TL;DR:
- HR 8413, the SECURE Data Act, gets its first hearing on Wednesday, June 3, 2026 at 10:15 a.m. EDT in the Rayburn House Office Building. Subcommittee on Commerce, Manufacturing, and Trade.
- It would preempt every state privacy law: all 21 comprehensive state laws (CCPA, CPRA, Texas, Virginia, etc.), Illinois's BIPA, Washington's My Health My Data Act, and state data broker registries in California, Texas, Nevada, Oregon, and Vermont.
- It has no private right of action. Only the FTC and state AGs can enforce it. Individuals cannot sue. There's a 45-day cure period with no penalties.
- It's weaker than most of the laws it would replace. EFF: "Not a serious piece of privacy legislation." California Privacy Protection Agency: opposed.
- 40 million Californians would lose the Delete Request Platform (DROP) that lets them tell every registered data broker to delete their data in one click.
- Sponsors: Reps. Brett Guthrie (R-KY, Energy & Commerce chair) and John Joyce (R-PA, Vice Chair). Introduced April 22, 2026.
The Hearing Is in Three Days. The Stakes Are Twenty-One State Laws.
On Wednesday morning, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing called "Examining Legislation to Establish a Federal Comprehensive Privacy and Data Security Law." The room is John D. Dingell, 2123 Rayburn House Office Building. The time is 10:15 a.m. EDT [1].
The bill on the table is HR 8413, the SECURE Data Act, sponsored by Reps. Brett Guthrie (R-KY) and John Joyce (R-PA). It was introduced on April 22, 2026 [2]. Wednesday's hearing is its first major legislative test.
If you live in California, Illinois, Texas, Colorado, Connecticut, Utah, Virginia, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Nebraska, Rhode Island, Kentucky, or any other state that has passed a comprehensive privacy law in the last seven years, your state's law could be wiped out by this bill [3].
All of them. One federal vote.
"Relates to the Provisions of This Act"
The preemption clause is in Section 15. It's six words that erase a decade of state privacy work.
The bill voids any state law that "relates to the provisions of this Act." That's not a typo. "Relates to" is the broadest preemption language in U.S. statutory drafting, broader than "conflicts with," broader than "is inconsistent with." Courts interpret it to mean: if your state law touches the same subject matter at all, it's gone [4].
EFF Senior Staff Attorney Mario Trujillo, who literally wrote the EFF analysis on this bill, listed what disappears [4]:
- All 21 state comprehensive privacy laws.
- All 50 state data breach notification laws, including ones that require faster notification than the federal floor.
- Illinois's Biometric Information Privacy Act (BIPA), the strongest biometric privacy law in the country, currently being used to fight ICE's Mobile Fortify in court.
- Washington's My Health My Data Act: protections for reproductive and mental health data.
- State data broker registries in California, Texas, Nevada, Oregon, and Vermont.
- California's Delete Request and Opt-out Platform (DROP): the one-click data broker deletion tool 40 million Californians can use today.
- California's state constitutional privacy rights and common-law privacy torts.
- State-specific bans on location data sales and biometric surveillance.
This isn't tightening the rules. It's pulling them up by the roots.
The Replacement Is Weaker Than What It Replaces
That would be tolerable if the federal bill set a higher floor. It doesn't.
No private right of action. Under California's CCPA, you can sue a company that leaks your data. Under Illinois's BIPA, you can sue a company that scans your face without consent. Under HR 8413, you can't sue at all. Only the FTC and state AGs can bring cases, and as EFF puts it, "regulators do not have the resources to catch every violation" [4].
A 45-day cure period with no penalties. If a company violates the law, it gets 45 days to fix it before anything happens. Then nothing happens, because the cure provision wipes the penalty [4].
Opt-out, not opt-in. The burden is on you to find the right buttons to click. The bill requires consumers to opt out of targeted advertising, data sales, and profiling individually. Privacy is the default off-switch, not the default on-switch [4].
Loopholes large enough to drive a surveillance company through. The bill's definition of "biometric data" excludes face scans from photos and video, exactly the kind of data Clearview AI, Mobile Fortify, and every commercial facial recognition vendor uses. The data minimization requirement only limits processing to data "disclosed to the customer," which means anything buried in a privacy policy is fair game [4].
AI gets a free pass. The bill explicitly prevents states from restricting data use for AI development or model improvement [4].
"The bill is weaker than congressional proposals in prior years," EFF wrote in May 2026, "as well as most of the 21 state consumer privacy laws already on the books" [4].
California Is Saying No
Jennifer Urban, chair of the California Privacy Protection Agency, sent a formal opposition letter on April 2026 [5]. The position is unambiguous: "We cannot support any law that has a broad preemption provision in it. We believe that all Americans should have privacy rights" [3].
