Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 25, 2026 · 5 min read

SECURE Data Act 2026: What Federal Preemption Means for CCPA

In 2026, Congress made another attempt at a federal privacy law — this time with two coordinated bills: the Senate's Consumer Data Privacy and Security Act (S.4211) and the House's SECURE Data Act (HR 8413). Both would create national consumer rights. Both would also preempt every state privacy law, including California's CCPA, replacing stronger state protections with a federal standard critics describe as weaker.

Key Takeaways

  • The SECURE Data Act (HR 8413) and S.4211 are companion federal privacy bills introduced in spring 2026 and currently moving through committee.
  • Both bills would create national rights: access, correction, deletion, portability, and opt-out from targeted advertising and data sales.
  • The preemption clause is the most contested provision — it would eliminate CCPA and all state privacy laws, replacing them with a federal ceiling states cannot exceed.
  • Neither bill contains a private right of action for consumers; enforcement would rest with the FTC and state attorneys general.
United States Capitol building at dusk with digital network overlays representing federal privacy legislation debate

What Are These Bills?

S.4211, the Consumer Data Privacy and Security Act, was introduced in the Senate on March 25, 2026, by Senator Jerry Moran. HR 8413, the SECURE Data Act, was introduced in the House on April 22, 2026, by Representative John Joyce. The two bills are coordinated efforts to establish a single national framework for consumer data privacy, ending the patchwork of state laws that companies currently must navigate.

Both bills are still in committee as of June 2026 and have not passed. The United States has tried and failed to pass a comprehensive federal privacy law many times — most recently with the American Data Privacy and Protection Act (ADPPA) in 2022, which cleared committee but died on the floor. The SECURE Data Act and S.4211 represent the latest attempt in a cycle that has repeated for more than a decade.

What Rights Would the Bills Create?

The SECURE Data Act and S.4211 would establish a national set of consumer rights over personal data:

  • Access: The right to know what personal data a company holds about you.
  • Correction: The right to correct inaccurate information in your file.
  • Deletion: The right to request that companies delete your personal data.
  • Portability: The right to receive your data in a usable format and transfer it to another service.
  • Opt-out from targeted advertising and data sales: The right to direct companies not to sell your data or use it for targeted advertising.

Data belonging to people under 16 would receive enhanced protection, requiring opt-in consent with verified parental approval rather than just opt-out. Companies handling data would be categorized as controllers or processors, with distinct legal responsibilities for each. Data brokers would be required to register with the Federal Trade Commission.

Why Is Preemption the Core Controversy?

Federal preemption means the federal law becomes the ceiling, not the floor. States could no longer pass privacy laws that are stronger than the federal standard. This is the provision that has broken earlier federal privacy bills and is expected to generate the same conflict in 2026.

The practical impact would be significant. California's CCPA is the strongest state privacy law in the US, covering businesses that meet lower revenue thresholds, granting stronger rights, and creating a private right of action for consumers in data breach cases. If the SECURE Data Act passes with full preemption, California cannot exceed its protections. The same applies to Illinois, Texas, Virginia, Colorado, and the 15 other states that have comprehensive privacy laws in effect.

Critics from privacy advocacy groups note that the SECURE Data Act most closely mirrors Virginia and Kentucky's state privacy laws — among the weakest in the country — rather than California's model. The Electronic Frontier Foundation and other organizations have argued that a federal law that preempts CCPA is worse than no federal law at all for California residents. For businesses, a single national standard is appealing because it eliminates the compliance overhead of managing 20 different state requirements.

What Is Missing From These Bills?

Privacy analysts have identified several significant gaps. Neither bill requires privacy impact assessments before companies deploy high-risk data practices. Neither mandates a universal opt-out mechanism — the technology-standardized signal that some state laws already require, letting users broadcast a single preference to all websites rather than opting out platform by platform. Both bills are silent on artificial intelligence risks, a notable omission given that generative AI privacy concerns are the dominant policy conversation in 2026.

The absence of a private right of action is a structural limitation. Without the ability for individual consumers to sue companies that violate their rights, enforcement depends entirely on the FTC's limited bandwidth and state attorney general capacity. Critics note that the FTC has historically been slow to pursue consumer privacy cases under its existing authority, and there is no reason to expect additional resources to come with this bill.

What Should Compliance and Privacy Teams Do Now?

These bills are not law and may not become law. The ADPPA failed in 2022 despite bipartisan support and full committee approval; there is no guarantee the current bills fare better. Compliance teams should track their progress but not restructure programs around legislation that may not pass in its current form.

If one of these bills does pass with broad preemption, the compliance picture simplifies in some ways — one national standard instead of 20 state frameworks — but the net result for consumer protection could be negative if the federal floor is set lower than existing state laws. The correct response is to build privacy programs around the strongest applicable current law (CCPA for businesses serving California residents) and monitor federal developments as a potential shift that could reduce rather than increase the compliance bar.

For the current state of regulations already in effect, see our overview of 3 state privacy laws taking effect July 1, 2026 and the broader GDPR enforcement trends through 2026.

Sources: S.4211 — Consumer Data Privacy and Security Act, Osano — SECURE Data Act analysis, IAPP — SECURE Data Act analysis.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.