The Electronic Privacy Information Center is urging Congress to reject the proposed Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, arguing that the federal privacy bill would weaken existing state privacy protections by broadly preempting state laws.
The SECURE Data Act has been promoted by House Republicans as an effort to create a national consumer privacy framework. Supporters argue that a federal standard would simplify compliance, reduce the growing patchwork of state privacy laws, and give consumers more consistent data rights across the country.
EPIC sees the bill differently. Ahead of a House Committee on Energy and Commerce hearing, EPIC Deputy Director Caitriona Fitzgerald warned that the proposal could override state privacy laws that already provide stronger consumer protections. According to MediaPost, Fitzgerald raised concerns that the bill could impact states’ “existing protections” and give companies a “permission slip” to sell sensitive personal information for profit.
Why the Preemption Fight Matters
The central dispute is preemption. A federal privacy law can either create a national floor, allowing states to enact stronger protections, or a national ceiling, blocking states from going further. Privacy advocates generally support a strong federal baseline but oppose federal legislation that wipes out stronger state laws.
That distinction matters because states have led much of the privacy law movement in the United States. California, Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Maryland, New Jersey, and other states have enacted consumer privacy laws with different rules around sensitive data, targeted advertising, opt-out rights, data minimization, and enforcement.
If Congress passes a federal privacy bill with broad preemption and weaker protections than leading state laws, businesses may gain more uniformity, but consumers could lose rights they already have under state law.
Business Compliance Could Become Simpler, But Not Necessarily Safer
For businesses, a single federal standard may sound appealing. Multi-state privacy compliance is difficult. Companies must track different definitions of sensitive data, consumer rights processes, opt-out obligations, data protection assessments, universal opt-out signals, children’s privacy rules, and enforcement deadlines.
But uniformity is not the same as risk reduction. If a federal law lowers the standard in key areas, companies may still face consumer trust issues, state attorney general scrutiny, litigation risk, contractual pressure, and reputational exposure. A weaker national law could also create confusion if courts, regulators, and states challenge the scope of preemption.
This is why companies should not wait for Congress to settle the issue before improving their privacy programs. Whether the SECURE Data Act advances or stalls, businesses still need operational privacy controls that work in practice. That includes cookie scanning, consent management, privacy notice updates, opt-out workflows, data inventory, vendor oversight, and documentation.
What Companies Should Watch Next
The SECURE Data Act enters a crowded and politically difficult debate. Federal privacy legislation has repeatedly stalled over two major issues: whether individuals should have a private right of action and whether federal law should override state privacy laws.
Those same issues are likely to define the current debate. Business groups may support federal uniformity, while privacy advocates and some state officials are likely to resist any bill that displaces stronger state laws without replacing them with equally strong protections.
For compliance teams, the practical takeaway is straightforward: keep watching Congress, but keep building for today’s state privacy obligations. Companies should assume the privacy patchwork remains active until a federal law is actually enacted and its preemptive effect is clear.
Captain Compliance helps businesses manage that uncertainty by supporting website privacy compliance, consent management, cookie scanning, privacy notice automation, and opt-out workflows across evolving state and federal privacy requirements.