The CPPA letter is detailed. It walks through what California consumers would lose: the right to deletion under CCPA, the Delete Act's broker deletion platform, the constitutional right to privacy that California voters wrote into their state constitution in 1972 [5].
The political math here is significant. Every prior federal privacy bill (including ADPPA in 2022 and APRA in 2024) collapsed partly because California refused to accept preemption. The SECURE Data Act faces the same dynamic, but in a more polarized Congress and with a sponsor (Guthrie) who controls the Energy and Commerce gavel.
Illinois has also signaled it will defend BIPA in court if the bill passes. The state's biometric law is currently the basis for both the Mobile Fortify lawsuit against ICE and a parallel wave of private litigation against employers, retailers, and tech companies. Preemption would gut all of it.
Who Wants This?
The bill's backers are clearer about their motivation than its critics give them credit for: large platforms and trade groups want one federal standard instead of 21 state ones. NetChoice, the trade association whose members include Google, Meta, and Amazon, has been the loudest pro-preemption voice in the privacy debate for years. The Chamber of Commerce has aligned with similar positions [3].
The argument has appeal in the abstract: a single federal rule is easier to comply with than a patchwork. But the "compliance burden" framing obscures what's actually happening. Companies aren't asking for unified strong rules. They're asking for unified weak rules. The SECURE Data Act delivers exactly that [4].
Rep. Guthrie's privacy working group, established in February 2025, did consult with the privacy community during drafting. The community pushed for a private right of action and narrower preemption. Neither made it into the bill [2].
What to Watch on Wednesday
- The witness list. Not published as of May 31. Watch for industry-heavy testimony with token consumer advocate balance, a signal that the hearing is theater for a bill the sponsors already plan to push.
- Questions about preemption from Democrats. Frank Pallone (D-NJ, ranking member) and Jan Schakowsky (D-IL, longtime privacy advocate) are the names to watch. If they get explicit commitments to narrow preemption, the bill could become negotiable. If sponsors stonewall, expect a partisan markup.
- Any mention of a private right of action. This is the single biggest sticking point. The 2022 ADPPA included one. The SECURE Data Act doesn't. Bringing it back would change the political calculus instantly.
- State AG responses post-hearing. California AG Rob Bonta, Illinois AG Kwame Raoul, and New York AG Letitia James have all signaled willingness to file briefs opposing federal preemption. Watch for joint statements within 48 hours of the hearing.
- Whether the chair schedules a markup. If a markup gets scheduled within two weeks of Wednesday's hearing, the bill is on a fast track. If not, it's likely going to slow-walk through the summer.
What You Can Do Before Wednesday
- Call your representative, especially if they're on Energy and Commerce. Tell them: no federal privacy bill should preempt stronger state laws. The committee roster is at energycommerce.house.gov.
- Read the bill text yourself. The full text of HR 8413 is on Congress.gov. Section 15 is the preemption clause. It's worth seeing in plain language.
- Submit a comment for the hearing record. The Energy and Commerce Committee accepts written statements at energycommerce.house.gov. Statements submitted before the hearing close are included in the official record.
- Watch the hearing live. The Energy and Commerce Committee streams hearings at energycommerce.house.gov/news/hearings. Wednesday, June 3, 10:15 a.m. EDT.
- Support state attorney general offices. If federal preemption passes, state AG litigation will be the front line of defense. California, Illinois, Washington, and Vermont AGs need political cover and resources to fight in court.
- Demand your state representative goes on the record opposing federal preemption, even if they're a Republican. State Republicans have an institutional interest in protecting state authority. Use it.
The Bottom Line
For seven years, state legislatures have been the only place where U.S. privacy law actually got better. California passed CCPA in 2018. Illinois has had BIPA since 2008. Vermont built the country's first data broker registry. Twenty-one states now have comprehensive privacy laws. None of them are perfect. All of them are stronger than what HR 8413 would replace them with.
The pitch for the SECURE Data Act is uniformity. The reality is preemption. Companies that have spent the last decade lobbying state legislatures and losing have a new strategy: ask Congress to delete the losses.
Wednesday at 10:15 a.m. is the first test of whether that strategy works.
Sources
- House Energy and Commerce Democrats: "Hearing on Examining Legislation to Establish a Federal Comprehensive Privacy and Data Security Law" (June 3, 2026)
- IAPP: "SECURE Data Act: Analysis of the new federal privacy bill"
- ManageEngine Insights: "The SECURE Data Act would preempt all state privacy laws, undermining legislation like California's CPRA"
- EFF: "The SECURE Data Act is Not a Serious Piece of Privacy Legislation" (May 2026)
- California Privacy Protection Agency: Opposition Letter on HR 8413 (April 2026)
- Congress.gov: HR 8413 Full Text
Published: May 31, 2026