The House Energy and Commerce Committee has released text of their federal data privacy framework. This bill avoids the mistakes of past attempts at a federal privacy framework while providing one standard for interstate commerce.

A federal data privacy standard is badly needed. Congress’s failure to pass one has led states to pass their own data privacy laws governing websites, ISPs, and online data brokers. Some of these are bad ideas, like Maine’s law imposing liability on ISPs rather than websites who actually collect user data.

But many served as workable solutions that balanced user privacy without opening the flood gates to vexatious litigation that would crush private sector innovation. Some of these state laws, including those in Texas, Tennessee, and Colorado, inspired the basic provisions of the SECURE Data Act.

The benefit of states taking the lead was that it allowed Congress to see what worked and what didn’t as they built a federal package. The drawback is that user data routinely crosses state lines, making data privacy a matter of interstate commerce. Compliance with a patchwork of state laws is extremely difficult and costly: If all 50 states move forward with their own privacy laws, it could cost the American economy over $1 trillion in the next decade, with $200 billion of that burden falling on small businesses. 

For this reason, ATR has long supported a federal data privacy standard that preempts state laws. But previous attempts fell short with halfhearted preemption or giveaways to special interests.

ATR opposed the American Privacy Rights Act in 2024, for example, because it failed to fully preempt state laws. It set a floor, not a ceiling, on data privacy regulation, which is even worse than a patchwork because states can layer new regulations on top of old. A federal ceiling, by contrast, ensures that everyone operates under the same rules and commerce can smoothly run between states.

The SECURE Data Act’s preemption language is short and to the point:

No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force
and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.

There is no wiggle room for states to complicate compliance with consumer protection.

Trial lawyers are not empowered. Previous bills, like APRA and the American Data Privacy and Protection Act, both contained expansive private rights of action to sue companies for mishandling data. This would have buried every industry, from banking and finance to healthcare, that stores personal data in an avalanche of frivolous lawsuits. Many of these would have little merit but would be less expensive for companies to settle than to fight, which only invites more lawsuits for more cash settlements.

The SECURE Data Act includes no private right of action and relies on federal regulators to enforce its provisions.

There is no new rulemaking. Federal agencies are not empowered by this bill to develop the particulars of legislation. It is specific in the rules it sets out and defers none of the decisions to political appointees that can change the rules back and forth as regulators come and go. Stability from permanent law is a better system than empowering bureaucrats to act for Congress.

The most that the Secretary of Commerce would be allowed to do is to accept or reject a voluntary code of conduct developed by industry. This would be a set of best practices that, once approved by the Commerce Department, would grant any company that complies with it a presumptive rebuttal against claims by consumers. That is, as long as companies comply with the voluntary framework, they will have an easier time in court. If they do not comply, which they are free to do, they can be more easily sued. This incentives-based system is preferable to one based on unaccountable regulation by government lawyers.

And this bill is pro-consumer. The argument that a federal framework codifying consumer privacy protections harms the public assumes that any collection of any data, at any time, for any reason, is necessarily harmful.

This simply is not true. The entire internet economy depends on advertising, and advertisers pay for placement on sites that attracts the kinds of customers they want to reach. This is how many websites are able to provide their services free-of-charge to consumers. Banks, too, need to collect data to assess creditworthiness while making loans or approving credit cards. There are good reasons to collect data, and they should be allowed under any federal framework.

What the SECURE Data Act does do is allow consumers to opt-out of allowing their data to be sold to data brokers by websites. It also empowers parents by requiring affirmative consent for the collection of data from children. These are real data privacy protections, and the SECURE Data Act provides them without enriching trial lawyers, empowering bureaucrats, or inviting states to complicate the system with more rules.