The States Won’t Go Quietly: Why Attorneys General Are Declaring War on the SECURE Data Act

House Republicans want a single federal privacy standard. The officials who actually enforce state privacy law have a different word for it: preemption.

The push for a comprehensive federal privacy law in the United States is older than most of the state privacy statutes it would now seek to replace. For years, the argument for federal legislation was that the country needed a unified national standard to cut through the patchwork of state laws creating compliance complexity for businesses and inconsistent protections for consumers. It was a reasonable argument — in theory.

In practice, something different happened. Congress didn’t act. States did. Twenty-one states have now enacted comprehensive privacy laws, built out by legislatures, shaped by enforcement experience, and — critically — championed by the attorneys general who are responsible for making them work. And now that a federal framework has arrived, in the form of the SECURE Data Act introduced by House Republicans last month, the officials who spent years building that state-level infrastructure are not inclined to watch it get dismantled.

The collision that’s coming is about more than jurisdictional turf. It’s about what a federal privacy floor actually means for consumers — and whether a baseline that was designed to be achievable at the federal level is the right ceiling for states that have already gone further.

What the SECURE Data Act Would Do

The SECURE Data Act establishes a national privacy framework — baseline protections for data collection, use, and sharing that would apply across the country. On paper, that sounds like progress. Many of its provisions mirror requirements already found in state laws: limits on data collection, requirements for privacy notices, and some consumer rights around access and deletion.

The problem is the preemption clause. The bill would override state privacy provisions that go beyond what the federal framework establishes. That means states with stronger protections — more expansive consumer rights, broader enforcement tools, overlapping AI and social media regulations — would see those protections effectively nullified for any conduct the federal law covers.

In states like Connecticut, that is not a minor adjustment. Connecticut’s privacy law includes a universal opt-out mechanism, giving consumers a streamlined way to opt out of the sale and sharing of their data across all covered companies at once, without having to navigate each company’s individual opt-out process separately. The SECURE Data Act does not require this. Under the bill’s preemption structure, Connecticut could not require it either.

Connecticut Attorney General William Tong, who also serves as president of the National Association of Attorneys General, has called the bill “a disaster” for his state. “It purports to preempt and utterly gut state laws like the ones passed by Connecticut,” he said. “Ours are robust, and we’re seeking to make them even more robust.”

The States as Privacy Laboratories

The framing that state attorneys general are invoking — and that several decades of federalism doctrine support — is that states function as laboratories for policy innovation. When federal action is slow or absent, states experiment. Some experiments fail. Many succeed and become models for others. The network of state privacy laws that now covers a significant portion of the U.S. population was built exactly this way.

“What we really have seen is that the federal legislature has not been able to come to decisions about what privacy compliance has looked like, so the states have moved forward with that,” noted Daniel Goldberg, a partner at Frankfurt Kurnit Klein & Selz. The state laws that federal lawmakers are now citing as models for the SECURE Data Act are, in several cases, already more protective than the federal bill those lawmakers are proposing.

That’s the core irony of the current moment: the federal legislation is being partially justified by the success of state experimentation, while simultaneously proposing to prevent further state experimentation from occurring. States with strong laws become the baseline justification; states with stronger aspirations become the collateral damage.

New Mexico Attorney General Raúl Torrez put it directly: “States have long served as laboratories for consumer protection, and New Mexicans should not be denied stronger protections because Congress chose the lowest common denominator.”

What Attorneys General Can Actually Do About It

The National Association of Attorneys General has signaled it will actively oppose the bill. Tong said the attorney general community will “deploy all of our resources to try to protect data privacy laws in our states and to protect data that belongs to citizens.”

That resource deployment takes several forms. Attorneys general advise legislatures on enforcement authority, submit draft legislation, testify before legislative bodies, and lobby for changes to federal law. Several are expected to make the case directly in Washington. California’s Privacy Protection Agency — which enforces the CCPA — is already urging Congress to reconsider and has officials heading to the capital to lobby against the proposal.

Beyond political opposition, there are legal options if the bill passes. Preemption litigation is a well-worn path when states believe federal law has overreached. The strength of any such challenge would depend on the specific preemption language in the final statute, the scope of the federal regulatory scheme, and whether courts find that states retain authority over particular aspects of privacy regulation that Congress hasn’t fully occupied. None of that is simple, and outcomes would be uncertain. But given how fiercely states have defended their regulatory authority in other technology-adjacent domains — Connecticut recently sent cease-and-desist letters to prediction market operators despite federal warnings, triggering a CFTC lawsuit — the willingness to litigate is clearly there.

The AI and Social Media Dimension

The stakes of the preemption fight extend beyond general consumer privacy. Many state privacy laws include provisions specifically addressing AI systems, automated decision-making, and social media platforms. These are areas where the pace of harm is outrunning federal regulatory capacity and where states have moved aggressively to fill the gap.

Connecticut, notably, sent AI legislation to the governor’s desk this week — described by supporters as the nation’s most comprehensive AI bill — in explicit defiance of a Trump administration warning against state AI regulation. The SECURE Data Act’s preemption structure creates ambiguity about how a federal privacy framework would interact with state AI laws that address data practices as part of a broader AI governance mandate.

If the federal bill’s preemption language is read broadly — and opponents argue it would be — it could limit states’ ability to impose privacy-related requirements on AI systems that go beyond what the SECURE Data Act covers. At a moment when AI governance is still being actively developed at every level of government, locking in a federal ceiling on AI-related privacy protections would have significant and lasting consequences.

What If the SECURE Data Act Becomes Law?

The SECURE Data Act is a long way from becoming law. It has been introduced, not passed, and federal privacy legislation has a long history of stalling at various stages of the legislative process. ADPPA, the previous major attempt, cleared committee with bipartisan support and went nowhere. The SECURE Data Act faces similar dynamics.

But the legislative trajectory is worth watching — not just the outcome, but the evolution of the bill as it moves through Congress. The preemption provisions are the central point of conflict, and there is genuine political pressure to find language that addresses industry’s interest in a unified national standard while preserving meaningful state authority. Whether that balance is achievable is the question the legislative process will determine.

For compliance teams managing multi-state privacy obligations, the practical implications are significant either way. If the bill passes with broad preemption, organizations currently complying with stronger state requirements — California, Connecticut, Colorado — will need to reassess which obligations remain and which have been displaced. If the bill fails or passes with narrow preemption, the state law patchwork continues to expand, and the compliance infrastructure built around it remains in effect.

The one thing that seems unlikely is a clean resolution that makes everyone’s compliance picture simpler. Federal privacy legislation is genuinely difficult precisely because it requires reconciling interests — industry uniformity, consumer protection, state autonomy — that don’t naturally converge. The attorneys general lining up against the SECURE Data Act are, in part, ensuring that their states’ interests are not quietly traded away in the process of trying to find that convergence.

SECURE Data Act Vetoed

Twenty-one states built comprehensive privacy laws because Congress couldn’t agree on one. Those laws are now being enforced, amended, and extended — with attorneys general at the center of that process. A federal bill that treats those laws as a problem to be preempted rather than a foundation to be built on is going to face the full weight of that enforcement community pushing back.

Whether that pushback is enough to reshape the SECURE Data Act, defeat it, or lose to it is an open question. But the fight is real, the stakes are high, and compliance professionals should be paying close attention to how it unfolds.

A federal privacy law that weakens existing state protections is not the win for consumers that federal privacy legislation is supposed to be. And the attorneys general who built those protections — on both sides of the aisle — are making sure that point is heard before any vote is taken.
