The House Energy and Commerce Committee’s Republican data privacy working group filed H.R. 8413, the SECURE Data Act, on April 22. The bill’s preemption clause could gut the Illinois Biometric Information Privacy Act, California’s Delete Act, and 12 states’ opt-out preference signal mandates.
The bill covers FTC Act entities that either have $25 million in annual revenue and process 200,000 consumers’ data, or process 100,000 consumers’ data when at least 25% of gross revenue comes from data sales. Enforcement falls to the FTC and state attorneys general. There is no private right of action, and controllers get a 45-day cure period before enforcement begins.
Preemption won’t be automatic. The bill’s “relates to” standard is deliberately broad, but each state law would face individual federal court challenges. The CCPA may resist full preemption because it covers employee and B2B data the federal bill exempts.
The bill doesn’t require data protection impact assessments — every state framework except Alabama, Iowa, and Utah mandates them. It’s also silent on opt-out preference signals like Global Privacy Control, directing the Secretary of Commerce to study feasibility only.
Novel additions include a federal FTC data broker registry, teen data (ages 13-15) classified as sensitive with verifiable parental consent required, a COPPA-modeled Code of Conduct certification granting a rebuttable presumption of compliance, and repeal of the Video Privacy Protection Act, 18 U.S.C. § 2710.
The SECURE Data Act was released alongside the GUARD Financial Data Act from the House Financial Services Committee. The 119th Congress has no markup date set.
— James Okafor