House Republicans introduced the SECURE Data Act on April 21, 2026 - a sweeping federal privacy bill that would eliminate every state-level consumer privacy law in the United States through broad federal preemption. If enacted, the legislation would instantly void California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, and the privacy frameworks of roughly 20 other states, replacing them with a single federal standard enforced exclusively by the FTC and state attorneys general - with no right for individual citizens to sue.
What Is the SECURE Data Act
The "Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act" was introduced by Representative Joyce of Pennsylvania on behalf of House Republicans. On paper, the bill grants consumers five core rights: access to their personal data, correction of inaccurate records, deletion of data, portability of data in a usable format, and the ability to opt out of targeted advertising and data sales. It also imposes data minimization requirements and mandates consent for processing sensitive categories of personal information. A new FTC-administered registry for data brokers is included.
The bill applies to entities that handle data for 200,000 or more consumers annually and have revenues of $25 million or more, or to smaller entities where at least 25% of revenue comes from selling personal data. This $25 million threshold is notably lower than the $40 million floor proposed in APRA, meaning the SECURE Data Act would technically cover more small businesses - though in practice, critics argue its weaker substantive protections offset this broader scope.
The Preemption Problem: 20 States Lose Their Privacy Laws
The most consequential and controversial element of the SECURE Data Act is its preemption clause. The bill would void any state law or provision that "relates to" its subject matter. This is intentionally broad language - broad enough to eliminate not just dedicated consumer privacy statutes like the CCPA, but potentially state data broker registries, biometric privacy laws, and certain sectoral regulations as well.
California's CCPA and its stronger successor the CPRA represent the gold standard of US consumer privacy law. They give California residents the right to know what data companies collect, the right to delete it, the right to opt out of its sale, and critically, a private right of action for certain data security failures. The SECURE Data Act would strip all of that away, replacing California's protections with a weaker federal floor and removing citizens' ability to independently enforce their rights through litigation.
For privacy advocates, federal preemption in this form represents a step backward, not forward. The argument for a federal standard is consistency for businesses operating across state lines - but that logic only holds if the federal standard is at least as protective as the strongest state laws. The SECURE Data Act is not. It is designed to reduce the compliance burden on large technology companies and data brokers, not to strengthen individual privacy rights.
No Private Right of Action: The Enforcement Gap
Under the SECURE Data Act, enforcement authority rests entirely with the FTC and state attorneys general. There is no private right of action - meaning a US citizen whose data rights are violated cannot file a lawsuit against the company responsible. This is a deliberate choice by Republican drafters and mirrors the approach taken in previous federal privacy proposals like APRA.
The practical effect of removing private litigation as an enforcement mechanism is significant. The FTC is chronically underfunded relative to the scale of the data economy it would be tasked with policing. State attorneys general have limited resources and must prioritize the most egregious cases. Without the threat of class action lawsuits brought by citizens directly, companies face far lower financial risk for privacy violations - and the incentive structure for compliance weakens accordingly.
What This Means for Your Digital Privacy
If the SECURE Data Act passes in its current form, Americans in states that currently have strong privacy protections would find themselves with fewer enforceable rights and fewer legal remedies when those rights are violated. The bill's opt-out model for targeted advertising - where your data is collected by default and you must actively request exclusion - is weaker than the opt-in consent regimes some states have begun exploring.
From a practical privacy perspective, this legislative push underscores a reality that VPN users already understand: legal frameworks are one layer of privacy protection, but they are not the only one, and they are not permanent. A VPN encrypts your internet traffic and masks your browsing activity from your ISP, preventing the data collection at the network level that privacy laws attempt to regulate after the fact. As federal privacy legislation tilts toward weaker standards under industry pressure, network-level privacy tools become increasingly important as a baseline defense.
The bill must still pass through committee and both chambers of Congress. It faces opposition from digital rights organizations and states that have invested heavily in their own privacy frameworks. California in particular is unlikely to accept federal preemption of the CCPA without a significant political fight.
