The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act — the SECURE Data Act — arrived in discussion draft form on April 22, 2026, from the House Energy and Commerce Committee. A companion draft followed from the House Financial Services Committee in mid-May. Taken together, they represent the most serious legislative attempt at comprehensive federal privacy law since COPPA passed in 1998.
The bill establishes a federal consumer rights framework, creates a national data broker registry at the Federal Trade Commission, and — most consequentially — would preempt more than twenty state privacy laws the moment it takes effect. That preemption provision is the bill’s defining feature, and the one most likely to determine whether it passes, fails, or is significantly rewritten before it ever reaches a floor vote.
For compliance teams currently operating multi-state privacy programs that span California, Colorado, Virginia, Connecticut, Texas, and a growing list of others, the SECURE Data Act raises immediate questions about resource allocation, program architecture, and what “monitoring the situation” actually requires right now. This analysis addresses each of those questions in turn.
What the Bill Actually Does
The SECURE Data Act establishes a federal floor for consumer data rights. Companies covered by the law must allow consumers to access the data held about them, correct inaccurate information, delete their data in most circumstances, and port their data to another service. Consumers also gain an opt-out right for targeted advertising and data sales.
Coverage thresholds matter here. The bill applies to entities that process personal data of 200,000 or more consumers annually and generate at least $25 million in annual revenue. It also covers entities that process data from 100,000 or more consumers where at least 25 percent of revenue derives from selling personal data. Companies below both thresholds are exempt — a carve-out that will exclude a large share of small businesses but leave most mid-size and large enterprises firmly within scope.
The rights themselves track closely with what most state comprehensive privacy laws already require. Access, correction, deletion, and portability are now table stakes across the state landscape. The opt-out mechanisms for targeted advertising and data sales similarly echo CCPA and its successors. From a substantive rights perspective, there is nothing in the SECURE Data Act that would surprise a compliance professional already maintaining a mature multi-state program. The rights are real, but they are not novel.
What is novel — or at least more developed than anything the states have done — is the national data broker registry, which is addressed separately below.
The Preemption Question: Federal Floor or State Ceiling?
The SECURE Data Act’s preemption provision would supersede all state laws that relate to the data practices the bill covers. That language, depending on how courts ultimately interpret it, could reach not just the general comprehensive privacy statutes but also sector-specific state laws touching data collection and processing.
The operative debate has two clearly staked positions, and compliance teams need to understand both before they can assess the legislative risk.
The industry and Republican position holds that twenty-plus separate state privacy regimes impose enormous and largely redundant compliance costs on businesses operating nationally. These costs are not illusory. A company with customers in California, Colorado, Virginia, Connecticut, Texas, Montana, Iowa, Indiana, Tennessee, Oregon, Delaware, Florida, New Jersey, New Hampshire, Maryland, Minnesota, Kentucky, Nebraska, Rhode Island, and the growing list of states expected to follow in 2026 and 2027 must maintain separate consent infrastructure, data subject request workflows, privacy notice requirements, and audit trails tuned to the specific requirements of each jurisdiction. The patchwork is real, and the compliance overhead is substantial. A federal standard that harmonizes these requirements would reduce compliance costs across the economy and make it easier for smaller businesses to operate nationally without a dedicated privacy team for each state’s idiosyncrasies.
The California and consumer advocate position holds that federal preemption does not harmonize standards — it flattens them. California’s CCPA, as amended by CPRA, is materially stronger than what the SECURE Data Act proposes. The SECURE Data Act has no private right of action; CPRA has a limited one for security breach cases. California’s law includes specific obligations around sensitive data categories, children’s data, automated decision-making, and dark patterns that the federal draft does not replicate with the same precision. Colorado’s comprehensive law and Connecticut’s act similarly include enforcement provisions and rights architecture that exceed the federal floor in meaningful ways. For those states, preemption is not harmonization — it is a rollback dressed in the language of simplification.
California’s Attorney General has already signaled opposition. The California Privacy Protection Agency, created by CPRA, would be substantially defanged if a federal law preempted CPRA, because the CPPA’s rulemaking authority would have no operative state law to implement. That is not a hypothetical concern; it is a structural consequence of preemption.
The honest answer is that both positions contain valid claims. The patchwork compliance burden is real. The rollback risk is also real. Which concern prevails in the final legislative text will depend on whether the final bill lifts the federal floor to match or exceed California’s standards — and whether private enforcement is included.
State-by-State: Who Loses Ground and Who Gains
The states where consumers and businesses would experience the most significant change under the SECURE Data Act fall into three categories.
States that lose ground. California is the obvious case. CPRA’s private right of action for security breaches — limited as it is — disappears under a federal preemption regime that routes all enforcement through the FTC. California’s dark pattern prohibitions, its specific automated decision-making disclosure requirements, and the CPPA’s ongoing rulemaking authority on sensitive data would all be superseded. Colorado and Connecticut similarly have enforcement provisions and rights architecture that the federal bill does not replicate. These are not marginal differences. For consumers in these states, preemption under the current federal draft would reduce their legal rights.
