Digital Policy

House Republicans Introduce Weak SECURE Data Act on Privacy

House Energy & Commerce Committee Republicans have introduced the SECURE Data Act, a draft federal privacy bill that critics say represents a step backward in protecting consumer privacy.

The legislation largely mirrors weak privacy laws in states like Kentucky and Virginia, allowing companies to set much of their own data handling rules. The bill mainly relies on user consent through privacy policies, perpetuating the unrealistic expectation that consumers can fully understand and control complex data practices themselves.

Limited Privacy Protections and Broad Exemptions

The SECURE Data Act’s data minimization requirements only obligate companies to limit data collection to purposes disclosed in privacy policies—a standard that is already mandated under current federal and state laws. The bill does not prohibit manipulative design practices known as dark patterns, which can influence how users make privacy choices.

Several significant exemptions weaken the bill further. Data processing related to consumer-requested products or services and data used for internal research to develop or improve technology—activities often involving AI training—are excluded from regulation. Industry advocates sought to exclude these categories, which critics argue could render the bill ineffective.

Preemption of Stronger State Laws

The Act includes broad preemption clauses preventing states from enacting or enforcing privacy laws “related to the provisions” of the Act. This could block states like Maryland, Virginia, Oregon, California, Texas, and Illinois from maintaining tougher data privacy and civil rights protections.

Such sweeping preemption concerns privacy advocates, who point to the ongoing development of state laws that address biometric privacy and AI transparency, which are not covered or are explicitly undermined by this federal proposal.

Enforcement and Civil Rights Protections

The bill lacks a private right of action, removing an important enforcement mechanism that allows individuals to sue for privacy violations. Previous bipartisan privacy bills included limited private rights of action designed to balance enforcement with business concerns.

Moreover, the SECURE Data Act does not include meaningful civil rights protections related to data use. It simply reaffirms that illegal discrimination remains unlawful under existing laws but does not address how data and AI-driven decisions could perpetuate bias, a topic covered in earlier bipartisan proposals.

Why it matters

The SECURE Data Act’s approach risks entrenching inadequate privacy standards at the federal level and could stifle ongoing state-level innovations in data protection. Its broad exemptions, lack of private enforcement, and preemption clauses may undermine consumer privacy and allow continued discriminatory data practices amid increasing concerns about AI and data ethics.

Read more Digital Policy stories on Goka World News.

Sources

This article is based on reporting and publicly available information from the following source:

Nora Lindholm
About the editor

Nora Lindholm

Nora Lindholm Role: Digital Policy Editor Nora Lindholm writes about digital rights, online safety, data privacy, internet regulation, and technology policy. Her articles focus on how digital rules affect users, platforms, companies, and public institutions. She emphasizes official documents, clear sourcing, and balanced explanations.

View all posts by Nora Lindholm