On April 21, 2026, Republican lawmakers on the House Energy & Commerce Committee, including Congressman Brett Guthrie and Congressman John Joyce, M.D., Leader of the Energy and Commerce Data Privacy Working Group, introduced the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act”, the SECURE Data Act (the “Act”). The Act is designed to create a comprehensive nationwide framework governing consumer privacy and personal data protection in the United States. If enacted, the Act would significantly reshape the U.S. privacy landscape by establishing uniform consumer rights, clarifying obligations for businesses nationwide, and displacing much of the current state‑by‑state regime.
The House Financial Services Committee and the House Energy & Commerce Committee also recently announced a joint effort to promote the SECURE Act and the GUARD Financial Data Act “to provide Americans more control over their personal data, create a uniform national framework to promote competition, and improve consumer choice by increasing access to financial products and services for all Americans.” This legislation suggests a renewed interest by Congress in providing uniform and consistent rights across the U.S. rather than the current piecemeal approach.
Who’s Covered (and Who’s Not)
In general, the Act follows applicability formulas favored by comprehensive state privacy laws, which include revenue and data processing thresholds. Specifically, the Act would apply to persons subject to the Federal Trade Commission (“FTC”) Act, or common carriers subject to Title II of the Communications Act that:
- do business in the U.S. or offer products or services to U.S. residents, or
- process or sell the personal data of U.S. residents; and
- collect and process the personal data:
  - of more than 200,000 U.S. consumers per year[1] and have annual gross revenue of at least $25 million (subject to annual CPI adjustment), or
  - of at least 100,000 U.S. consumers per year[1] and earn at least 25% of their annual gross revenue from selling that personal data.
Also similar to existing state privacy laws, the Act would exempt several categories of entities and types of data regulated under other laws. For example, the Act would exempt governmental entities, certain processors acting for government entities, financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act (“HIPAA”) regulated entities, nonprofits, and institutions of higher education. The Act would also exempt specific types of data, including employment-related data, and various types of regulated data, such as public health data subject to HIPAA, information related to credit and creditworthiness, and data subject to the Family Educational Rights and Privacy Act (“FERPA”).
Consumer Rights
Under the Act, individuals acting “in an individual or household capacity,” rather than a commercial or employment capacity (“consumers”), would be entitled to a familiar and enforceable set of rights that have traditionally been provided under state privacy law regimes, including the right to:
- Access their personal data
- Correct inaccurate data
- Delete personal data
- Transfer data to another company (when technically feasible)
- Opt out of:
  - targeted advertising
  - the sale of personal data
  - automated decision‑making that has legal or similarly significant effects
Sensitive Data
The Act would also require a controller to obtain the consumer’s consent before processing Sensitive Data. “Sensitive Data” includes personal data revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data used to uniquely identify a person, personal data collected from a child or teen, and precise geolocation data.
If the controller is processing personal data from a child under 13, the controller must process sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998 (“COPPA”). For a teen (a minor between 13 and 16 years old), the controller may not process sensitive data without first obtaining verifiable consent from a parent, which echoes the same requirements found under COPPA.
Business Obligations
Controllers would have requirements similar to those generally set forth under the 20 comprehensive state privacy laws that have been enacted to date. Those include:
- Implementing data minimization;
- Prohibiting controllers from using personal data for secondary purposes without obtaining consumer consent;
- Requiring clear privacy notices explaining what data is collected, why, and with whom it is shared, which must be posted and available prior to the collection of personal data; and
- Prohibiting retaliation against consumers for exercising privacy rights.
The Act also introduces strict timelines to respond to privacy requests from consumers, introduces appeal processes consumers can use when their requests are denied or rejected, and imposes limits on when fees can be charged.
Processor Obligations
The Act would also extend obligations to persons who process personal data on behalf of a controller (“processors”), including:
- Following controller instructions;
- Assisting the controller in complying with its obligations, including complying with consumer rights requests and assisting in the controller’s data security obligations;
- Executing contracts with the controllers that set out instructions for processing, the nature and purpose of processing, the type of personal data involved, the duration of the processing, and the parties’ other rights and obligations, including the obligation to maintain the confidentiality of the personal data and to require any subprocessors to meet the same obligations; and
- Permitting reasonable assessments by the controller to confirm the processor’s compliance with the Act.
Data Brokers
Data Brokers[2] would have additional obligations under the Act. These obligations are similar to the data broker-specific laws passed in California, Vermont, Oregon, and Texas, including:
- Mandatory registration with the Federal Trade Commission;
- Public disclosure that they are data brokers; and
- A searchable public registry so consumers can see which Data Brokers are selling which kinds of personal data.
Safe Harbor for Data Security
Controllers would be required to implement reasonable administrative, technical, and physical security measures. The Act offers a rebuttable presumption of compliance if businesses follow approved codes of conduct, recognized frameworks, or obtain certification pursuant to the Global Cross Border Privacy Rules System.
Enforcement: FTC, States, and a Right to Cure
The FTC would enforce the Act, treating violations like unfair or deceptive practices under Section 5 of the FTC Act, unless the violation is related to a civil rights violation, in which case the FTC must transfer the matter to an agency with enforcement authority over that alleged violation.
State attorneys general also could bring enforcement actions where a state attorney general has reason to believe that residents’ interests have been or are threatened or adversely affected by a violation.
In either case, the Act would provide a mandatory right-to-cure period of 45 days following notice of a violation of the Act. If, during that period, the controller or processor cures the alleged violation and provides a written statement saying the violation has been cured and will not recur, then there is no violation with respect to that allegation. If the entity fails to cure, or cures and then continues violating the Act, the FTC or state attorney general may proceed with an enforcement action.
Unlike the CCPA, there is no private right of action giving rise to litigation. Companies that suffer data breaches would still be subject to state data breach notification laws and would remain subject to scrutiny under state unfair and deceptive acts claims.
Timeline
The Act’s requirements related to consumer privacy rights, data security, and data brokers would take effect a year following enactment, and the rest of the Act would become effective two years after enactment.
Looking Back to Look Ahead
This is not the first time a federal privacy bill has been introduced. In 2024, the American Data Privacy and Protection Act (ADPPA) was introduced in the House of Representatives but never gained bipartisan traction. More recently, the House Committee on Energy & Commerce announced the creation of a data privacy working group (for more details see the A&B blog post here).
The Act was just recently introduced in the House so it is still early in the legislative process, and states with comprehensive privacy laws are likely to push back on any preemption of their current laws (particularly as it relates to private rights of action). California’s Privacy Protection Agency (“CalPrivacy”) has already sent a letter to the House Energy and Commerce Committee opposing the Act, noting that it is weaker than existing state privacy laws and that preemption would “strip away a substantial amount of important privacy protections that individuals have today under state privacy laws.”
Regardless, the introduction of the Act signals that Congress is renewing its focus on state-to-state privacy discrepancies and the business disruptions caused by the patchwork of state laws.
[1] The number excludes data handled solely to complete payment transactions.
[2] A “Data Broker” is a controller that (1) collects and processes personal data about a consumer who is not the controller’s customer or client and is not a user, reader, or subscriber of the controller’s product or service, and (2) derives 50% or more of its annual gross revenue from the sale of that personal data; the definition expressly excludes a person acting as a processor.