States where the federal floor represents an improvement. Several states have enacted privacy laws with weaker consumer rights or higher applicability thresholds. States with laws that primarily address data sales without granting a full suite of subject access rights would see their residents gain meaningful new protections under the federal bill. Similarly, states that have not yet enacted any comprehensive privacy law — and there are still several — would see federal protections applied to their residents for the first time.
States where the change is lateral. Virginia’s CDPA, the model on which many subsequent state laws were built, aligns closely enough with the SECURE Data Act framework that the substantive consumer experience would be similar. The primary change in Virginia would be enforcement channel — state AG authority replaced by FTC primacy.
For compliance teams, the state-by-state analysis matters because any transition from a multi-state program to a single federal standard will require mapping current obligations against the federal requirements to identify both gaps to fill and obligations to sunset. That mapping exercise takes months, and it cannot wait until the day of enactment.
The Data Broker Registry: Genuinely New Territory
The provision establishing a national data broker registry at the FTC deserves more attention than it has received in most early coverage of the bill.
State data broker laws exist — Vermont was the first in 2018, California’s Delete Act followed, and a handful of other states have registration requirements. But these laws are fragmented, use different definitions of “data broker,” impose different fee structures, and create different disclosure obligations. There is no uniform federal registry, and the FTC currently has no systematic authority to require data brokers to identify themselves.
The SECURE Data Act’s registry provision would require entities that meet the data broker definition — which generally covers companies whose primary business involves collecting and selling personal data about individuals with whom they have no direct relationship — to register with the FTC, disclose their data collection and sales practices, and comply with the consumer deletion rights that the bill establishes for the broader data ecosystem.
This is the area where the SECURE Data Act breaks genuinely new ground at the federal level. The FTC has brought enforcement actions against data brokers under its Section 5 authority, but those cases have been reactive and fact-specific. A proactive registration regime would give the Commission, researchers, and journalists a structured view of the data broker ecosystem for the first time.
The practical compliance implication for data brokers is significant. Companies currently operating with registration obligations only in Vermont, California, and a small number of other states would face a federal registration requirement that brings FTC scrutiny and public disclosure. For companies that have deliberately avoided states with registration requirements by limiting certain business activities, the federal registry closes that option.
For companies that use data broker services — purchasing consumer data for marketing, analytics, or lead generation — the registry creates a new due diligence obligation. If your vendors appear on the federal registry, their data practices are now disclosed and the relationship carries regulatory visibility it did not have before.
Enforcement Without Private Rights: The FTC’s Expanded Role and Its Limitations
The SECURE Data Act designates the FTC as its primary enforcer. The Commission would have rulemaking authority to implement the law’s requirements, investigation authority to examine compliance, and civil penalty authority when violations are found.
What the bill does not include is a private right of action. Individuals harmed by violations of the SECURE Data Act cannot sue the company that violated their data rights directly. Their only avenue is to file a complaint with the FTC and hope the Commission has the resources and prioritization to pursue it.
This is a significant weakening of enforcement compared to what California has enacted. CPRA’s private right of action is narrow — it applies specifically to security breaches involving certain sensitive data categories, not to all CPRA violations — but it exists. It has produced settlements and class actions that create direct financial accountability for companies that fail to protect consumer data. The SECURE Data Act’s exclusive reliance on FTC enforcement eliminates that mechanism nationally.
The comparison to GDPR is instructive. The General Data Protection Regulation created individual rights that are directly enforceable by data subjects through supervisory authorities and, in many member states, through civil litigation. The GDPR also created the supervisory authority framework that makes enforcement consistent across the EU’s single market — a model the SECURE Data Act does not replicate, because it routes all enforcement through a single federal agency rather than creating a dedicated data protection authority.
The FTC’s current resources are not calibrated for comprehensive national privacy enforcement. The Commission handles a wide mandate covering consumer protection across the entire economy, antitrust oversight, merger review, and numerous other areas. Adding primary enforcement responsibility for a comprehensive federal privacy law without a corresponding resource expansion would create a significant capacity gap. Industry knows this, and it is one reason the absence of a private right of action is attractive to businesses supporting the bill — the effective enforcement rate under an FTC-only model will be substantially lower than under a regime that includes private litigation.
Consumer advocates and state AGs have made this argument explicitly, and they are not wrong. The point for compliance teams is not whether to exploit the enforcement gap; it is that companies operating in good faith should not calibrate their programs to the probability of enforcement. The legal obligations are the obligations regardless of how often they are enforced.
Legislative Outlook: Why This Time Might Be Different, and Why It Might Not
Federal comprehensive privacy legislation has failed repeatedly over the past decade. The American Data Privacy and Protection Act (ADPPA) passed the House Energy and Commerce Committee in 2022 with bipartisan support before dying over — predictably — California’s objection to preemption and the private right of action. The SECURE Data Act arrives in a different political moment, but with the same core tensions unresolved.
Factors favoring passage. House Republicans control the agenda, and there is genuine business community pressure for a federal standard. The current administration has been less deferential to state regulatory authority than its predecessor, and the political appetite for reducing regulatory burden on business aligns with the federal preemption approach. The Senate landscape is more complicated, but the existence of a companion bill from the House Financial Services Committee signals coordination between committees — a structural improvement over previous attempts where competing jurisdictional claims between committees delayed action indefinitely.
