What it is: A House Republican bill that would create a national privacy law, preempt state laws, and put the FTC in the enforcement seat.
Why it matters: A narrower “sale” definition and broad pseudonymous-data carveout would shrink opt-out obligations across digital advertising. Teens under 16 become subject to COPPA’s consent rules. A new code-of-conduct framework could change how compliance gets evidenced.
Will it pass? Probably not this Congress, but it’s serious enough to track, not dismiss.
If you’ve been working in privacy compliance for any length of time, you’ve seen this movie before. Congress floats a comprehensive federal privacy bill, it generates buzz, and then it quietly fades away. Remember the American Data Privacy and Protection Act of 2022 and the American Privacy Rights Act of 2024? Both failed to get across the finish line.
Now House Republicans have introduced a bill entitled the SECURE Data Act (the “Bill”), and the first question many compliance professionals are asking is: Is this one any different?
The short answer is yes and no. The SECURE Data Act is a serious attempt at a national privacy framework, and in some ways, it is more aligned with the existing US state privacy laws than prior federal efforts. But it also enters the same political environment that has defeated earlier bills, and some of its more business-friendly features are likely to become points of controversy.
You can read the full text here.
What the Bill is trying to do
At a high level, the SECURE Data Act would create a national comprehensive privacy law and preempt state privacy laws with a single federal standard. Enforcement would primarily sit with the FTC, while state attorneys general are authorized to bring civil enforcement actions under the Bill in federal district courts.
The structure of the Bill will look familiar to anyone who already works with state privacy laws. It includes consumer rights to access, correct, delete, and port personal data, as well as rights to opt out of targeted advertising and the sale of personal data. It also includes controller and processor obligations, data minimization rules, restrictions on secondary uses, sensitive data consent requirements, data broker registration, and privacy notice obligations.
In other words, this is not a brand-new compliance model. It is mostly a federal remix of concepts from state comprehensive privacy laws that businesses already know.
Where the Bill is notably different
The most important thing about the SECURE Data Act is that it does not simply copy the current state-law trend. In several places, it takes a meaningfully narrower approach than laws like the CCPA, CPA, or CTDPA.
First, the Bill defines “sale” narrowly. It applies only to exchanges of personal data for monetary consideration. That is a much tighter definition than the “monetary or other valuable consideration” standard used in California and many other states. For companies in ad tech and digital marketing, that matters a lot because many common data-sharing arrangements would no longer fall within the definition of “sale.”
Second, the Bill appears to create a broad carveout for pseudonymous data. Consumer rights, such as opt-outs, do not apply to pseudonymous data when the controller can demonstrate that identifying information is kept separately and protected by appropriate measures. Because a large share of digital advertising relies on pseudonymous identifiers, this could substantially narrow the real-world reach of opt-out rights.
Third, the Bill does not require businesses to honor universal opt-out mechanisms such as Global Privacy Control. Instead, it calls for a study on whether such a requirement is feasible. That puts it behind a number of state laws that already require recognition of universal opt-out signals.
Fourth, the Bill does not require data protection assessments or privacy impact assessments. That’s a major departure from the direction of state law, especially in California and Colorado.
Why the pseudonymous data issue matters so much
The pseudonymous data provision may be the single most consequential feature of the Bill.
In practice, much of the data used for advertising, measurement, attribution, and frequency capping is handled in pseudonymous form. If that data sits outside the consumer rights framework, then the Bill could narrow opt-out obligations much more than its headline rights language would suggest.
That issue could become a major battleground if the Bill advances. Critics will argue that the Bill gives consumers formal rights with one hand while taking away much of their practical effect with the other. Supporters, meanwhile, are likely to argue that the provision reflects how modern advertising and analytics ecosystems actually operate and that it avoids overregulating lower-risk data uses.
Sensitive data and COPPA-style parental consent for teen data
While more permissive in some areas, the Bill gets much stricter when it comes to younger users.
