SECURE Data Act: A Step Backwards for U.S. Privacy?
A newly proposed federal privacy bill, the **SECURE Data Act**, is drawing criticism for potentially weakening existing state-level privacy protections. Critics argue that the bill's preemption clauses and lack of a private right of action could leave consumers more vulnerable.
The federal [SECURE Data Act](https://d1dth6e84htgma.cloudfront.net/SECURE_Data_Act_for_introduction_7c80a347ac.pdf) is under scrutiny for its potential impact on consumer privacy. Concerns are rising that the bill, if enacted, would represent a significant retreat from current, albeit insufficient, state-level protections.
Republicans on the [House Energy and Commerce Committee](https://energycommerce.house.gov/posts/committees-on-energy-and-commerce-and-financial-services-introduce-pair-of-privacy-bills-to-establish-comprehensive-data-protections-for-all-americans) introduced the draft legislation late last month without bipartisan consensus. Critics argue the bill is weaker than previous congressional proposals and many of the [21 state consumer privacy laws](https://iapp.org/resources/article/us-state-privacy-legislation-tracker) already in effect.
### Preemption Concerns
A major point of contention is the bill's potential to preempt numerous state privacy laws. Section 15 of the bill would preempt any "law, rule, regulation, requirement, standard, or other provision [that] relates to the provisions of this Act." This could effectively nullify the existing consumer privacy laws in 21 states. For example, California maintains a [data broker deletion tool](https://privacy.ca.gov/drop/) and requires companies to comply with [automatic opt-out signals](https://www.eff.org/gpc-privacy-badger), including one that is built into **EFF's** [Privacy Badger](https://privacybadger.org/#What-is-Global-Privacy-Control).
Because the SECURE Data Act has provisions that relate to data privacy and security, it could preempt [all 50 state data breach laws](https://www.ncsl.org/technology-and-communication/security-breach-notification-laws) and [many others](https://www.congress.gov/crs-product/R48667). It could also preempt state laws related to specific pieces of sensitive data, like bans on the sale of [biometric](https://www.ilga.gov/Legislation/ILCS/Articles?ActID=3004&ChapterID=57) or [location](https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/privacy-law-faqs-for-consumers/) information. Some [states like California](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CONS&sectionNum=SECTION%201.&article=I) have constitutional provisions that protect an individual's right to privacy, which can be enforced [against companies](https://btlj.org/wp-content/uploads/2025/01/39-2_Ozer.pdf). That constitutional provision, as well as [state privacy torts](https://scholarship.law.bu.edu/faculty_scholarship/628/), could also be in danger if this bill passed.
### Lack of Private Right of Action
Another significant concern is the absence of a private right of action, which would allow individuals to sue companies for privacy violations. Critics argue that this omission undermines the bill's effectiveness, as regulatory agencies may lack the resources to enforce compliance comprehensively.
Instead, the **FTC**, along with state attorneys general, would have primary enforcement authority. The law also gives companies 45 days to "cure" any violation with no penalty after they are caught.
### Weak Privacy Defaults and Data Minimization
The bill is also criticized for its weak privacy defaults, placing the onus on consumers to opt out of invasive data practices. While the bill requires consent for processing sensitive data, critics argue this could lead to manipulative consent requests.
Section 3 of the bill uses the term "data minimization," but it is done in name only. The provision does not limit a company's processing of data to only what is necessary to provide the customer with the good or service they asked for. Instead, the provision limits processing of data to only what a company "disclosed to the customer," meaning if it is in the confusing privacy policy that nobody reads, it is okay.
And the bill would not even allow you to restrict certain uses of your data. As companies seek more data for AI systems, many internet users do not want their private personal data to be used to train those models. However, the bill makes clear that "nothing in this Act may be construed to restrict" a company from collecting, using, or retaining your data to "develop" or "improve" a new technology.
### Other Concerns
* **Government contractors**: Under Section 13(b)(2), government contractors are exempt from the bill, which could be wrongly interpreted to exempt certain data brokers from sale restrictions when those sales are made to the government. This type of exemption could benefit surveillance companies like **Clearview AI**, which