Congress Wants One Privacy Law to Replace All 20 State Laws—The ACLU Says It's a Privacy Bill in Name Only

What the Bill Does

The SECURE Data Act is the product of 14 months of work by a Republican only Privacy Working Group within the House Energy and Commerce Committee. It is paired with a companion bill, the GUARD Financial Data Act, covering financial services companies. Together they would create a single national standard for how companies collect, process, and share personal data.

On paper the consumer rights look familiar: access your data, correct inaccuracies, request deletion, opt out of targeted advertising, and opt out of the sale of your personal information. The bill also requires data minimization, limiting collection to what is "adequate, relevant, and reasonably necessary" for the stated purpose. Sensitive data, including biometric identifiers, precise geolocation, and health information, requires opt in consent before processing.

The bill also creates an FTC managed data broker registry that would let consumers search for and opt out of data brokers in one place, and it treats teen data as sensitive, requiring opt in consent for anyone under 17.

What the Bill Takes Away

The most significant provision is not what the bill adds but what it removes. The SECURE Data Act would preempt at least 20 state privacy laws, including California's CCPA, Colorado's CPA, Connecticut's CTDPA, and every other comprehensive state privacy statute currently in effect. Any state law that "relates to" the bill's provisions would be superseded by the federal standard.

Several of those state laws are stronger than the federal bill in specific areas. California's CCPA gives consumers a private right of action for data breaches and has established enforcement precedents through the California Privacy Protection Agency. Connecticut's law protects neural data. Montana's recently strengthened law allows enforcement without a cure period. All of those protections would be replaced by the federal floor.

No Right to Sue

The SECURE Data Act does not include a private right of action. If a company collects your data in violation of the law, ignores your deletion request, or sells your information after you opt out, you cannot take them to court. Your only recourse is to file a complaint with the FTC and hope they prioritize your case among the thousands they receive.

This is a step backward from both the existing California law and the American Privacy Rights Act, the previous bipartisan privacy bill that died in the last Congress. The ADPRA included a private right of action that would have allowed consumers to sue for violations starting in 2027. That provision is gone entirely in the SECURE Data Act.

Without a private right of action, enforcement depends entirely on the FTC's willingness and capacity to pursue cases. The FTC is a small agency with a broad mandate, and its enforcement priorities shift with each administration. A federal privacy law without a private right of action is a law that only works when the government decides it should.

The AI Training Loophole

The bill exempts data collected for "product improvement activities" from its data minimization requirements. In 2026, that category covers AI model training. A company that collects your behavioral data, purchasing patterns, or browsing history can argue that feeding it to a machine learning model counts as product improvement, sidestepping the requirement to limit data collection to what is "reasonably necessary."

The bill also exempts data collected when users request services and data governed by existing contracts. Combined with the product improvement exemption, these carve outs create broad pathways for companies to continue collecting data at current volumes while technically complying with the law.

What Privacy Advocates Are Saying

Eric Null of the Center for Democracy and Technology argues that the protections are substantially weakened compared to both existing state laws and the prior federal proposal. The bill's definition of health data excludes period tracking apps and non-diagnostic health information. It does not protect consumer communications or financial data held by non-financial entities. And the "adequate, relevant, and reasonably necessary" standard is vague enough that most current data practices could be justified under it.

Cody Venzke of the ACLU was more blunt, calling it "a 'privacy' bill in name only" that "burdens individuals while denying court access." The ACLU's position is that a federal bill that preempts state laws while offering weaker protections and no enforcement mechanism is worse than having no federal law at all.

Industry groups have been more supportive, arguing that a patchwork of 20 different state laws creates compliance burdens for companies operating nationally. The bill's supporters frame preemption as simplification, not weakening.

How This Affects Email Privacy

Several existing state privacy laws have been used to challenge email tracking practices. California's CCPA has supported enforcement actions against companies that collect data through email interactions without proper disclosure. The CIPA wiretap framework has been used in lawsuits against companies embedding tracking pixels in marketing emails without consent.

If the SECURE Data Act passes with its current preemption language, those state level legal theories may no longer be available. The federal bill's opt out mechanism for targeted advertising could theoretically cover email tracking, but without a private right of action, enforcing that opt out depends on a consumer's ability to get the FTC interested in their specific complaint.

What Happens Next

The SECURE Data Act still needs to pass the House Energy and Commerce Committee, survive a full House vote, and then get through the Senate, where previous privacy bills have stalled. The bill's lack of bipartisan support, it was drafted by a Republican only working group, makes Senate passage unlikely without significant amendments.

But even if this specific bill does not become law, the preemption debate is now on the table for the rest of this Congress. Any future federal privacy bill will face the same fundamental question: should a national standard replace state laws that are, in many cases, already stronger? The answer to that question will determine whether the 20 state privacy laws that currently protect more than 150 million Americans survive or get overwritten by a law that privacy advocates say protects no one.