Privacy

The new federal consumer privacy bill isn’t very consumer-friendly, critics say

Numerous privacy analysts who've read the SECURE Data Act said that in addition to preempting years of state policy work, it would omit crucial protections for consumers.

By Keely Quinlan

April 22, 2026

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

Rep. Brett Guthrie, R-Ky., speaks during a news conference with House Republican leadership in the Capitol Visitor Center on Tuesday, November 18, 2025. (Tom Williams / CQ-Roll Call, Inc via Getty Images)

Privacy organizations and advocates are raising concerns about the SECURE Data Act, a piece of federal legislation introduced Wednesday that would preempt state privacy laws.

Introduced by Rep. John Joyce, a Republican from Pennsylvania, and Rep. Brett Guthrie, a Republican from Kentucky who chairs the Energy and Commerce Committee, the legislation aims to create a nationwide standard for protecting personal data. The lawmakers said it builds on the comprehensive consumer data privacy laws adopted in many states, passed in absence of a federal data privacy standard. But some data privacy advocates on Wednesday said that the federal measure would actually weaken protections.

According to its sponsors, the SECURE Data Act would establish a national privacy and data security standard to protect personal data, establish new rights for consumers and set new obligations for companies. The law would be enforced by the Federal Trade Commission and state attorneys general. It does not feature a private right of action that would allow people to bring lawsuits against companies found violating the law. Some experts this feature the hallmark of a strong data privacy law.

Similarly to a number of state privacy laws, the act would grant consumers rights, such as the right to access, delete or control how their personal data is used. This includes the ability to opt out of targeted advertising and requiring consent to collect sensitive data or children’s data. The bill’s sponsors also claim it would require businesses and data brokers that process large volumes of data to limit their data collection, disclose how data is shared, implement security safeguards and register with the FTC as part of a public system designed to increase transparency.

But the SECURE Data Act would also broadly preempt state laws covering the same data privacy and security concerns, which means states would generally be disallowed from enforcing any data privacy law overlapping with the federal framework.

‘Strongest’ possible bill

Joyce and Guthrie said in a joint statement that the bill was the product of a legislative working group that received more than 250 written responses and held meetings with at least 170 organizations. The feedback, they said, helped to form the “strongest” legislation possible.

“The Energy and Commerce Data Privacy Working Group was created to reset the discussion on comprehensive data privacy, taking wide ranging input from stakeholders and crafting a consensus bill that protects the privacy and security of Americans’ personal data,” the statement read. “This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping. We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

Cobun Zweifel-Keegan, managing director of IAPP, a data-privacy nonprofit, said that the work to gather feedback demonstrated the group’s commitment to finding middle ground on national data privacy protections. Over the past year, lawmakers from both parties and state leaders have clashed over proposals to preempt states’ artificial intelligence rules, measures that would have also impacted some state privacy laws.

“The working group’s plan for a consumer privacy law would embrace the baseline consensus standards from across the current state patchwork,” Zweifel-Keegan said. “It would deliver consumer privacy rights to all Americans, while preempting any states with rules above the baseline. The bill is just starting the long path to passage, but it represents a remarkable achievement for republicans in the working group, who have come together to embrace a unified vision for consumer privacy based in part on stakeholder input.”

‘Significant gaps’

Critics of the bill said it falls short in addressing the real-world consequences of weak data protections, particularly for people facing heightened risks. Eric Null, the director of a privacy and data program at the Center for Democracy and Technology, a nonprofit advocacy group, noted that past bipartisan bills, such as the American Data Privacy and Protection Act and the American Privacy Rights Act (attempted in 2022 and 2024, respectively), better addressed privacy needs.

“This new bill would federally codify industry-favored state privacy rules while preempting state laws that include stronger protections, including requirements to affirmatively minimize collection of data and bans on selling certain sensitive information like Americans’ precise locations,” Null wrote in an email. “Were this proposal to pass, it would cement the harmful online data practices that Americans need and want a privacy law to fix, resulting in more data breaches, more intrusive data collection, more creepy advertising practices, and more business for data brokers.”

Null added that any federal privacy law should include protections “against growing AI-related privacy harms,” like limiting how AI collects data for training purposes, and codifying protections against AI-based discrimination. As introduced, the bill does not set rules for how AI systems are built or maintained, but does require that companies disclose if they use automated decision making systems, and provide users the ability to opt out.

Justin Sherman, interim vice president of the Security Project at the Public Service Alliance, a network that supports government workers, said the nation lacks protections for some of the most serious harms caused by privacy laws that fall short. The group showed in a recent report that state consumer privacy laws already largely fail to protect public servants — including federal and state lawmakers, judges, local school board members and 911 operators — who have over the past decade faced rising threats, including harassment, doxxing and physical violence.

Before the bill’s text was published, he shared a statement Wednesday noting that “significant gaps across the patchwork of federal and state privacy laws leave America’s public servants, among many others, with weak or non-existent protections to protect themselves and their families. What we need is a strong national standard that would mitigate America’s data-to-violence pipeline, which currently leaves public servants at unnecessary and increased risk of doxxing, swatting, and other violent threats.”

Cody Venzke, a senior staff attorney with American Civil Liberties Union, noted in an emailed statement that while this is a consumer privacy bill, it is not consumer-friendly: “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents. Instead of building meaningful guardrails for data and AI, this bill instead opts for letting Big Tech and the government continue to invade our privacy and profit from even our most personal information.”