After years of stalled negotiations, false starts, and political gridlock, Congress is once again attempting to pass a comprehensive federal privacy law. The latest effort—the SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act)—has been positioned as a “reset” for federal privacy legislation. But for privacy professionals, regulators, and anyone paying close attention to enforcement trends, the reality is far less encouraging.
At a high level, the SECURE Data Act attempts to create a unified national standard for data privacy, replacing the fragmented state-by-state patchwork that currently defines the U.S. landscape. While that goal has merit, the execution raises serious concerns. The bill largely mirrors the weakest elements of existing state laws, preempts stronger protections, and—perhaps most critically—fails to include a private right of action.
In short, it risks becoming exactly what many critics fear: a lowest-common-denominator privacy law that prioritizes uniformity over meaningful protection.
What the SECURE Data Act Actually Does
On paper, the SECURE Data Act looks familiar. It adopts a framework that privacy professionals will immediately recognize from state laws like those of Virginia, Colorado, and Utah.
The bill includes baseline consumer rights:
- Access to personal data
- Correction of inaccurate data
- Deletion rights
- Data portability
- Opt-out rights for targeted advertising, data sales, and certain profiling
It also introduces standard controller and processor obligations, requires opt-in consent for sensitive data, and establishes enforcement through the Federal Trade Commission and state attorneys general.
From a structural standpoint, this is not groundbreaking. In fact, it largely codifies what has already become the de facto U.S. privacy baseline, as more than 20 states have implemented similar rights frameworks.
That is precisely the problem.
A Federal Law That Recycles State-Level Weaknesses
Rather than raising the bar, the SECURE Data Act effectively locks in the current U.S. approach—an approach that has been widely criticized for its reliance on consumer opt-outs instead of meaningful data restrictions.
The bill’s data minimization requirement is particularly illustrative. It requires companies to limit data collection to what is disclosed in their privacy policies. In practice, this is largely meaningless. Companies already operate under similar obligations through FTC enforcement tied to deceptive practices.
This creates a circular standard:
If a company discloses broad data collection practices, it can continue collecting broadly.
That is not data minimization. It is disclosure-based permission.
Contrast this with more aggressive frameworks—such as elements of the GDPR or emerging state laws—that impose affirmative limits on what data can be collected in the first place. The SECURE Data Act avoids that entirely.
The Preemption Problem: Undermining Stronger State Laws
One of the most controversial aspects of the bill is its preemption clause. The SECURE Data Act would override existing state privacy laws, including those that provide stronger protections.
This is not a theoretical concern. States like California, Maryland, and Washington have moved toward stricter requirements around:
- Data minimization
- Sensitive data protections
- Restrictions on location tracking and biometrics
- Recognition of universal opt-out signals
By replacing these frameworks with a weaker federal standard, the SECURE Data Act risks rolling back progress that states have spent years developing.
For businesses, this may simplify compliance. But for consumers, it represents a net loss in protection.
The Most Critical Flaw: No Private Right of Action
If there is one issue that defines the SECURE Data Act’s shortcomings, it is the absence of a private right of action.
Under the bill, enforcement authority is limited to:
- The Federal Trade Commission
- State attorneys general
Consumers themselves cannot bring lawsuits for violations.
This is a fundamental weakness.
In practice, regulatory enforcement is limited by resources, political priorities, and agency bandwidth. Without a private right of action, companies face significantly reduced litigation risk—particularly in areas like:
- Improper data sharing
- Tracking technologies and pixel litigation
- Failure to honor opt-out requests
Compare this to laws like the California Consumer Privacy Act (CCPA), which—while limited—does provide a private right of action for certain violations. Or consider the explosion of litigation under statutes like CIPA, where private enforcement has become a primary driver of compliance behavior.
The SECURE Data Act removes that pressure entirely.
No private right of action means no real deterrent.
Comparing the SECURE Data Act to Prior Federal Privacy Bills
The American Data Privacy and Protection Act (ADPPA) – 2022
The ADPPA represented the closest the U.S. has come to passing a comprehensive federal privacy law. It included several provisions that the SECURE Data Act notably lacks:
- Stronger data minimization requirements
- A limited private right of action
- More robust protections for sensitive data
- Greater accountability mechanisms
While ADPPA ultimately failed due to disagreements over preemption and enforcement, it at least attempted to strike a balance between industry concerns and consumer protection.
By comparison, the SECURE Data Act shifts that balance decisively toward industry.
The American Privacy Rights Act (APRA) – 2024
The APRA was another ambitious attempt to move federal privacy legislation forward. It expanded on ADPPA concepts and introduced:
- Enhanced transparency obligations
- Stronger enforcement mechanisms
- Continued debate around private litigation rights
However, like its predecessor, it failed to gain sufficient traction to pass.
The SECURE Data Act appears to be a reaction to these failures—but instead of refining stronger proposals, it retreats to a more industry-friendly baseline.
Earlier Efforts and the Long History of Failure
Federal privacy legislation has been attempted for over a decade, dating back to early proposals in the 2010s. Each attempt has stalled over the same core issues:
- Preemption of state laws
- Private right of action
- Scope of data minimization
The SECURE Data Act does not resolve these tensions. It sidesteps them—largely by weakening the provisions that have historically caused disagreement.
Why This Matters in the Age of AI
The timing of this bill is particularly concerning given the rapid rise of artificial intelligence.
AI systems are fundamentally data-driven. They rely on:
- Massive datasets for training
- Continuous data ingestion for optimization
- Behavioral tracking for personalization
Weak privacy laws create a permissive environment for these practices.
At the same time, global regulators are moving in the opposite direction. The EU AI Act, for example, imposes strict requirements on high-risk AI systems, including:
- Data governance controls
- Transparency obligations
- Human oversight requirements
- Risk management frameworks
In contrast, the SECURE Data Act does little to address AI-specific risks. It does not meaningfully regulate:
- AI training data practices
- Algorithmic decision-making transparency
- Profiling at scale
This creates a growing gap between U.S. and international standards—one that privacy professionals will need to navigate carefully.
The Business Reality: Easier Compliance, Higher Risk
From a corporate perspective, the SECURE Data Act offers clear advantages:
- A single national standard
- Reduced complexity compared to state laws
- Lower litigation exposure
But these benefits come with trade-offs.
A weaker federal standard does not eliminate risk—it shifts it:
- Increased scrutiny from regulators and advocacy groups
- Continued exposure under state laws not fully preempted
- Heightened reputational risk as consumer expectations evolve
More importantly, it may create a false sense of compliance.
Organizations that align solely with the SECURE Data Act could find themselves underprepared for:
- International regulations (GDPR, AI Act)
- Future federal reforms
- Litigation under alternative legal theories
A Missed Opportunity (AGAIN)
The SECURE Data Act had the potential to finally establish a meaningful federal privacy framework. Instead, it represents a compromise that prioritizes political feasibility over substantive protection.
It standardizes—but does not strengthen.
It simplifies—but does not modernize.
And most critically, it enforces—but does not empower.
For privacy professionals, the takeaway is clear:
This bill is not the finish line. It is another step in an ongoing—and unfinished—debate.
Until federal legislation includes stronger data minimization, meaningful enforcement mechanisms, and a private right of action, the U.S. will continue to lag behind global privacy standards.
And organizations that want to stay ahead of risk will need to build their programs accordingly—not to the lowest bar, but to the highest one.