDPR-level accountability obligations or penalty architecture. It does not solve all sectoral fragmentation because it exempts or preserves major regimes including GLBA, HIPAA, FCRA, FERPA, and other federal privacy statutes.
The enforcement structure is also comparatively restrained. A violation would be treated as a violation of an FTC rule defining unfair or deceptive acts or practices under Section 18 of the FTC Act, 15 U.S.C. § 57a. The FTC would enforce the statute, and state attorneys general could sue in federal court as parens patriae to enjoin violations, enforce compliance, and obtain damages, restitution, or other compensation. SECURE Data Act § 12. But the bill includes a cure mechanism: neither the FTC nor a state attorney general may initiate an action until the covered entity has notice and an opportunity to cure.
The effective dates also matter. If enacted, most of the Act would take effect two years after enactment, but the consumer rights provisions, data security section, and data broker section would take effect one year after enactment. SECURE Data Act § 18.
So, will it pass?
The better answer is that the bill is a serious marker, not yet a likely final statute. The bill departs significantly from previous bipartisan efforts, includes broad preemption, and deepens divides on key issues, making bipartisan agreement difficult. Prior privacy efforts have repeatedly stalled over state-law preemption and enforcement, the same fault lines embedded in this bill.
The practical advice for companies is not to wait for Bullwinkle’s rabbit. Build privacy programs around the highest common denominator now. That means mapping personal data, honoring access, deletion, correction, portability, opt-out, and sensitive-data rights, implementing purpose limitation and retention controls, recognizing universal opt-out signals where required, preparing for data broker registration obligations, documenting security controls, and treating California, Colorado, Connecticut, Virginia, Utah, and the growing state-law patchwork as operational reality rather than temporary inconvenience.
The SECURE Data Act may not be the rabbit Congress finally pulls from the hat. It may be another springtime rehearsal. But the trick is getting closer. The question is not whether the United States will eventually have a federal privacy law. The question is whether that law will be a floor that raises privacy protection nationally, or a ceiling that knocks California and the other states back into the hat.