Factors against passage. The preemption provision remains the principal obstacle. Democratic Senators from California, Connecticut, Colorado, and other states with robust privacy laws are unlikely to vote for a bill that strips those protections. The filibuster means sixty Senate votes are required in the absence of reconciliation, and a privacy bill does not fit the reconciliation process. The absence of a private right of action will make the bill unacceptable to the consumer advocacy coalition that could otherwise support a comprehensive federal framework. These are structural barriers, not tactical ones.
The more realistic scenario may be that the SECURE Data Act in its current form does not pass as written, but that the markup process produces a revised draft with a narrower preemption provision — one that preempts state laws only to the extent they impose conflicting, not merely additional, requirements — and some limited private right of action. That version would be more passable in the Senate and would represent a more defensible balance between federal harmonization and state-level protection.
Compliance teams should not assume either full passage or failure. The range of outcomes includes the current bill, a substantially amended bill, and no bill. Each outcome has different compliance implications, and programs need to be built to adapt to any of them.
What Compliance Teams Should Do Right Now
The SECURE Data Act is in discussion draft and markup phase. It has not passed either chamber, and it may not pass in its current form. The question for compliance leadership is not “should we dismantle our multi-state program?” — the answer to that question is unambiguously no — but rather “how do we build our program to handle the range of possible outcomes?”
Do not dismantle state compliance programs. This should require no elaboration, but the discussion around the SECURE Data Act has already generated premature talk of consolidating multi-state programs down to a single federal standard. That consolidation is not warranted, and any executive who acts on it before enactment is creating legal exposure without getting any of the cost savings they anticipate. State laws remain in full force until the moment of federal preemption, if it ever comes. CCPA fines are real. CPRA enforcement by the CPPA is active. Dismantling compliance infrastructure before preemption takes effect is straightforwardly imprudent.
Map your current program against the SECURE Data Act framework. Even if the bill does not pass, this mapping exercise has value. The SECURE Data Act articulates a reasonable baseline of consumer rights that aligns with where federal law will eventually land. Understanding where your current program already meets or exceeds the federal draft — and where it falls short — prepares you for the transition regardless of timing. Document that mapping now, while state laws are in effect, so you understand the delta between your current obligations and the potential federal floor.
Identify your data broker relationships. The registry provision is the least anticipated operational challenge. Companies that purchase data from third parties for any purpose — marketing, analytics, risk scoring, identity verification — need to audit those relationships now. When a federal registry is established, your vendors will appear on it. Your due diligence obligations around those relationships will be visible. Any contractual representations your vendors have made about their data practices will be tested against their registry disclosures. Audit those relationships before the registry forces the issue.
Participate in the markup process. The House Energy and Commerce Committee is actively soliciting input on the discussion draft. If your organization is large enough to have government affairs capacity or trade association representation, this is the moment to engage. The preemption provision’s scope, the private right of action question, and the data broker registry’s definitional boundaries are all still open for influence. Organizations that wait for a final bill lose the ability to shape those definitions.
Brief your board. The SECURE Data Act is a material legislative development that affects data governance strategy. If privacy compliance is a board-level concern at your organization — and at any company with significant consumer data operations, it should be — the board needs to understand that federal legislation may substantially change the compliance landscape within the next twelve to twenty-four months, depending on how the legislative process unfolds. That briefing should also make clear that action is premature and that the organization is monitoring developments rather than reacting to them.
Prepare for a phased transition scenario. If the SECURE Data Act passes, there will be an effective date and a transition period. The ADPPA in 2022 proposed an eighteen-month transition period; the SECURE Data Act’s current draft does not yet specify one. But a transition period exists in virtually every major privacy law enactment, and the window is rarely as long as organizations want. Companies that have done the mapping work, audited their data broker relationships, and identified gaps against the federal framework will be positioned to execute a transition efficiently. Companies that wait for enactment to begin that work will spend their transition period catching up.
Conclusion
The SECURE Data Act is not yet law, and there are legitimate reasons to doubt it will pass in its current form. But it represents the most serious federal comprehensive privacy effort in nearly three decades, and the structural conversation it has opened — about preemption, enforcement, data broker accountability, and the appropriate federal role in consumer data protection — will not close even if this particular bill fails.
The preemption debate is not simply a legal technicality. It determines whether the United States ends up with a genuine national standard that protects all Americans consistently, or a federal floor that is weaker than the protections California, Colorado, and Connecticut residents already have. That distinction matters for individuals. It also matters for compliance programs, because a genuinely protective federal standard creates a stable, durable compliance obligation, while a weaker one that leaves strong states dissatisfied creates pressure for renewed state action and continued patchwork.
For compliance professionals navigating this period, the discipline required is exactly the discipline that good compliance work always demands: monitor carefully, act deliberately, build programs that can adapt, and never dismantle protections before you have to. The SECURE Data Act will either reshape the compliance landscape or fail and leave it intact. Either way, the program you have built to navigate the current state patchwork is the right program for the moment. Treat this as a planning horizon, not a fire drill.
This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations.



