The House Energy & Commerce Committee released the SECURE Data Act on April 22, a comprehensive federal consumer privacy bill that reaches businesses subject to the FTC Act or common carriers under Communications Act title II.
The bill sets a two-track coverage test. Track one: businesses collecting and processing data on 200,000 or more consumers annually with $25 million or more in gross revenue. Track two: businesses that process data for 100,000 or more consumers and derive 25 percent or more of annual gross revenue from selling personal data. Either threshold triggers the full compliance framework.
Under Section 2, consumers get rights to access, correct, delete, and copy their personal data. They can also opt out of targeted advertising, data sales, and profiling decisions with “legal or similarly significant” effects. Controllers can’t process sensitive data without consent.
The preemption clause is the structural play. The act would preempt any state law that “relates to” its provisions, ending the patchwork that includes California’s CPRA. State AGs retain the right to bring civil actions in federal court for injunctions and damages, but state legislatures don’t get to run a parallel regime.
For companies that built CCPA/CPRA compliance programs, the data minimization rule demands re-examination: collection must be “adequate, relevant, and reasonably necessary.” The act also includes a data broker registration requirement. Businesses deriving more than 25 percent of revenue from data sales face the steepest exposure.
The bill is in committee with no markup date announced.
— James Okafor