SECURE Data Act: Congress Introduces New Federal Privacy Framework


Congress is making a fresh start on comprehensive federal privacy legislation, with the recent introduction of the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act). The new legislation builds on roughly eight years of state legislative activity and federal work toward harmonizing the fragmented U.S. data privacy law landscape to create a nationwide standard. There appears to be strong interest in the bill, creating momentum that could carry it through the legislative process.

Background and Development of the SECURE Data Act

The SECURE Data Act is the product of an effort led by the House Committee on Energy and Commerce Privacy Working Group (Working Group), which was tasked with evaluating privacy frameworks adopted in over 20 states, reviewing stakeholder input, and identifying areas of common ground. The Working Group was created to "reset the discussion on comprehensive data privacy," according to lawmakers, "taking wide ranging input from stakeholders and crafting a consensus bill that protects the privacy and security of Americans' personal data. The SECURE Data Act is the result."

According to the sponsors, the proposal reflects lessons learned from nearly a decade of state legislative activity and is designed to build on areas of alignment that have emerged among state laws rather than introduce an entirely new regulatory model.

Key Provisions of the Proposed Federal Privacy Law

The SECURE Data Act would establish a preemptive national standard that aligns with many existing state privacy requirements, while containing a few unique provisions of its own. The core provisions include:

  • Applicability. In general, the SECURE Data Act would apply to entities that conduct business in the United States, offer products or services to U.S. residents, or process or sell personal data of U.S. residents and meet certain thresholds of data processing volumes. As with many state consumer privacy laws, the bill would not apply to nonprofit entities.
  • Consumer Rights. The bill adopts a familiar consumer rights-based approach consistent with those under state privacy laws, including rights to know, access, correct, delete, and obtain a portable copy of personal data, as well as to opt out of certain processing activities, such as targeted advertising and data sales.
  • Data Minimization. The bill would impose data minimization requirements tied to the purposes disclosed to consumers, requiring covered entities to limit data collection to what is adequate, relevant, and reasonably necessary to the disclosed purposes and to obtain consent for other non-disclosed secondary uses. This approach mirrors common data minimization principles under state laws.
  • Consent for Sensitive Data Processing. The bill would require affirmative consent before processing sensitive data, which includes, for example, race/ethnicity, health information, precise geolocation, and personal data collected from a child (under 13) or teen (13-15).
  • New Requirements for Teen Data. In addition to requiring parental consent for children's data in accordance with the Children's Online Privacy Protection Act (COPPA), the bill also seeks to establish a similar parental consent standard for personal data collected from teens.
  • National Data Broker Registry. The SECURE Data Act would create a national data broker registry that requires data brokers to publicly register with the Federal Trade Commission (FTC) and provide disclosures regarding their data practices. The bill would define a "data broker" as a controller that (1) collects and processes personal data concerning a consumer who is not a client of or a user of a product or service provided by the controller; and (2) derives at least 50% of its annual gross revenue from personal data sales.
  • Regulatory Enforcement. The bill would entrust enforcement to the FTC and state attorneys general. The bill also would establish a 45-day cure period. As is generally the case under all state privacy laws, the SECURE Data Act would not provide consumers a private right of action.
  • Preemption. The SECURE Data Act would create a single federal standard and preempt state laws that "relate" to the bill's provisions, while preserving many of the existing federal sectoral privacy laws.

What This Means for Businesses

The SECURE Data Act represents renewed momentum toward a comprehensive federal privacy framework grounded in widely adopted state law concepts, transforming years of state-level policymaking into a cohesive national approach applicable to all individuals in the country.

Companies should continue to monitor the legislative process. If you have questions about this development and what it could mean for your organization, please reach out to Venable's Privacy and Data Security Group for assistance.