The SECURE Data Privacy Bill Is Worth Reading, Even If It Dies

May 22, 2026, 8:29 AM UTC

Federal privacy legislation has spent a decade stuck in the same loop: A bill drops, a hearing happens, the draft stalls, and companies go back to stitching compliance programs across the patchwork of state laws. What we’re left with is a quilt stitched by 20 different hands with no two squares quite lining up.

Into that frayed picture comes the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, or SECURE Data Act, introduced last month by Rep. John Joyce (R-Pa.). It may follow the same script as the bills before it, but the operational reality has already shifted in a direction that rewards preparation over patience.

The question is no longer whether a federal privacy law will emerge, but when and in what form. Privacy programs were once designed to respond to individual laws; increasingly, they have to be built to withstand change. Companies that prepare for a federal framework will be ready when Congress finally is. The ones that wait will be the ones rebuilding under deadline.

A patchwork approaching its limits. The strain of the current system is no secret. Each new state law arrives with its own definitions, consumer rights, and enforcement mechanisms, and privacy teams have spent years reconciling them. The whole exercise rests on a bet that fragmentation will continue.

The SECURE Data Act breaks that assumption. Its strong preemption language, which would moot any state law that “relates to” its requirements, combined with a one-to-two-year effective date, means organizations will need to revisit privacy programs they have spent five years assembling.

Additionally, the bill draws largely from the Washington-state model that Virginia adopted and Kentucky refined, preserving baseline rights to access, correct, delete, and port personal data and to opt out of sales, targeted advertising, and consequential profiling. Programs heavily indexed to obligations specific to California, Colorado, or Texas will need a hard second look; the controls and contracts baked into them reflect choices a national standard may render redundant or wrong. Compliance maturity, in this scenario, becomes a liability.

Preemption is an operational question. Preemption is a budget question dressed up as a legal one. If the SECURE Data Act’s “relates to” language holds, companies can consolidate the patchwork of policies, contracts, and workflows they have built across more than 20 states into one framework.

If the language narrows in the committee process, state and federal programs could run in parallel for the foreseeable future. Either outcome demands the same preparation of companies: a map of which parts of their current privacy programs are state-specific and which are portable, so their teams know what moves and what must be rebuilt.

Who enforces it, and who has to comply. The SECURE Data Act would let the Federal Trade Commission and state attorneys general bring enforcement actions, but it wouldn’t let consumers sue companies directly. That tracks with how most state privacy laws already work and removes one of the biggest fights from previous federal proposals. The trade-off: Everything depends on how aggressively the FTC writes rules and which cases state attorneys general bring, and those two groups haven’t always pulled in the same direction.

The more immediate question for most companies is whether the law would apply to them at all. The bill covers any business that handles the personal data of more than 200,000 US consumers in a year, unless the company earns less than $25 million in annual revenue. A separate rule sweeps in data brokers: companies that handle data on more than 100,000 consumers and earn at least a quarter of their revenue from selling personal information.

That 200,000-consumer line is lower than it sounds. Adjusted for state population, it’s broader than every state trigger except Texas and Nebraska. Plenty of mid-sized businesses that have stayed below state thresholds would suddenly be in scope.

Right now, privacy enforcement is split among state attorneys general, regulators, and the courts, creating a fragmented and sometimes unpredictable risk landscape. A federal law could simplify that, or it could just add another layer on top. Which one happens depends almost entirely on how the FTC uses its new authority and whether state attorneys general coordinate with it or compete with it.

Watch the gaps, not just the text. Some of the most consequential points to pay attention to are what the bill leaves out. The draft contains no Data Protection Impact Assessment requirements, no express treatment of automated decision-making or artificial intelligence beyond a narrow opt-out from fully automated profiling, and no requirement to honor universal opt-out mechanisms. It instead tasks the Secretary of Commerce with studying opt-out signals and reporting within three years.

If strong preemption holds, companies may lose state-level DPIA and AI analysis obligations without inheriting federal replacements. Separately, the bill treats data on teens younger than 16 years old as sensitive and requires verified parental consent, expanding upon the requirement laid out by the Children’s Online Privacy Protection Act by three years. Any business touching teen users should start scoping that work now.

What to do now. Even with the bill newly introduced, four moves are worth starting this quarter.

Audit program dependencies. Identify where state-specific requirements sit in templates, workflows, vendor contracts, and training materials, so a pivot is a rewrite of pieces, not the whole document.

Refresh data flows. As with international expansion, knowing your data flows is often the difference between a manageable transition and a disruptive one.

Pressure-test the 200,000 threshold. Companies outside state regimes may still cross the SECURE Data Act’s coverage line, and in-scope companies should verify whether the data-seller or sensitive-data rules capture processing they treat as routine.

Treat privacy as strategic. Organizations that frame privacy as strategic rather than reactive will have the advantage when the next markup lands or the next deal requires a clean data story.

Watch the framework, not the vote. Whether the SECURE Data Act passes is the wrong question to focus on. The American Privacy Rights Act died in committee last year. The American Data Privacy and Protection Act died the year before. The SECURE Data Act may well join them, and the same coverage thresholds, preemption fights, and teen-sensitivity standards will reappear in whatever bill comes next.

Each draft is less a discrete proposal than the latest iteration of a converging template, and that template is what compliance teams should be reading. Betting on whether any single bill clears Congress is a coin flip; betting that the underlying framework will keep narrowing toward consensus is closer to a sure thing.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Alexandra Sumner is chief privacy officer and corporate counsel for Microhealth, an international medical device company.
