House subcommittee splits on SECURE Data Act that preempts state privacy laws

Members of a House Energy and Commerce subcommittee split along party lines during a hearing Wednesday to consider the SECURE Data Act, with Republicans touting the bill as a long‑overdue national privacy framework, and Democrats warning it would strip away a number of hard‑won state protections.

The partisan divisions, which echoed a number of prior debates about a federal data privacy standard, predictably saw Republicans on the Commerce, Manufacturing, and Trade Subcommittee — particularly, the two authors of the bill, GOP Reps. John Joyce of Pennsylvania and Brett Guthrie of Kentucky — pushing the SECURE Data Act as a pro‑innovation and small business-friendly bill that incorporated the best of the over 20 state comprehensive privacy laws.

Meanwhile, Democrats and a civil-liberties advocates argued against the bill fiercely, stating that the standard the SECURE Data Act would set would be “weaker than the weakest state law,” and wipe out not only those over 20 state comprehensive privacy laws, but the stronger state protections in places like California’s Delete Act, Connecticut’s new law that was inspired by the Delete Act, the Illinois Biometric Information Privacy Act, or BIPA, and Washington’s My Health, My Data Act.

‘Red states, blue states, and purple states’

The legislation aims to create a nationwide standard for protecting personal data, while barring states from enforcing any data privacy law that overlaps with the federal framework. It follows extensive work by the Energy and Commerce Data Privacy Working Group, which gathered more than 250 written submissions and consulted with at least 170 organizations over the past year to help design the bill.

“Reaching this consensus was only possible with strong collaboration between members of the working group, who are all original co‑sponsors of this legislation,” Joyce said in his opening remarks. “This legislation is built on the foundations laid by more than 20 states: red states, blue states, and purple states. … The states have sketched a path forward for us that protects consumers, provides certainty for businesses and offers a strong foundation for bipartisan federal privacy legislation.”

“We’re not looking to compete with Europe to regulate; we’re looking … to compete against China to innovate. We have to innovate and also protect individuals’ data,” added Guthrie, who chairs the House Energy and Commerce Committee. “And so, how do we strike that balance? That’s what we’ve worked hard [on], and we strongly believe that we have.” 

Tyler Bridegan, a partner at the Womble Bond Dickinson law firm and a former privacy enforcer in the Texas Attorney General’s office, testified that while the SECURE Data Act is based on a number of U.S. state laws, it also shares some similarities with the General Data Protection Regulation, or GDPR, which is Europe’s consumer privacy protection law.

However, another witness, Ashli Watts, president and CEO of the Kentucky Chamber of Commerce, pointed to the GDPR’s negative impact on innovation. She also said that based on her work with the Kentucky legislature on their state’s data privacy law — which inspired the SECURE Data Act — small and mid-sized businesses can’t “realistically navigate 50‑state legal strategy” for privacy compliance.

Cobun Zweifel-Keegan, managing director of IAPP, a data-privacy nonprofit, told StateScoop prior to the hearing that because the bill and its “very aggressive preemption language” were designed by Republicans, the lingering question isn’t whether a federal framework will proceed — as most on both sides of the aisle still want one — but what Democrats’ priorities will be for it, and how they will navigate the preemption proposal.

“Republicans are in favor of broad, strong preemption for this type of law to have a single uniform federal standard,” he said. “Sometimes you’ll hear from industry … ‘what’s the point of having a federal standard if you don’t get rid of things like BIPA? Why should industry support something if it’s just going to be the opportunity to have to continue to have more complexity?’ That’s the argument that brings people to the table.”

‘Appalling betrayal of hardworking Americans’

Democrats responded very plainly Wednesday, laying out not only their legislative priorities in reworking the bill, but their disinterest in working on legislation that outright neutralizes state privacy laws without substantive changes first.

“The partisan SECURE Data Act is not the strong enforceable standard its sponsors describe,” said Rep. Frank Pallone, Jr., D-N.J. “Instead, this bill locks in the failed notice and consent status quo, and then compounds loophole upon loophole to water down its provisions. And then, to make matters worse, it adds expansive preemption that will leave many Americans with fewer privacy protections than they have today.” 

Rep. Kathy Castor, D-Fla., delivered an even harsher critique.

“Well, Mr. Chairman, I’m not going to mince words. I think this bill is an appalling betrayal of hardworking Americans, their ability to safeguard their personal information,” she said. It “would just allow violation of their privacy to continue. It wipes away laws across the country that protect privacy. It will lead to higher costs for consumers. It will further unleash insidious AI surveillance pricing. It will end state laws relating to unwanted robocalls and spam text messages, and it will gut online privacy protections for kids.”

A number of other Democratic members also pointed to the peripheral laws that will be impacted by the SECURE Data Act if it proceeds, including those that have to do with kids’ online safety, AI‑driven discrimination, surveillance pricing and location or health data being sold. They also said it relies on pop‑up consent mechanisms online that really don’t give consumers a choice, because if they choose to opt-out, they cannot proceed to using the website or digital asset like others who opt-in.

Caitriona Fitzgerald, deputy director and policy director of the nonprofit research organization Electronic Privacy Information Center, or EPIC, testified against the bill. She critiqued its reliance on models from the states, claiming that large technology companies often influenced them via lobbying, resulting in weaker laws.

“Those bills originated from a draft that was written by tech giants in Washington state. It ultimately did not pass in Washington state, but they took it to Virginia first … and then brought it to … these now 22 states, or 21 I guess, because California followed a different path, and pushed their weak model with the hopes of getting exactly to this moment — coming to Congress and saying this is the consensus in the states, please pass this at the federal level, and preempt states from doing anything for all of time on privacy,” she said. “Those state laws are far too weak to adequately protect privacy, and Congress should not be emulating that model.”

Electronic Frontier Foundation Senior Staff Attorney Mario Trujillo told StateScoop that the U.S. has needed a strong, comprehensive privacy law for about a decade. And while the laws states passed to fill in that gap are imperfect, even the weak ones are stronger than what’s on the table federally.

“When you’re trying to make a decision on if we should have a federal law that preempts all state laws, you have to ask … ‘how strong is the federal law?”’ she said. “And if the federal law is weaker than the state privacy laws, you have to ask yourself, ‘what is the federal privacy law doing?”’