Analysis
America needs a strong privacy law. The SECURE Data Act isn’t it.
May 4, 2026
Everyone, including leaders in Congress, agrees that we need a federal privacy law in the United States. But a privacy law is only as good as the protections it offers. We need strong protections now more than ever, as surveillance systems have been embedded into the websites and apps that we (and our kids) use every day; even our household appliances and cars can collect our data now. That is why federal privacy legislation must limit the collection and use of our personal data and set rules that respect our human right to privacy. A privacy law must also limit harmful discrimination and targeting and support the beneficial evolution of the technologies and systems we rely on in our everyday lives.
EPIC has been calling on Congress to pass a strong federal privacy law for almost 30 years now. And we have seen bipartisan support for strong protections in the past. Unfortunately, the bill recently released by majority leadership in the House Energy & Commerce, the SECURE Data Act, is worse than any privacy law we have evaluated. The SECURE Act not only fails to meet the standards set in the states with the weakest laws, it would also eliminate stronger protections in other states and shut down long-standing privacy protections across the country.
The SECURE Data Act allows data collection and abuse to continue uninterrupted
The SECURE Data Act continues the failed model of allowing businesses to collect and use data for any reason they want as long as they disclose that practice in their privacy policies—policies that very few consumers read or understand and that they do not have the power to change even if they did. This bill would not only permit the status quo of massive data overcollection and sale to continue uninterrupted, it would affirmatively endorse it and prevent states from investigating those harmful practices under existing laws.
Companies should not be allowed to determine for themselves what the permissible purposes of collecting and using our personal data are – we have seen the awful results of that system over the last two decades. The SECURE Data Act would set Big Tech’s harmful and extractive business model in stone. Section 3(a) reads:
A controller shall limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to each purpose for which the data is processed, as disclosed to the consumer.
This reinforces the failed status quo of “notice and choice” — businesses can list any purpose they choose in their privacy policies, knowing that very few consumers will read them. In fact, it incentivizes companies to list as many purposes as possible, and describe them as broadly as possible, to cover every conceivable reason they would ever want to collect your data. And the only “choice” the consumer has is to not use the service at all. Those are not privacy policies, they are disclaimers.
The Connecticut Attorney General has called the similar rule in the Connecticut Data Privacy Act an “exploitable standard.” In his 2024 Enforcement Report, the AG said:
Unfortunately, the CTDPA’s current notice-and-consent model sets an exploitable standard— businesses can seek to justify unnecessary data collection by deeming such collection “adequate, relevant and reasonably necessary” to the purposes disclosed to consumers. This standard contravenes data minimization principles outright— it allows businesses to collect data they simply do not need so long as it is disclosed in privacy notices that are often bulky, confusing, or worse, misleading.
The AG called on the Legislature to amend Connecticut’s law to mirror Maryland’s law, which limits collection to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. Further, the AG called on the Legislature to limit the collection and processing of sensitive data to only when strictly necessary to provide or maintain a specific product or service requested by the consumer. Maryland’s data minimization standard was based on language from previous bipartisan federal bills such as the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA).
Perhaps the most stunning failure of the SECURE Data Act is its rules of construction and exemptions, which make even the extremely permissive rules described in this section inapplicable in many contexts.
The SECURE Data Act ignores the trend in the states toward stronger protections for sensitive data
Americans’ sensitive personal information should not be sold to the highest bidder, something that most big tech companies already recognize, as many of them already disclose in their privacy policies that they do not sell or use sensitive personal data for targeted advertising purposes.
The SECURE Data Act allows companies to collect, use, and sell Americans’ sensitive data as long as they obtain consent. Opt-in consent does not adequately protect Americans online. Strict limits on the collection and use of sensitive data to what is strictly necessary for the product or service requested by the consumer, paired with a prohibition on the sale of sensitive data, allow companies to collect and use sensitive data for legitimate business purposes while eliminating the harmful practices that serve only to increase profits rather than to benefit consumers. Under the SECURE Data Act, companies aren’t required to separate their request for consent for necessary processing (e.g. data collection) from unnecessary processing (e.g. data sales), so consumers will still be presented with take-it-or-leave-it choices.
The futility of this exploitable standard recently became very apparent to many Americans when TikTok’s transfer to a U.S. entity prompted a new pop-up notice for TikTok users in January. Upon opening the app, users were presented with a notice that TikTok was updating its Terms of Service and Privacy Policy to reflect changes including “new types of location information (including device geolocation) we may collect from you, with your permission” as well as changes to advertising practices. There was no “disagree” button—instead users had to agree or simply delete the app. That’s not a real choice, particularly for other apps that may be required for work, school, or other life necessities.
Moving toward more protective standards for sensitive data is a clear trend among states, with Maryland, Oregon, and Virginia recently banning some (or in Maryland’s case, all) categories of sensitive information from being sold. A similar proposal to ban the sale of precise geolocation in Connecticut, led by the original sponsor of Connecticut’s comprehensive privacy law, passed the Senate this week. The SECURE Data Act strips residents of those states of the protections they already enjoy and allows companies to continue selling our most sensitive personal information for profit.
The SECURE Data Act fails to require recognition of universal opt-out signals
Twelve states (CA, MD, CO, NJ, MN, OR, DE, CT, TX, NH, MT, NE) require companies to honor universal opt-out mechanisms (UOOM), which allow consumers to use a one-click setting in their browser to send a signal to any website they visit that they want to opt out of targeted advertising and the sale of their personal data. Without UOOMs, consumers must click a link on every individual website they visit to indicate their desire not to be tracked – a tedious task that most Americans are not going to bother with.
The technology for UOOMs already exists. Over 80 million Americans live in a state where they can use this consumer-friendly tool to protect their privacy – and companies are required to honor it. If companies are not required to recognize UOOMs, they will ignore them – it is in their financial interest to do so because they can then monetize more personal data about the consumer. The SECURE Data Act does not require companies to honor UOOMs and instead gives the Secretary of Commerce three years to issue a report about whether this tool — that already exists and is in widespread use — is feasible.
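As an added illustration (not part of EPIC’s analysis), this is how a website honors the one-click browser signal described above on the server side, using Global Privacy Control (GPC), one deployed universal opt-out mechanism: GPC-enabled browsers send the request header `Sec-GPC: 1`, and a site declares support at `/.well-known/gpc.json`. The sample requests and the rule for resolving a signal against a stored preference are constructed for this example.

```python
# Added example: honoring a universal opt-out signal (GPC) server-side.
# GPC browsers send "Sec-GPC: 1"; sites advertise support at
# /.well-known/gpc.json. Sample requests below are constructed.
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OptOutState:
    sale: bool            # consumer has opted out of sale of personal data
    targeted_ads: bool    # consumer has opted out of targeted advertising
    source: str           # where the decision came from, for audit logging


def gpc_signal_present(headers: dict) -> bool:
    """True if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive; "1" is the only value that means
    opt-out, so any other value is treated as no signal at all.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: dict, stored: Optional[OptOutState] = None) -> OptOutState:
    """Combine the browser signal with any preference the site has on file.

    Rule chosen for this example: a valid signal is honored as an opt-out
    from both sale and targeted advertising even if the stored record says
    the consumer opted in earlier, because the signal is the most recent
    expression of intent the site has seen. Without a signal, the stored
    record (or the default of "not opted out") applies.
    """
    if gpc_signal_present(headers):
        return OptOutState(sale=True, targeted_ads=True, source="gpc-header")
    if stored is not None:
        return stored
    return OptOutState(sale=False, targeted_ads=False, source="default")


def may_sell_or_target(headers: dict, stored: Optional[OptOutState] = None) -> bool:
    """Gate for the ad-tech / data-sale code path: False means do not proceed."""
    state = resolve_opt_out(headers, stored)
    return not (state.sale or state.targeted_ads)


def gpc_support_document(last_update: str) -> str:
    """Body served at /.well-known/gpc.json to advertise that GPC is honored."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


# Constructed sample requests: one from a browser with the one-click setting
# enabled, one without, and one with a malformed value that must be ignored.
SAMPLE_REQUESTS = {
    "opted_out": {"Host": "example.com", "Sec-GPC": "1"},
    "no_signal": {"Host": "example.com"},
    "malformed": {"Host": "example.com", "sec-gpc": "yes"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(label, resolve_opt_out(hdrs))
```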
The SECURE Data Act guts state protections for minors online, and its protections for minors are practically unworkable
In any of the 21 states with a privacy law, children and teens have the right to access, delete, or correct their own personal data and to opt out of targeted advertising, the sale of their personal data, or profiling, just as adult consumers do. The SECURE Data Act would strip them of these rights by allowing only parents to exercise these rights on their behalf.
The bill would also require companies to obtain verified parental consent before processing the personal data of teens, which is practically unworkable. This requirement would mean that every time a company wants to collect, use, store, delete, disclose, or modify a teen’s personal data, they would need to obtain parental consent before doing so. This standard would make it nearly impossible for teens to use the internet and would inundate parents with constant pop-ups that they will never have the time or energy to actually read. This is not a meaningful privacy protection.
The SECURE Data Act would also preempt dozens of additional state laws aimed at protecting minors online. These state-level legislative models include laws that regulate harmful platform design like age-appropriate design codes and laws that restrict access to certain harmful design features like addictive feeds or push notifications. States have also enacted laws that age gate or require parental access to certain content or platforms like social media. We include a list of these laws below.
The SECURE Act has weak enforcement mechanisms
Robust enforcement is critical to effective privacy protection. Strong enforcement by both federal agencies and state government via Attorney General authority is an essential component of a strong privacy law.
However, while government enforcement is essential, the scope of data collection online is simply too vast for one entity—or even 50 entities—to regulate. Individuals and groups of individuals who use online services are in a good position to identify privacy issues and bring actions to vindicate their interests. A private right of action ensures that businesses have strong financial incentives to comply with privacy laws. We have seen evidence of this in Illinois, where a biometric privacy law passed in 2008 includes a private right of action. Lawsuits under that law have led to changes to harmful business practices, such as forcing facial recognition company Clearview AI to stop selling its face surveillance system to private companies. In contrast, in states where Attorneys General have sole enforcement authority, we have seen little enforcement of (and compliance with) privacy laws.
Many privacy laws include a private right of action, and these provisions have historically made it possible to hold companies accountable for their privacy violations. Consumers have had the right to vindicate their consumer rights in court under state consumer protection statutes for decades. And federal privacy laws have historically contained a private right of action.
For example, when Congress passed the Cable Communications Policy Act in 1984, it established privacy rights for cable subscribers and created a private right of action for recovery of actual damages, but not less than liquidated damages of $100 per day of violation or $1,000, whichever is higher. The Video Privacy Protection Act specifies liquidated damages of $2,500. The Fair Credit Reporting Act affords individuals a private right of action that can be pursued in federal or state court against credit reporting agencies, users of credit reports, and furnishers. In certain circumstances, individuals can also recover attorney’s fees, court costs, and punitive damages. The Driver’s Privacy Protection Act similarly includes a private right of action. The Telephone Consumer Protection Act allows individuals who receive unsolicited telemarketing calls to recover actual monetary loss or up to $500 in damages per violation.
There is no reason privacy violations should be treated differently than other violations of consumer rights.
Previous bipartisan privacy proposals, such as the American Data Privacy and Protection Act and the American Privacy Rights Act, proposed a compromise version of a private right of action that allowed for injunctive relief so that consumers could force companies to stop violating the law, but did not allow for statutory damages. The SECURE Act fails to even include this bare minimum protection for consumers. In a bill full of gifts to Big Tech, its weak enforcement mechanisms may be the biggest gift of all. For the most powerful companies in the world, a law without meaningful enforcement is merely a suggestion.
The SECURE Act would wipe out decades worth of state privacy laws across the country
The SECURE Act contains an extraordinarily broad preemption provision. Section 15 states:
No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.
A 2025 Congressional Research Service report on “Preemption & Privacy Law” describes “relating to” preemption as follows:
Express preemption clauses often use terms with settled judicial interpretations. For example, some federal laws expressly preempt state laws that are “related to” a specific subject matter. The Supreme Court has characterized these “related to” provisions as “deliberately expansive” and “conspicuous for [their] breadth.” “Related to” provisions generally displace state laws that have “a connection with” or contain a “reference to” the matter of federal concern. The Supreme Court has cautioned, however, that “related to” preemption provisions might not preempt state laws with “tenuous, remote, or peripheral” effects on the matter of federal concern.
The CRS report goes on to describe other terms Congress could use to limit the scope of a preemption clause, but the drafters of the SECURE Act chose the most expansive option. This choice means that the SECURE Act would wipe out a huge range of privacy, security, online safety, and civil rights laws (some of which have been on the books for decades) without providing any meaningful protections for Americans.
The following is a representative list of state laws that would be preempted by the SECURE Data Act’s broad preemption provision. It is not a comprehensive list – there are likely dozens more state laws that could be gutted by the SECURE Data Act.
- Comprehensive privacy laws in 21 states:
  - Alabama, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia
- Invasion of privacy laws (statutory and torts, all 50 states) including:
  - Intrusion Upon Seclusion – common law rights where exercised w/r/t personal information online (states adopting 2d Restatement of Torts include Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Minnesota, Mississippi, Missouri, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia)
  - Eavesdropping and electronic surveillance statutes in nearly all states (Vermont does not have an eavesdropping statute and the Connecticut statute does not cover electronic comms)
- Laws aimed at protecting minors online:
  - Age-Appropriate Design Codes in 5 states:
    - California, Maryland, Nebraska, South Carolina, Vermont
  - Arkansas Children and Teens’ Online Privacy Protection Act
  - California Protecting our Kids from Social Media Act
  - Connecticut SB3 (amending the CT Data Privacy Act)
  - Colorado Privacy Protections for Children’s Online Data (amending the CO Data Privacy Act)
  - Georgia Protecting Georgia’s Children on Social Media Act of 2024
  - Louisiana Secure Online Child Interaction and Age Limitation Act
  - Louisiana Protection of Children’s Internet Data
  - Mississippi Walker Montgomery Protecting Children Online Act
  - New York SAFE for Kids Act
  - New York Child Data Protection Act
  - Texas Securing Children Online through Parental Empowerment (SCOPE) Act
  - Utah Minor Protection in Social Media Act
  - Laws requiring age assurance to access social media:
    - Arkansas Social Media Safety Act
    - Florida Online Protections for Minors
    - Georgia Protecting Georgia’s Children on Social Media Act
    - Nebraska LB383 Parental Rights in Social Media Act
    - Tennessee Protecting Children from Social Media Act
    - Texas SCOPE Act
    - Virginia’s social media age verification law
    - Utah Social Media Regulation Act
  - Laws requiring device-based filters for harmful content:
    - Alabama Act 2025-406
    - Utah Children’s Device Protection Act (Laws 2024, Ch. 166)
  - Laws requiring age assurance to access “harmful” material that can be proscribed for kids (e.g., porn) in 25 states:
    - Alabama, Arizona, Arkansas, Florida, Idaho, Indiana, Kansas, Kentucky, Louisiana, Mississippi, Missouri, Montana, Nebraska, North Carolina, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, West Virginia, Wyoming
  - App store accountability laws in 4 states:
    - Texas, Utah, Louisiana, and Alabama
  - Device/operating system age assurance:
    - California Digital Age Assurance Act
- Health data and genetic privacy laws:
  - Washington My Health My Data Act
  - Nevada’s Health Data Privacy Act
  - Genetic privacy laws in 11 states:
    - Texas, Florida, Montana, Tennessee, Virginia, Arizona, Kentucky, Maryland, Utah, Wyoming, Alaska
- Biometric privacy laws:
  - Texas Capture or Use of Biometric Identifier Act
  - Illinois Biometric Information Privacy Act
- Robocalls/scams:
  - Arizona Do-Not-Call
  - Connecticut Telemarketing Law
  - Florida Telephone Solicitation Act
  - Georgia Telemarketing law
  - Maryland Stop the Spam Calls Act of 2023
  - Mississippi Telephone Solicitation law
  - New Jersey Telemarketing law
  - New York Telemarketing law
  - Oklahoma Telephone Solicitation Act
  - Texas Telemarketing law
  - Tennessee Telephone Solicitation law
  - Virginia Telephone Privacy Protection Act
  - Washington Robocall Scam Protection Act
- ISP privacy:
  - Maine ISP privacy law
- Data broker laws:
  - Data broker registry laws in 4 states (California, Texas, Vermont, Oregon)
  - California DELETE Act
  - California Opt Me Out Act
- Data security laws:
  - At least 25 states have statutes requiring reasonable data security procedures and practices.
  - Massachusetts data security law (Chapter 93H)
  - Nevada Security and Privacy of Personal Information law
- Data breach notification laws in all 50 states
- Laws governing automated decision-making systems:
  - Colorado AI Act
  - California’s ADMT regulations
- Civil rights laws as applied in cases where personal information is used to facilitate unlawful discrimination
- Laws prohibiting non-consensual distribution of intimate images in all 50 states
- Cybercrime / hacking laws:
  - Virginia Computer Invasion of Privacy §18.2-152.5
- Unfair and deceptive trade practices – enforcement actions related to privacy and data abuses
The SECURE Data Act also eliminates some of the few federal privacy protections that Americans currently enjoy, including the Video Privacy Protection Act that protects the privacy of our viewing habits.
The SECURE Act is a disaster for Americans
The combination of minimal consumer protections, weak enforcement, and insanely expansive preemption of state laws makes the SECURE Act a disaster for Americans’ privacy. A weak federal privacy law is worse than no privacy law at all. EPIC is disappointed that House Energy and Commerce Republicans have released a privacy bill that would empower Big Tech to track everything we do online and sell our data to the highest bidder.
Congress should build on the bipartisan federal bill from last session and on state laws that actually protect Americans online. EPIC has published multiple reports explaining how laws like the SECURE Data Act fail at protecting our privacy. And Big Tech has made it very clear that a weak national standard is their top priority.
The SECURE Act would be a huge gift to Big Tech and would take away privacy protections from millions of Americans across the country. Any member of Congress who cares about protecting Americans online should oppose the SECURE Data Act. This legislation is not a serious effort at tackling the urgent privacy crisis facing this country.