Why the SECURE Data Act Falls Short as Consumer Privacy Legislation

When lawmakers introduced the SECURE Data Act in late 2023, it was billed as a federal solution to America's patchwork of state privacy laws. But a closer look reveals a proposal that not only fails to strengthen protections but actually rolls back progress made at the state level. This article examines the bill's key provisions, its troubling preemption clause, and why privacy advocates consider it a step in the wrong direction.

Key Provisions and Their Limitations

The SECURE Data Act grants consumers several familiar rights over their personal information, including the ability to access, correct, delete, and port data. These rights have become standard in modern privacy frameworks. However, the bill's implementation contains significant weak points that limit their effectiveness.

Consumer Rights Without Real Empowerment

Consumers would gain the right to see what data companies hold about them, fix inaccuracies, request deletion, and transfer their data to another service. While these provisions mirror those found in laws like the GDPR and California's CCPA, the bill does not provide a mechanism for individuals to enforce these rights in court. Without a private right of action, violations would rely solely on Federal Trade Commission enforcement—an agency already stretched thin.

Consent and Opt-Out Mechanisms

The bill requires companies to obtain explicit consent before processing sensitive data (such as health information or biometrics) or using personal data for a previously undisclosed purpose. That sounds positive, but the opt-out provisions for other invasive practices are far weaker. Consumers can opt out of third-party targeted advertising, the sale of their personal data, and profiling that affects legal, healthcare, housing, or employment decisions. However, the default setting allows companies to continue these practices until an individual actively opts out. Many privacy experts argue that opt-in systems are necessary to truly protect consumer privacy, especially given how rarely people navigate complex privacy settings.

Data Broker Registration

One relatively bright spot is the requirement that data brokers—companies generating at least 50% of their revenue from selling personal data—must register in a public database maintained by the FTC. This transparency measure could help consumers identify which businesses are trading in their information. Still, the threshold is high enough that many smaller data dealers could escape oversight.

Preemption: A Major Threat to State Protections

Perhaps the most contentious aspect of the SECURE Data Act is its preemption clause in Section 15. The language would invalidate any state law that "relates to the provisions of this Act"—an extremely broad sweep. This would wipe out more than 20 state consumer privacy laws enacted in recent years, including California's comprehensive CCPA and CPRA. While those state laws are not perfect—advocates agree they could be stronger—they include important features absent from the federal bill, such as California's data broker deletion tool and mandatory recognition of automatic opt-out signals (like the Global Privacy Control built into EFF's Privacy Badger).

Federal privacy laws have traditionally set a floor, allowing states to build stronger protections on top. For example, the Health Insurance Portability and Accountability Act (HIPAA), the Video Privacy Protection Act (VPPA), and the Electronic Communications Privacy Act (ECPA) all permit states to enact more stringent rules. The SECURE Data Act would break this model, creating a ceiling rather than a floor—and that ceiling sits lower than existing protections in many states.

Absence of Private Right of Action and Other Flaws

The bill does not allow consumers to sue companies that violate their privacy rights. This means that even if your data is mishandled, you cannot take a company to court. Enforcement rests entirely with the FTC and state attorneys general, a system that historically struggles to keep pace with widespread violations. Without the threat of individual lawsuits, companies have less incentive to comply.

Beyond the private right of action, the bill suffers from additional shortcomings:

• Weak opt-out defaults: As mentioned, consumers must proactively opt out of invasive practices. Studies show that defaults have an enormous impact on behavior; opt-in systems lead to far more privacy protection.
• Inadequate data minimization: The bill does not require companies to collect only the data necessary for a specific purpose. Instead, it allows broad collection as long as companies disclose their practices—a disclosure that few users read or understand.
• Large definitional loopholes: The bill's definitions of terms like "personal data" and "sensitive data" contain carve-outs that exempt common data practices, reducing overall protection.
• No ban on behavioral advertising: The core business model of many tech giants—online behavioral advertising—is left untouched. This practice drives the relentless collection of personal information, and the bill offers no meaningful restriction.

Conclusion: A Step Backward

The SECURE Data Act, despite its name, does not deliver real security or privacy for consumers. By preempting stronger state laws, eliminating the private right of action, and maintaining weak default protections, it represents a retreat from existing safeguards. Privacy advocates argue that any federal privacy law should serve as a floor, not a ceiling—and should empower individuals, not just regulators. Until Congress crafts a bill that genuinely protects consumers, state-level efforts remain the best hope for meaningful data privacy.