On April 22, 2026, Rep. Brett Guthrie (R-KY), chairman of the House Committee on Energy & Commerce, and Rep. John Joyce (R-Pa.), leader of the Energy and Commerce Data Privacy Working Group and chairman of the Energy and Commerce Subcommittee on Oversight and Investigations, introduced HR 8413, the Securing and Establishing Consumer Uniform Rights and Enforcement Over Data Act (the “SECURE Data Act”).
The SECURE Data Act, the result of Guthrie’s Privacy Working Group, would establish a comprehensive federal consumer privacy standard that protects the privacy and security of Americans’ personal data. The Privacy Working Group received more than 250 written responses and held meetings with more than 170 different organizations “to create the strongest bill possible.”
The bill builds on the framework adopted by states in enacting comprehensive privacy and data security laws. It establishes new rights for consumers and obligations for companies, to be enforced by the Federal Trade Commission and state attorneys general. Previous bipartisan efforts, including the American Data Privacy and Protection Act (ADPPA), were unsuccessful. We discuss the protections of HR 8413 below.
Key Provisions
Preemption (Section 15)
The SECURE Data Act would preempt any state law or provision that “relates to the provisions of this Act.” It does not change federal obligations, for example, under the Children’s Online Privacy Protection Act (COPPA); Title IV of the Gramm-Leach-Bliley Act; Part C of Title XI of the Social Security Act; subtitle D of the HITECH Act; regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act (HIPAA); and more. The Act would generally take effect 2 years after enactment, with exceptions for sections 2 (Consumer privacy rights), 4 (Data security), and 5 (Data brokers). Section 15 would guarantee that certain state consumer protection and wiretap statutes—some of which impose stricter penalties, including private rights of action and fines—would no longer offer avenues for recourse. Additionally, the established body of jurisprudence interpreting these state laws would become largely irrelevant.
Applicability (Section 13)
The Act applies to any person that is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or that is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.), and that either (a) conducts business in the United States or offers a product or service for use or sale to a resident of the United States; or (b) processes or engages in the sale of personal data of a resident of the United States. In addition, the following thresholds apply:
General threshold: Entities collecting and processing personal data of more than 200,000 U.S. consumers annually and having an annual gross revenue of $25 million or more; or collecting and processing personal data of 100,000 or more consumers annually and deriving 25 percent or more of the annual gross revenue of the person from the sale of such personal data. The bill contains a number of exemptions for governmental entities, financial institutions, covered entities or business associates under HIPAA, health information under HIPAA, nonprofits, higher education institutions, and more.
Consumer Privacy Rights (Section 2)
HR 8413 grants a consumer certain privacy rights with respect to a controller, which include:
- To confirm whether a controller is processing the personal data of a consumer and to have a copy of such data (subject to trade secret limits);
- To correct any inaccuracy in the personal data of the consumer;
- To delete personal data provided by or obtained about the consumer;
- If the data is available in a digital format and to the extent technically feasible, to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance;
- To opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data, and profiling to make a decision that has a legal or similarly significant effect on the consumer; and
- To prohibit a controller from processing the sensitive data of a consumer without consent.
Controller and Processor Obligations (Sections 3 and 6); Data Security (Section 4); Data Brokers (Section 5); Deidentified and Pseudonymous Data (Section 7)
HR 8413 sets forth specific obligations for controllers, processors, and data brokers with respect to, for example, data minimization; compliance with federal anti-discrimination laws; data security; registration with the Federal Trade Commission (FTC) (for data brokers); contracts; and deidentified and pseudonymous data.
Youth Privacy
Notwithstanding the consumer privacy rights above, HR 8413 would require that a controller process the sensitive data of a child in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. 6501 et seq., and that a controller may not process the sensitive data of a teen without obtaining the verifiable consent of a parent of the teen.
HR 8413 defines teen as an individual over 13 and under 16 (COPPA applies to children under 13). The legislation differs from a number of state statutes, e.g., Florida (which permits self-consent under age 18), Maryland, and Oregon (which ban certain processing outright for minors), and Colorado, Connecticut, and Montana (which adopt a duty-of-care model). Of note, HR 8413 removes the word “known” from the child-data provisions and will likely invite substantial stakeholder comment.
Sensitive Data Definition
The proposed legislation adopts Kentucky’s privacy law definition of sensitive data, which reflects categories recognized across all 21 existing state privacy statutes.
Codes of Conduct (Section 8)
HR 8413 would allow controllers or processors to submit to the Secretary of Commerce an application for approval of a code of conduct that meets or exceeds the requirements of the controller or processor (or the group of controllers or processors) under the Act. Additional provisions relate to Secretary review, public comment, approval criteria, timelines, opportunity to cure, withdrawal of approval, and more.
Cross-Border Data Flows (Section 9)
HR 8413 emphasizes the Secretary of Commerce’s role as the principal advisor to the President on policy relating to the international flow of personal data and the protection of personal data in international commerce. It sets out a number of duties, noting that the “Secretary shall take any action necessary and appropriate to support the international flow of personal data and the protection of personal data in interstate commerce.”
Enforcement (Section 12)
The bill contains no private right of action. Enforcement authority is vested in the Federal Trade Commission and state attorneys general; violations of the statute shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act regarding unfair or deceptive acts or practices.
Next Steps
The Energy and Commerce Committee press release notes several “Commonsense Obligations on Businesses.” Companies must:
- Limit their collection of personal data to what is “adequate, relevant, and reasonably necessary” for the purposes disclosed to consumers.
- Disclose what personal data they share with others, including any personal data processed in or sold to China, Russia, or other foreign adversaries.
- Implement data security practices to protect the personal data they process.
Data brokers must:
- Comply with the data minimization, disclosure, and data security requirements.
- Register with the FTC and provide information about their privacy and data security practices and about the personal data they sell.
The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.
Strategic Takeaways for In-House Counsel
- Scope is broad. The 200,000-consumer threshold, combined with the $25M revenue floor, pulls mid-market companies into coverage at a rate that exceeds most state regimes.
- Teen data becomes sensitive data. Entities serving consumers under 16 should revisit consent architectures, data inventories, and vendor flow-down obligations. The silence on knowledge standards is a risk to monitor.
- Cross-border operations gain a federal anchor. Multinationals navigating post-Schrems II realities should evaluate cross-border privacy rules (CBPR) certification pathways given the statutory rebuttable presumption of compliance.
- Codes of conduct as compliance strategy. Sector-specific trade associations and industry groups should begin evaluating whether to pursue recognized code of conduct status.
- AI governance integration. The SECURE Data Act does not replace existing AI governance frameworks — NIST AI RMF, ISO/IEC 42001, the EU AI Act, OECD Principles — but layers a data-protection load-bearing joint into the broader architecture.
Introduction of HR 8413 has brought criticism as well as praise. We will continue to update our readers as the bill moves through the legislative framework. For a tailored briefing on how the SECURE Data Act would interact with your organization’s existing compliance framework, AI governance program, or cross-border data strategy, please contact the authors.
Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this post.