Like many state laws (with California as a notable exception), it requires consent before processing sensitive data. But it goes further by treating the personal data of teens ages 13 to 15 as sensitive data and requiring verifiable parental consent to process it. That effectively extends a COPPA-style parental consent model to all consumers under the age of 16.
However, unlike COPPA’s “actual knowledge” standard for general audience sites, the Bill does not include a clear knowledge qualifier for teen status. Without changes, this requirement creates challenges for businesses and a strong incentive to consider age assurance, age screening, or reduced personalization for younger users. This could end up being one of the most disruptive parts of the Bill.
Codes of conduct could become a real compliance tool
One of the more interesting features of the Bill is its voluntary code-of-conduct framework.
The Bill would allow controllers, processors, and industry groups to submit proposed codes of conduct to the Secretary of Commerce. If approved and properly administered, compliance with a code of conduct would create a rebuttable presumption of compliance with the portions of the Bill that the code addresses.
If the Bill moves forward, businesses may need tools not just for rights management and notice updates, but also for certification support, control mapping, audit readiness, and evidence collection tied to approved codes of conduct.
While the code-of-conduct framework offers benefits, it is not without risks. Participants must publicly certify their compliance, which may expose a company to FTC scrutiny if it claims adherence without actually meeting the standard.
Preemption is broad, but not simple
The Bill clearly aims to displace the state privacy patchwork. Its preemption clause is written broadly and would almost certainly wipe out comprehensive state privacy laws to the extent they cover the same territory.
But preemption questions will not end there. Politically, the preemption approach will be opposed by states that already have stronger privacy laws and are building enforcement capabilities. California, in particular, has invested considerable resources into its privacy enforcement infrastructure and has already criticized the Bill.
Substantively, it remains unclear if the preemption clause applies to subject-specific state laws such as biometric privacy statutes, health privacy laws, or state wiretap laws that are materially different in scope.
Other practical points for businesses
A few other features of the Bill stand out from an operational perspective:
- It includes a data broker registration regime, but one lighter than California’s Delete Act model.
- It takes a relatively light-touch approach to data security, focusing on reasonable administrative, technical, and physical safeguards.
- It does not harmonize state data breach notification laws, so that patchwork of 50 states isn’t going anywhere.
- It preserves a role for state attorneys general, but under a federally coordinated enforcement structure. No private right of action is contemplated.
- It includes a 45-day cure period before FTC or state enforcement can proceed.
The effective dates also matter. Consumer rights, data security, and data broker provisions would take effect one year after enactment, while most other provisions would take effect two years after enactment.
What this means for privacy compliance teams
For businesses already living under state privacy laws, the SECURE Data Act would not mean starting from scratch. Most companies with mature privacy programs would recognize the basic architecture immediately.
But the Bill could still force some important recalibration. Businesses would need to revisit how they classify pseudonymous data, how they assess “sale” activity, how they manage teen data, and whether they want to align with future codes of conduct. Companies operating in digital advertising, publishing, ad-supported apps, and data brokerage would need to pay especially close attention.
The real question: is this Bill likely to fail, too?
The current political environment does not favor its passage in the near term. Its pro-business approach will draw criticism from many of the states, and from candidates in those states, whose privacy laws are more stringent than the Bill.
However, the SECURE Data Act is more than a messaging bill. It is detailed, structured, and clearly designed to appeal to businesses that want a national standard and less exposure to divergent state rules. The strong preemption clause, promotion of self-regulatory codes of conduct, and carve-out for pseudonymous data all hint at strong lobbying efforts behind the Bill.
So the safest read right now is this: the Bill matters, and it is worth tracking closely, but no one should assume that federal privacy legislation has suddenly become easy. Congress has produced serious privacy bills before. The SECURE Data Act may prove more durable than ADPPA or APRA, but it still has to survive the same legislative gauntlet that stopped the bills before it.