The SECURE Data Act: A Critical Examination of Its Privacy Provisions

The SECURE Data Act, recently proposed by House Republicans, has sparked significant debate over its potential impact on consumer privacy. While it aims to create a federal standard, critics argue that it falls short of existing state protections and may even weaken them. Below, we explore key questions about this controversial bill.

What is the SECURE Data Act and why is it considered weak?

The SECURE Data Act is a federal privacy bill drafted by Republicans on the House Energy and Commerce Committee. It was released without bipartisan support and is widely seen as a step backward from both prior congressional proposals and existing state laws. The bill grants consumers rights such as access, correction, deletion, and limited data portability, but these have become standard in privacy legislation. More concerning, it would preempt over 20 state consumer privacy laws—many of which are stronger—and fails to provide a private right of action, meaning individuals cannot sue companies for violations. Additionally, it does not ban behavioral advertising outright, a practice that drives excessive data collection. Overall, the bill is viewed as insufficiently protective of consumer privacy.

The SECURE Data Act: A Critical Examination of Its Privacy Provisions — Source: www.eff.org

What specific rights does the SECURE Data Act grant to consumers?

The bill provides consumers with several basic rights over their personal data, including access, correction, deletion, and limited portability. These are now common in most privacy proposals. It also requires companies to obtain explicit consent before processing sensitive data—such as health or financial information—or using personal data for purposes not previously disclosed. Additionally, consumers can opt out of targeted third-party advertising, the sale of their personal data, and profiling that leads to legal, healthcare, housing, or employment impacts. However, the burden is on the consumer to opt out; companies can continue these invasive practices unless individuals actively object. This default-to-permission approach is seen as a weakness compared to stronger, opt-in models.

How does the SECURE Data Act affect existing state privacy laws?

One of the most criticized aspects of the SECURE Data Act is its broad preemption clause. Section 15 would override any state law that "relates to the provisions of this Act," effectively wiping out the 21 state consumer privacy laws passed in recent years. These state laws are not perfect, but many offer stronger protections than the federal bill—for example, California’s data broker deletion tool and mandatory compliance with automatic opt-out signals like the Global Privacy Control. Federal privacy laws like HIPAA allow states to build on top of a federal floor, but this bill would create a ceiling, preventing states from enacting stronger measures. Critics argue this undermines innovation and consumer protection.

Why is the absence of a private right of action a major flaw?

A private right of action allows individuals to sue companies directly for privacy violations, rather than relying solely on government enforcement. The SECURE Data Act omits this provision, meaning only the Federal Trade Commission (FTC) or state attorneys general can take action. This is problematic because government agencies often lack resources to pursue every violation, leaving many victims without recourse. Without the threat of private lawsuits, companies have less incentive to comply with the law. Similar gaps exist in other federal privacy frameworks, but states like California have included private rights of action for certain breaches. The absence in this bill is seen as a significant retreat from meaningful enforcement.

Does the SECURE Data Act address online behavioral advertising?

No, the bill does not ban online behavioral advertising—a practice that tracks users across sites to serve targeted ads. Instead, it only allows consumers to opt out of targeted advertising from third parties, but continues to permit first-party behavioral advertising without an opt-out. Moreover, the bill’s definition of "targeted advertising" contains loopholes, potentially excluding many common tracking practices. This is a major shortcoming because behavioral advertising fuels the massive data collection that privacy advocates oppose. Stronger proposals have called for a ban or stricter limits, but the SECURE Data Act fails to curb the core driver of data exploitation.

What other flaws are present in the SECURE Data Act?

Beyond preemption and lack of private right of action, the bill has several other weaknesses. It sets weak opt-out defaults—consumers must actively request privacy protections rather than being protected by default. Data minimization requirements are inadequate, allowing companies to collect more data than necessary. The bill also includes large definitional loopholes that could exempt many companies from compliance. For example, data brokers with less than 50% of profits from data sales are not required to register. These flaws collectively make the bill a "retreat" from insufficient state protections, as the original article notes. Instead of setting a strong federal floor, it risks creating a low ceiling that hinders future progress.

Are there any positive aspects to the SECURE Data Act?

While heavily criticized, the bill does contain some consumer-friendly provisions. It grants rights like access, correction, deletion, and portability, which are standard in modern privacy laws. The requirement for consent before processing sensitive data or using data for new purposes is also a positive step. Additionally, the bill mandates a public database for certain data brokers, increasing transparency. However, these positives are overshadowed by the bill’s preemption of stronger state laws and its reliance on opt-out rather than opt-in consent. Many advocates argue that even weak federal legislation is harmful if it blocks states from innovating. The net effect is seen as a loss for consumer privacy.

Tags: