SECURE Data Act: The Federal Push to Unify America’s Privacy Framework

In a rather surprising development, House Republicans last week introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act). While the bill has a long way to go, with multiple negotiations ahead, it can be seen as the first step to revive the long-stalled push for a comprehensive national privacy law. So far, U.S. privacy regulation has been a patchwork of state laws. While each state law varies in requirements, definitions, and enforcement mechanisms, California’s CPRA is effectively seen as the default standard.

As businesses are navigating the complexities of multiple state privacy laws, it would be interesting to see how a single nationwide framework affects their operations. Therefore, let us understand the SECURE Data Act, what it proposes, and how it fares against the existing landscape.

Key Provisions of the SECURE Data Act

Establishing a federal privacy law is going to be an arduous task requiring consensus across a wide range of political, economic, and regional interests. Here are the provisions that the bill has been introduced with:

  • Pre-emption of State Laws: The bill would override most state privacy laws that fall within its scope, replacing the current patchwork with a single federal standard. This is a strong pre-emption approach, meaning businesses would primarily follow one nationwide framework instead of multiple state-specific rules.
  • Enforcement Structure: Enforcement would rest with the Federal Trade Commission and state attorneys general, with no private right of action for individuals. This means only regulators and not consumers would be responsible for investigating and penalizing violations.
  • Thresholds and Exemptions: The bill sets clear size-based thresholds to decide who it applies to, while also carving out several exemptions. It covers companies handling data of over 200,000 consumers (a relatively broad scope), and also captures data sellers under a separate revenue-based test. At the same time, it excludes smaller businesses below $25 million in revenue and provides them a gradual compliance path.
  • Standardized Data Rights: Pretty much mirroring the widely adopted Washington model, the Act grants consumers a familiar set of rights, including access, correction, deletion, data portability, and the ability to opt out. It also incorporates common structural elements from state laws, such as defined roles for controllers and processors, opt-in requirements for processing sensitive data, and data broker registration.
  • Teen Data Privacy: The bill treats data of individuals under 16 as sensitive, requiring opt-in consent and verified parental approval. While states handle teen privacy differently, this strict parental-consent model stands out, alongside a standardized (Kentucky-based) definition of sensitive data.
  • Cross-Border Data: The bill emphasizes enabling cross-border data flows while maintaining privacy protections, reinforcing the Commerce Department’s role in global data policy. It also introduces voluntary, enforceable codes of conduct, where companies following approved frameworks can benefit from a presumption of compliance.

Missing Pieces: SECURE vs. CPRA

While the act is said to have kept up with the baseline requirements in various state laws, it misses some major provisions, especially from California’s CPRA, which is effectively seen as the standard. Here are some points from the CPRA absent in the SECURE Data Act:

  • No DPIA Requirement: The SECURE Data Act includes no obligation comparable to a DPIA, under which a business is required to conduct risk assessments for certain high-risk data processing activities.
  • No Framework for Automated Decision-Making: Unlike California’s CPRA, which introduces detailed rules around automated decision-making technologies, the SECURE Data Act does not explicitly address ADMT or AI at all.
  • Private Right of Action: CPRA provides a limited private right of action that allows consumers to sue businesses in cases of certain data breaches. In contrast, the SECURE Data Act does not include any private right of action, leaving enforcement entirely to regulators like the FTC and state attorneys general.
  • DELETE Act: California has a centralized deletion mechanism for data brokers, allowing one deletion request through DROP. The SECURE Data Act’s data broker registration does not include California DELETE Act-style innovations.

Preparing for a Moving Target

At this stage, businesses do not need to take any immediate action specific to the SECURE Data Act, given that the bill is likely to evolve through the legislative process. The most practical approach is to continue complying with existing state privacy laws, particularly more mature frameworks like California’s CPRA, which already set a high baseline for compliance.

At the same time, organizations should focus on building adaptable, privacy-by-design programs that can accommodate regulatory changes without significant rework. Keeping a close watch on federal developments with regard to preemption, enforcement, or automated decision-making will help them stay prepared if and when a unified national framework begins to take shape.

A Federal Framework in the Making

The SECURE Data Act, in its current form, reflects a pragmatic attempt to build a consensus-driven federal privacy framework by aligning with the most commonly accepted elements across state laws. However, when benchmarked against California’s CPRA, the bill clearly stops short of adopting some of the more evolved and stringent provisions that are beginning to define the next phase of privacy regulation. Whether this lighter, more harmonized approach is enough to gain bipartisan support remains to be seen.


Author

Dan Clarke
President, Truyo
April 29, 2026
