Why the SECURE Data Act Fails to Deliver Genuine Consumer Privacy

Introduction

Despite its promising name, the SECURE Data Act introduced by House Republicans last month is far from a robust privacy law. Critics argue that the legislation would actually weaken existing protections, particularly by overriding stronger state laws and omitting essential consumer safeguards. This article examines the bill's major shortcomings and what they mean for everyday users.

Core Flaws in Consumer Protections

The bill grants consumers standard rights—such as access, correction, deletion, and limited portability—but these are now considered basic rather than advanced. More troubling is the bill's failure to address the real driver of data exploitation: online behavioral advertising. Instead of banning this practice, the bill merely allows consumers to opt out, placing the burden on individuals.

Other deficiencies include weak opt-out defaults that require proactive action, inadequate data minimization rules, and large definitional loopholes that exempt many companies. Perhaps most critically, the bill does not include a private right of action, meaning consumers cannot sue companies for violations. This leaves enforcement solely to the Federal Trade Commission, which has limited resources.

No Private Right of Action

Without the ability to sue, companies face little deterrent against misuse. State laws like those in California provide citizens with direct legal recourse, but this federal bill would preempt those stronger protections.

Preemption: A Retreat from State Progress

Section 15 of the SECURE Data Act would preempt any state law that "relates to the provisions of this Act". This sweeping language could nullify 21 state consumer privacy laws enacted in recent years, along with dozens of other regulations. Historically, federal privacy laws (e.g., HIPAA, VPPA) have allowed states to build upon a federal floor, but this bill turns that model upside down.

Impact on Existing State Laws

For example, California requires data brokers to maintain a deletion tool and mandates that companies honor automatic opt-out signals (such as those in the EFF's Privacy Badger). Under the SECURE Data Act, these state-level innovations would be wiped out, leaving consumers with a weaker national standard.

Limited Opt-Out and Consent Provisions

The bill does require affirmative consent before processing sensitive data (e.g., health, biometrics) or using personal data for a previously undisclosed purpose. However, for other invasive activities—targeted third-party advertising, sale of data, and profiling with legal or employment effects—consumers must opt out to stop them. This passive model means companies can continue collecting and using data until a user takes action, which many may not know how to do.

Additionally, the bill mandates that data brokers (those earning at least 50% of profits from selling personal data) register in a public FTC database. While a positive step, it does not address the core problem of data overcollection.

Conclusion

The SECURE Data Act presents itself as a federal solution, but its provisions would likely set back consumer privacy by overriding stronger state laws, omitting a private right of action, and failing to curb behavioral advertising. Unless significant changes are made, the act would be a step backward for everyone seeking meaningful data protection.