Introduction
The federal SECURE Data Act, recently released by House Republicans without bipartisan support, claims to protect consumer privacy but is widely considered a weak proposal that would undermine existing state safeguards. This guide walks you through the key flaws of the bill, from its inadequate opt-out defaults to its sweeping preemption of state laws. By following these steps, you will understand why the SECURE Data Act is not a serious piece of privacy legislation and how it could weaken your rights.
What You Need
- A copy of the SECURE Data Act (available on Congress.gov)
- Familiarity with existing state privacy laws (e.g., CCPA, CPRA, VCDPA)
- Basic understanding of privacy concepts (opt-out, consent, data minimization, preemption)
- Optional: the EFF’s Privacy Badger browser extension to see automatic opt-out signals in action
Step-by-Step Guide
Step 1: Understand the Bill’s Core Consumer Rights
The SECURE Data Act grants consumers rights to access, correction, deletion, and limited portability of their personal data. These are standard in modern privacy proposals but are not enough to provide meaningful control. Note that the bill does not include a private right of action – meaning you cannot sue companies for violations on your own behalf. Instead, enforcement is left to the Federal Trade Commission (FTC) and state attorneys general, which is a significant weakness.
Step 2: Examine Preemption of State Laws
Section 15 of the bill would preempt any state law that “relates to the provisions of this Act.” This would wipe out dozens, if not hundreds, of existing state protections, including all 21 state consumer privacy laws enacted in recent years (e.g., California, Virginia, Colorado). Unlike strong federal laws such as HIPAA or the Video Privacy Protection Act, the SECURE Data Act sets a ceiling—not a floor—for privacy rights. Compare this to state provisions like California’s data broker deletion tool or automatic opt-out signal requirements (e.g., the Global Privacy Control built into EFF’s Privacy Badger). Under the new bill, those state protections would be eliminated.
Step 3: Assess the Lack of Private Right of Action
Without a private right of action, consumers cannot directly sue companies for privacy violations. This removes a powerful deterrent against corporate abuse. The bill would leave enforcement to overburdened regulators, meaning most violations would go unpunished. As a result, companies have little incentive to comply with the law’s requirements.
Step 4: Scrutinize Opt-Out and Data Minimization Weaknesses
The bill allows you to opt out of (1) targeted third-party advertising, (2) the sale of your personal data, and (3) profiling that has legal, healthcare, housing, or employment effects. However, this is an opt-out system by default – meaning companies can continue these invasive practices until you actively unsubscribe. There is no requirement for data minimization to limit what companies collect in the first place. The bill also contains large definitional loopholes (e.g., vague exceptions for “internal business use”) that allow companies to keep processing data without your clear consent.
Step 5: Identify Loopholes Regarding Sensitive Data and Consent
The bill does require explicit consent before processing sensitive data (e.g., health, biometrics, precise location) or using personal data for a previously undisclosed purpose. That sounds positive, but the definition of sensitive data is narrow, and exceptions are broad. For example, data collected for “security purposes” or “product improvement” may bypass these protections. Online behavioral advertising—the engine of mass data collection—is not banned; it is merely subject to opt-out. This is a far cry from banning the practice altogether.
Step 6: Compare with Existing State Protections
Lay the SECURE Data Act side by side with laws from states like California, Colorado, and Connecticut. State laws typically provide stronger opt-out rights, broader definitions of sensitive data, and sometimes a private right of action. For instance, California requires companies to honor global opt-out signals and provides an automatic opt-out for data brokers. The SECURE Data Act would override these state enhancements, leaving consumers with a weaker federal standard that is harder to enforce.
Step 7: Consider the Bill’s Effect on Data Brokers
The bill requires data brokers that earn at least 50% of their profits from selling personal data to register in a public FTC database. While transparency is welcome, this provision does little to limit the underlying trade of personal information. Moreover, many companies can structure their operations to avoid the 50% threshold, leaving most data transactions unregulated. Compare this to California’s data broker registry and deletion tool, which would be preempted.
Tips
- Contact your representatives: Use the analysis above to explain why the SECURE Data Act is a step backward. Urge them to support bills that set a federal floor, not a ceiling—and that include a private right of action.
- Support stronger state laws: If you live in a state with existing privacy protections, advocate to preserve them. Encourage your state legislators to resist federal preemption that weakens local laws.
- Use privacy tools: Install browser extensions like EFF’s Privacy Badger to automatically send opt-out signals and protect yourself from tracking. The SECURE Data Act does not require companies to honor such signals, so individual action remains important.
- Stay informed: Follow organizations like the Electronic Frontier Foundation (EFF) for updates on federal privacy legislation and advocacy opportunities.
This guide is for educational purposes and reflects the views of privacy advocates. Always consult the actual text of the SECURE Data Act and legal experts for official interpretation.