For the past decade, federal privacy legislation in the United States has been a graveyard of good intentions. Bills get introduced, hearings happen, lobbyists descend, and nothing passes. The American Data Privacy and Protection Act (ADPPA) came close in 2022 before dying in the Senate. The cycle repeats.

On April 22, 2026, House Republicans tried again — this time with the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or the SECURE Data Act. Introduced by Rep. John Joyce (R-PA) with backing from the Chairs of the House Energy and Commerce Committee and the House Financial Services Committee, this bill is the most substantive federal privacy push since ADPPA. And unlike some of its predecessors, it has real teeth — and a preemption clause that has privacy advocates deeply divided.

What the SECURE Data Act Would Do

The bill establishes a national consumer data privacy framework, applying to any business that:

  • Conducts business in the U.S.
  • Processes or sells personal data of U.S. residents
  • And either processes data of over 200,000 consumers annually with at least $25 million in gross revenue, or processes data of 100,000+ consumers and derives at least 25% of gross revenue from selling personal data

In plain English: large platforms, data brokers, ad tech companies, and most consumer-facing tech businesses are in scope. Small businesses and nonprofits largely are not.

Consumer Rights Under the Bill

The SECURE Data Act would grant Americans four core rights:

1. Right of Access — You can request a copy of what a company holds on you.

2. Right of Correction — You can demand that inaccurate personal data be corrected.

3. Right of Deletion — You can request that your data be erased.

4. Right to Opt Out — You can opt out of the sale of your personal data, targeted advertising, and certain profiling activities.

These rights mirror what Californians already have under CCPA and what Europeans have under GDPR — but extended to every American regardless of which state they live in.

Sensitive Data and Teens

The bill gives special treatment to sensitive categories: biometric identifiers, health data, financial data, precise geolocation, and — notably — personal data of anyone under 16. Teens’ data would be classified as sensitive, requiring opt-in parental consent rather than just an opt-out option. This is a meaningful distinction. Most state laws treat teen data as just another category with opt-out rights; requiring opt-in flips the default.

Enforcement: FTC and State AGs

The SECURE Data Act would empower two enforcement bodies:

  • The FTC as the primary federal enforcer
  • State attorneys general as concurrent enforcers

Critically, there is no private right of action in the current draft. You cannot sue a company yourself for violating your data rights under this law. You have to wait for regulators to act. This is a major limitation — and a deliberate one, given business community opposition to litigation risk.

The Preemption Problem

Here is where the SECURE Data Act gets complicated — and where the privacy community is most divided.

The bill includes broad preemption language, rendering invalid any state law that “relates to” its provisions. If enacted as drafted, it would preempt:

  • California’s CCPA/CPRA (widely considered the strongest state privacy law in the country)
  • Virginia’s CDPA
  • Colorado’s Privacy Act
  • All 20 state comprehensive privacy laws currently in effect
  • State data broker registries
  • Potentially some sectoral state laws

Supporters argue this creates certainty. Businesses currently face a patchwork of 20 different state regimes with varying thresholds, rights, and enforcement mechanisms. A single national standard reduces compliance costs and confusion.

Critics argue it’s a race to the bottom — the federal bill’s protections are weaker than California’s in several key ways, including the lack of a private right of action and narrower enforcement powers. If the SECURE Data Act passes and preempts California’s law, California residents would actually lose rights they currently have.

The ACLU, EFF, and many state attorneys general have flagged this concern. California’s AG has been particularly vocal, arguing that federal preemption would strip millions of Californians of rights they’ve had since 2018.

What’s Exempted

The bill explicitly carves out several categories, meaning those areas would not be covered:

  • HIPAA-covered entities and data — healthcare providers and their data remain under HIPAA
  • GLBA-covered entities — financial institutions remain under Gramm-Leach-Bliley
  • Institutions of higher education
  • Nonprofits
  • Employee data and B2B representative data — data exchanged in commercial contexts between businesses

This is a narrower scope than GDPR, which covers nearly all personal data of EU residents regardless of context. U.S. privacy law has always used a sectoral approach, and the SECURE Data Act continues that tradition.

Timeline and What Happens Next

The bill as introduced is a discussion draft — a starting point for negotiation, not a finished product. If enacted, provisions would go into effect within one to two years of passage to give businesses time to build compliance programs.

The committee markup process is the next key step. That’s where amendments get added, preemption language gets negotiated, and the private right of action debate resurfaces. Past federal privacy bills have died in markup; this one needs to survive that gauntlet.

Watch for three pressure points:

1. Preemption: California and other states with strong laws will fight hard against provisions that roll back their laws. Any bill with broad preemption faces an uphill battle in the Senate.

2. Private Right of Action: Civil society organizations and plaintiff attorneys will push to add one. Business groups will fight to keep it out.

3. Teen Protections: The opt-in consent requirement for under-16s is genuinely strong. Whether it survives lobbying from ad-dependent platforms remains to be seen.

Why This Matters Now

The U.S. has spent the better part of a decade watching states fill the vacuum left by federal inaction. Twenty states now have comprehensive privacy laws on the books — each with different thresholds, rights, and enforcement mechanisms. That patchwork is becoming genuinely unmanageable, both for businesses trying to comply and for consumers trying to understand what rights they actually have.

The SECURE Data Act represents a real attempt at resolution. Its consumer rights provisions are meaningful. Its teen protections are among the strongest proposed at the federal level. Its FTC and state AG enforcement structure is more robust than many past proposals.

But preemption cuts both ways. A federal floor is valuable. A federal ceiling — one that locks out stronger state protections and eliminates private rights of action — would be a significant step backward for American privacy rights.

The next few months of committee deliberations will determine which version wins.