What the SECURE Data Act Would Change — and Why Patchwork Is the Problem It Solves
The United States currently has no comprehensive federal privacy law. What it has instead is a proliferating patchwork: as of May 2026, 20 states have enacted comprehensive privacy statutes with varying definitions, thresholds, consumer rights portfolios, and enforcement mechanisms. A mid-sized e-commerce company that collects data from users across all 50 states must comply with California’s CCPA (as amended by CPRA), Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Texas’s TDPSA, and 15 additional state frameworks — each with different effective dates, different definitions of “sensitive data,” different revenue thresholds for applicability, and different cure periods before enforcement.
The SECURE Data Act — the Strengthening and Establishing Consumer Unified Rights for Electronic Data Act — was introduced on April 22, 2026 by members of the House Energy and Commerce Committee. It attempts to resolve this fragmentation through two mechanisms: a single federal standard applicable across all 50 states, and express preemption of all inconsistent state comprehensive privacy laws.
The strategic logic is straightforward: companies will have one compliance regime to implement instead of 20. The political debate is over whether that single standard should be stronger or weaker than what California, Colorado, and Connecticut have already enacted — and whether eliminating state privacy laws removes the laboratories-of-democracy pressure that has driven federal action.
The Four Core Obligations Every Covered Business Must Meet
The SECURE Data Act applies to any entity that: (a) collects, processes, or transfers personal data of more than 200,000 consumers annually, OR (b) collects data for more than 50,000 consumers and derives 25% or more of annual revenue from selling or sharing personal data, OR (c) has annual gross revenue of $25 million or more and collects any personal data. Small businesses below all three thresholds are explicitly excluded.
1. Data Minimization: Collect Only What You Need for a Stated Purpose
The bill mandates that covered businesses collect, process, and retain personal data only to the extent reasonably necessary for the specific, disclosed purposes for which consent was obtained. This is not a soft aspiration — the SECURE Act requires a written data processing policy that maps each data category to a legitimate purpose, with retention schedules for each category.
For businesses built on behavioral advertising models, this is the highest-friction obligation. If your current data architecture captures browsing history, location signals, purchase behavior, and cross-site tracking data with the stated purpose of “improving user experience,” the SECURE Act requires you to either (a) narrow your data collection to what demonstrably serves that stated purpose, or (b) obtain specific consent for each additional processing purpose. The FTC’s enforcement guidance, anticipated to follow within 18 months of enactment, is expected to take a skeptical view of broadly-worded purpose statements.
2. Universal Opt-Out from Targeted Advertising — Without Downgrading Service
Any consumer covered by the Act has the right to opt out of targeted advertising, the sale of their personal data to third parties, and automated profiling that produces legal or similarly significant effects. Critically, the SECURE Act prohibits service degradation as a consequence of exercising this right. A business cannot deny service, charge a higher price, or reduce functionality to consumers who opt out of data sale. This provision directly targets pay-to-privacy models — where companies offer a “premium” ad-free experience as a paid alternative to data collection — and permits such models only where the paid service is genuinely distinct.
3. Opt-In Consent for Sensitive Data Categories
For sensitive data — defined to include health and genetic data, financial account data, biometric identifiers, precise geolocation (within a 1,750-foot radius), data about children under 17, citizenship and immigration status, sexual orientation and gender identity, and social security numbers — the bill requires affirmative opt-in consent before collection or processing. The opt-in must be specific to the purpose: a blanket “I agree to terms” is insufficient.
This is a higher standard than most current state laws, which typically require opt-out (not opt-in) for sensitive data. Colorado is the primary exception — its CPA requires opt-in for sensitive data. The SECURE Act effectively nationalizes Colorado’s approach for this category.
4. FTC Enforcement with $20,000 Per Violation Penalty Structure
The bill assigns enforcement to the Federal Trade Commission. The FTC can bring civil actions with penalties of up to $20,000 per violation, per day of violation. State attorneys general can also bring enforcement actions within their states, but the SECURE Act caps state AG penalties at the same $20,000 per-violation level and requires states to notify the FTC before filing. There is no private right of action — individual consumers cannot sue companies directly under the SECURE Act, which is a significant departure from CCPA/CPRA and several state laws that include limited private rights of action.
The Preemption Calculus: What 20 State Laws Are at Stake
Express preemption is both the bill’s most significant feature and its most contested provision. The SECURE Act would preempt all state comprehensive privacy laws, including:
Laws with existing effective dates that would be superseded: California CCPA/CPRA (effective 2018/2023), Virginia CDPA (effective January 2023), Colorado CPA (July 2023), Connecticut CTDPA (July 2023), Utah UCPA (December 2023), Texas TDPSA (July 2024), Oregon (July 2024), Montana (October 2024), Indiana (January 2026), Kentucky (January 2026), Rhode Island (January 2026), and Arkansas (July 2026).
What preemption means in practice: A company that has already built CCPA compliance infrastructure — privacy notice templates, opt-out mechanisms, data subject request workflows, deletion pipelines — would see those obligations partially superseded by the federal standard. Where the SECURE Act is stronger than state law (opt-in for sensitive data in most states), state law disappears and the federal standard applies. Where the SECURE Act is weaker (no private right of action, compared to CCPA’s $100–$750 per incident for data breaches), state law disappears entirely.
The California carve-out debate: California’s privacy advocacy coalition has argued — consistently, since the first federal privacy bill proposals in 2019 — that federal law should set a floor, not a ceiling: states should be able to maintain stronger protections. The SECURE Act as introduced does not include this carve-out. Whether California’s congressional delegation succeeds in amending the bill to preserve state floors is the central legislative fight to watch.
Colorado fines as a benchmark: Colorado’s CPA enforcement has produced fines of $20,000 to $50,000 per violation in its first enforcement cycle — roughly aligned with the SECURE Act’s federal penalty scale, suggesting the drafters calibrated enforcement intensity to Colorado’s established track record.
What Global Businesses with US Operations Must Do Now
The SECURE Act is at the House Energy and Commerce Committee stage — not yet law. But legislative momentum is real: this is the furthest any comprehensive federal privacy bill has advanced since the failed American Data Privacy and Protection Act (ADPPA) in 2022. For businesses with US operations or US customer data, three actions are immediately valuable regardless of whether the bill passes in its current form:
1. Map Your State Privacy Compliance Obligations Against the Federal Draft
Conduct a gap analysis between your current state compliance posture and SECURE Act requirements. Focus particularly on: (a) whether your current consent mechanism for sensitive data is opt-in or opt-out — the SECURE Act requires opt-in, which many state-compliant programs do not currently implement; (b) whether your opt-out mechanism for targeted advertising meets the “universal” standard — meaning a single signal (Global Privacy Control or equivalent) must be honored across all your data processing systems; and (c) whether your retention schedules are documented per-data-category with mapped purposes, or rely on broadly-worded retention policies.
2. Audit Third-Party Data Sharing Arrangements for SECURE Act Alignment
The SECURE Act’s data minimization and opt-out requirements apply to data sale and data sharing with third parties. Businesses that share data with advertising technology platforms — DSPs, DMPs, identity resolution vendors, programmatic advertisers — must audit these arrangements against the bill’s consent framework. Many current data sharing arrangements that are permissible under state laws will require renegotiation or re-consent if the SECURE Act passes.
3. Model the Preemption Upside: One Compliance Regime Is a Cost Reduction
For companies currently maintaining compliance with 8 or more state privacy laws, the SECURE Act represents a significant operational cost reduction. Build the business case now: quantify current multi-state compliance spend (legal review, technical implementation, consent management platform licensing, data subject request fulfillment labor). A federal standard eliminates most of this redundancy. This analysis matters both for internal planning and for informing where your company should invest in lobbying for or against specific bill provisions.
Frequently Asked Questions
Does the SECURE Data Act apply to non-US companies that collect data from US consumers?
Yes: the SECURE Act uses an effects-based jurisdiction test. Any entity that collects, processes, or transfers personal data of US consumers is potentially covered, regardless of where the entity is incorporated or physically located. An Algerian app with US users that crosses the 200,000-consumer threshold would be a covered business. The FTC’s extraterritorial reach for unfair or deceptive practices is well-established — SECURE Act enforcement would follow the same precedent.
Will the SECURE Data Act eliminate California’s right to sue companies for data breaches?
For data breach cases where the breach involves data covered by the SECURE Act, the preemption provision would likely eliminate CCPA’s private right of action for breach claims. This is one of the most contested provisions: California’s privacy advocacy community argues this removes a significant deterrent against data security negligence. The bill’s sponsors argue that FTC enforcement and state AG actions provide adequate deterrent without the litigation cost and class-action risk associated with private rights of action. The final bill’s treatment of breach-specific private rights of action will be a major negotiation point.
What is Global Privacy Control and how does it relate to the SECURE Act’s opt-out requirement?
Global Privacy Control (GPC) is a browser-level signal that consumers can enable to automatically communicate opt-out preferences to every website they visit. California and Colorado already require businesses to honor GPC signals as equivalent to a consumer opt-out request. The SECURE Act’s universal opt-out provision is expected to require GPC compliance at the federal level — meaning any website or app operating under the SECURE Act must detect and honor GPC signals across all its data processing systems, including third-party advertising integrations. Implementing GPC compliance is typically a 2-4 week engineering task if you already have a consent management platform.
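As an added example (not code from the article or from any source it cites), the snippet below shows how a web backend can treat the GPC signal as the universal opt-out the FAQ describes: it detects the `Sec-GPC` request header, resolves it against a stored consent record, persists the opt-out so downstream systems that never see the browser request also honor it, and suppresses any integration that sells, shares, or targets ads. The header name and value follow the GPC specification; the integration catalogue, consent record fields, and request headers are constructed for illustration.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal server-side.
// Assumes a Node-style request where header names are lowercased; the GPC spec
// sends the header "Sec-GPC: 1" when the consumer has enabled the signal.
const GPC_HEADER = "sec-gpc";

// Constructed integration catalogue, tagged by whether each one sells/shares
// personal data or serves targeted ads (the activities the opt-out covers).
const INTEGRATIONS = [
  { name: "first-party-analytics", sharesData: false, targetedAds: false },
  { name: "dsp-retargeting-pixel", sharesData: true, targetedAds: true },
  { name: "identity-resolution-vendor", sharesData: true, targetedAds: false },
];

// True only for a well-formed opt-out signal; anything else counts as "no signal".
function hasGpcOptOut(headers) {
  const value = headers[GPC_HEADER];
  return typeof value === "string" && value.trim() === "1";
}

// Effective opt-out state. A GPC signal wins over a stored opt-in because it is
// the consumer's current instruction; a stored opt-out persists without a signal.
function resolveOptOut(headers, consentRecord) {
  if (hasGpcOptOut(headers)) return { optedOut: true, source: "gpc" };
  if (consentRecord && consentRecord.optedOutOfSale === true) {
    return { optedOut: true, source: "stored" };
  }
  return { optedOut: false, source: "none" };
}

// Persist a GPC-derived opt-out on the consumer's record so that systems which
// never see the browser request (batch exports, server-to-server ad feeds) honor it.
function recordOptOut(headers, consentRecord) {
  const record = Object.assign({}, consentRecord || {});
  if (hasGpcOptOut(headers)) {
    record.optedOutOfSale = true;
    record.optOutSource = "gpc";
  }
  return record;
}

// Names of integrations that may run for this request: opting out removes every
// integration that shares data or serves targeted ads, leaving first-party processing.
function allowedIntegrations(headers, consentRecord, integrations = INTEGRATIONS) {
  const { optedOut } = resolveOptOut(headers, consentRecord);
  return integrations
    .filter((i) => !optedOut || (!i.sharesData && !i.targetedAds))
    .map((i) => i.name);
}
```

The same resolved state should gate client-side tag loading as well, so that a consumer who enables GPC sees every third-party integration suppressed consistently.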
—
Sources & Further Reading
- SECURE Data Act Text and Committee Actions — House Energy and Commerce Committee
- State Privacy Law Tracker: 2026 Effective Dates — International Association of Privacy Professionals
- Colorado Attorney General Privacy Enforcement Actions — Colorado Department of Law
- ADPPA vs. SECURE Act: Federal Privacy Preemption Compared — Future of Privacy Forum
- Global Privacy Control Technical Specification — GPC.EFF.org