TL;DR:
- What: The EFF published a detailed teardown of the SECURE Data Act (HR 8413), the House Republican privacy bill introduced April 22, 2026
- The verdict: "Weaker than congressional proposals in prior years, as well as most of the 21 state consumer privacy laws already on the books"
- Biggest problems: No private right of action, 45-day penalty-free cure period, fake data minimization, government contractor loophole for surveillance companies, and preemption of all 50 state breach notification laws
- What you'd lose: California's Global Privacy Control, Oregon's third-party disclosure rights, Illinois's biometric protections, and Minnesota's right to contest automated decisions
- What to do: Contact your representatives. This bill is still in committee and hasn't been marked up yet
The Sales Pitch vs. the Fine Print
House Republicans have a pitch: Americans deserve one clear, national privacy law instead of a patchwork of 21 state laws. Makes sense on the surface. Nobody wants to navigate 21 different privacy regimes.
But the SECURE Data Act doesn't replace state laws with something better. It replaces them with something worse. And that's not a side effect. It's the design.
The EFF's May 5 analysis ripped through the bill's 200-plus pages and found a pattern: every provision that sounds protective has a loophole wide enough to drive a surveillance economy through. Data minimization that isn't. Opt-out rights that burden consumers instead of companies. A biometric data definition that excludes facial recognition from security cameras.
The bill was introduced on April 22 by the House Energy and Commerce Committee's Privacy Working Group, backed by Committee Chair Brett Guthrie and Financial Services Chair French Hill. It hasn't been marked up or voted on. There's still time to kill it, or fix it.
The Preemption Wrecking Ball
Section 15 of the SECURE Data Act would preempt any state "law, rule, regulation, requirement, standard, or other provision" that "relates to" the federal bill's provisions. That's not targeted preemption. That's a wrecking ball.
Here's what gets demolished:
- 21 state comprehensive privacy laws: California's CCPA, Colorado's CPA, Connecticut, Virginia, all of them
- All 50 state data breach notification laws, built over two decades of hard-won legislative fights
- Illinois BIPA: the strongest biometric privacy law in the country, responsible for billions in enforcement actions against companies like Facebook and Google
- California's data broker deletion tool: the one that actually forces data brokers to delete your information
- Vermont, California, Nevada, Texas, and Oregon data broker registries: gone
- Washington's My Health My Data Act: protections for health data outside HIPAA
The Future of Privacy Forum's analysis found the bill's preemption wouldn't be automatic: each state law would need to be challenged individually in court. But the "relates to" language is so broad that courts would likely strike down most state provisions that offer stronger protections than the federal baseline.
Six Loopholes That Gut the Bill
1. "Data Minimization" That Minimizes Nothing
The bill limits data processing to what companies have "disclosed to the customer." Read that again. If a company puts invasive data practices in its privacy policy (the one nobody reads), those practices become legal under the SECURE Data Act. That's not minimization. That's permission laundering.
2. The 45-Day Get-Out-of-Jail Card
Companies that violate the law get 45 days to "cure" violations with zero penalties. Imagine a data broker selling your location data illegally. They get caught. They stop, for now. No fine. No consequences. Try again next quarter.
3. The Government Contractor Escape Hatch
Section 13(b)(2) could allow data brokers to escape sale restrictions when selling to government entities. The EFF flagged this as a potential lifeline for surveillance companies like Clearview AI, which scrapes billions of facial images and sells access to law enforcement. Under this bill, that might not count as a "sale."
4. Biometric Data With a Blind Spot
Section 16(4) excludes "data generated from photographs or video or audio recordings" from the definition of biometric data. Security camera footage used for facial recognition? Not biometric data under this bill. That gutting of biometric protections would erase years of enforcement under Illinois's BIPA.
5. Deletion Requests Downgraded to Opt-Outs
When you ask a company to delete your data from a third party, Section 2(d)(5) treats that as an opt-out, not an actual deletion. Your data stays. They just promise not to use it for certain things. Pinky swear.
6. AI Training Gets a Free Pass
Nothing in the bill prevents companies from collecting your personal data to "develop or improve a new technology." That's a blank check for AI training. Every photo, every voice recording, every browsing pattern is fair game as long as a company calls it R&D.
What State Laws Do That the SECURE Data Act Won't
The Future of Privacy Forum ran a side-by-side comparison. The results are damning.
Every single state comprehensive privacy law except Alabama, Iowa, and Utah requires data protection impact assessments for high-risk processing. The SECURE Data Act requires none.
No Private Right of Action Means No Accountability
This is the kill shot. The SECURE Data Act does not give you the right to sue companies that violate your privacy.
Enforcement falls entirely to the FTC and state attorneys general. The EFF's argument is straightforward: "regulators do not have the resources to catch every violation." The FTC has roughly 1,100 employees overseeing the privacy practices of every company in America. State AGs have their own resource constraints.
Without a private right of action, there's no class action lawsuit when Clearview scrapes your face. No individual claim when a data broker sells your location to a stalker. No legal recourse at all except hoping an overworked regulator takes your case.
Illinois's BIPA works precisely because it includes a private right of action. That's how Meta paid $1.4 billion for storing biometric data without consent. Under the SECURE Data Act, that lawsuit couldn't have happened.
Self-Regulation Theater
The bill includes provisions for industry "codes of conduct" that would grant companies presumptions of compliance. In practice, this means trade associations write their own rules, companies follow those rules (or claim to), and regulators face a higher bar to prove violations.
We've seen this movie before. The ad industry's self-regulatory "AdChoices" program was supposed to give consumers control over tracking. Fifteen years later, the average website drops 50+ trackers before you've read the first paragraph.
What You Can Do
The Bottom Line
The SECURE Data Act is the third attempt by Congress to pass a federal privacy law. The previous two (the American Data Privacy and Protection Act and the American Privacy Rights Act) were both stronger than this bill. They failed because they couldn't get enough votes.
So Congress came back with something weaker. Not because Americans need less privacy, but because the data industry lobbyists who killed the stronger bills wanted more loopholes. They got them.
A real federal privacy law would set a floor, not a ceiling. It would let states go further. It would give you the right to sue. It would actually minimize data collection instead of legalizing whatever appears in a privacy policy.
This bill does none of that. The EFF called it "not a serious piece of privacy legislation." Based on what's in the text, that's generous.
Sources
- EFF: The SECURE Data Act is Not a Serious Piece of Privacy Legislation (May 5, 2026)
- Future of Privacy Forum: Contextualizing the SECURE Data Act in the State Privacy Landscape (May 2026)
- IAPP: SECURE Data Act: Analysis of the New Federal Privacy Bill (April 2026)
- Hunton Andrews Kurth: House Republicans Introduce Comprehensive Federal Privacy Bill (April 2026)
- Consumer Finance Monitor: House Committee Releases SECURE Data Act (May 12, 2026)
- Congress.gov: H.R.8413 SECURE Data Act (119th Congress)
- Venable LLP: SECURE Data Act: Congress Introduces New Federal Privacy Framework (April 2026)
Published: May 15, 2026