GoKawiilis a senior policy reporter at The Verge, covering the intersection of Silicon Valley and Capitol Hill. She spent 5 years covering tech policy at CNBC, writing about antitrust, privacy, and content moderation reform.
Posts from this author will be added to your daily email digest and your homepage feed.
Congress is once again attempting to pass a national data privacy law. But while it would introduce new protections in some states, it would weaken privacy rights in others — and it’s missing several elements that privacy advocates deem necessary.
The SECURE Data Act is the product of a Republican data privacy working group led by Rep. John Joyce (R-PA), who introduced the bill alongside House Energy and Commerce Committee Chair Brett Guthrie (R-KY). The proposal would require companies to collect only the user data they really need to perform the tasks they promise, let users see what information websites have on them and request its deletion, and require explicit opt in for collecting sensitive data like location or sexual orientation.
The Federal Trade Commission and state attorneys general would be able to bring legal action against companies accused of violating the law. A separate bill, the GUARD Financial Data Act, deals specifically with consumer financial data.
This is the latest attempt in a years-long effort to pass federal privacy protections for digital consumers, after several prior iterations failed to get key congressional leaders on board. In 2024, a planned meeting to discuss the last major bipartisan privacy proposal was abruptly cancelled as the bill reportedly faced opposition from House Republican leadership. In a joint statement, Guthrie and Joyce said the working group aimed to “reset the discussion on comprehensive data privacy.”
The SECURE Data Act would provide some new protections for many Americans. Only about 20 states so far have comprehensive data privacy laws, and many of these have received poor grades from outside advocates.The SECURE Data Act would also create additional protections for data on teens aged 13 to 15, requiring parents’ consent to process their information.
But the bill does not let individuals sue over alleged privacy violations. It doesn’t require sites to recognize universal opt-out mechanisms, so users would need to proactively and continually limit collection. It also exempts pseudonymous data from certain protections, which some groups warn would create a loophole for targeted ads.
Moreover, the bill seeks to preempt state laws that already offer equal or stronger protections — like California’s, which created a new privacy agency and lets consumers take legal action against companies for certain data breaches, or Maryland’s, which bans the sale of sensitive data and serving targeted ads to teens under 18. The Future of Privacy Forum (FPF), whose members include tech platforms but says its work is independent of individual stakeholders, writes that the bill “selects particular narrow approaches used by only a handful of states.”
FPF (which neither supports nor opposes the bill) says while the proposal goes beyond some of the narrowest state laws, it’s “consistently narrower and less prescriptive” than California’s privacy requirements. Some definitions in the bill are also more limited than in many state laws, the group writes, such as that for “biometric data,” which doesn’t include data from audio or video recordings.
... continue reading