05/26/2026 | Press release | Distributed by Public on 05/26/2026 20:13
In March 2025, 23andMe filed for bankruptcy with the genetic profiles of roughly fifteen million Americans on its books - a deeply personal data set, generated voluntarily, stored under terms of use often agreed to without reading. The bankruptcy raised a question that had no clean answer in any privacy law currently on the books: what happens to that data when the company holding it is for sale to the highest bidder under the federal bankruptcy code? State privacy regulators in California and several other states issued guidance and warnings. But state privacy law was built to govern operating companies. The asset transfers that move databases between entities, jurisdictions, and corporate structures sit largely outside its reach.
That is one example of a broader pattern. While strong state privacy laws have made meaningful progress in many areas, the gaps they cannot fill are not at the margins of the data economy, but at its structural core: cross-state data flows, sectoral and entity-level boundaries no single state regulator can patrol, and harms that materialize through chains of legal transactions where states cannot compel disclosure. Federal privacy law is not a luxury, nor should it be written off because of industry preference. It is the only level of law that can address the actual structure of the modern data economy.
The SECURE Data Act, H.R. 8413, the latest attempt to write that federal baseline, is built on ground that should be familiar to anyone who has watched the state privacy landscape over the last six years. Twenty-one states have now enacted comprehensive consumer privacy laws. Those laws were passed by legislatures of both parties, signed by governors of both parties, and built around a substantively similar model: defined consumer rights, opt-outs from data sale and targeted advertising, an opt-in regime for sensitive categories, and enforcement by state attorneys general. The SECURE Data Act, in its core architecture, codifies that consensus. The familiar opposition frame - that this is an industry bill, not a consumer bill - is a category error worth retiring. Calling the framework consumer-protective when Connecticut, Virginia, Kentucky, and Colorado adopt it, and an industry giveaway when Congress does, requires an explanation. There is not a good one.
The bill's substance is worth reading on its own terms. Sections 3 through 5 give every American the rights to access, correct, delete, and port their personal data, and to opt out of the sale of that data, of targeted advertising based on it, and of fully automated profiling that produces legal or similarly significant effects. Section 6 imposes affirmative consent before any covered entity processes sensitive data, including precise geolocation, health information, biometric identifiers, and data revealing race, ethnicity, religion, or sexual orientation. These are not aspirational provisions. They are operative duties enforceable by the FTC and by every state attorney general, with civil penalties.
On children's and teens' privacy, the SECURE Data Act establishes a strict nationwide opt-in data minimization standard. This aligns with some existing state laws, but will now require companies to protect the data of all children and teens, not just those who happen to live in states with a privacy law.
The data broker provisions also break new ground. Section 11 establishes a federal broker registry administered by the FTC, with mandatory registration within twelve months of enactment and a public, searchable database online within eighteen months. Only four states currently have broker registries of any type. But what SECURE Data proposes is operative and federal in a way no individual state can match. A consumer in any state will be able to identify, in one place, the entities holding their data and exercise rights against them under one consistent set of rules. State-level broker registries cannot reach entities operating outside their jurisdictions; a federal registry can, and Section 11 creates one.
The bill does not include a private right of action. Privacy advocates focused on individual litigation as the principal enforcement tool will read this as a fatal weakness, and their argument deserves a serious response rather than a dismissive one. Of the state comprehensive privacy laws now in force, only one - California's - includes a private right of action at all, and even that is limited to reckless data breach scenarios. The FTC-plus-state-AG model in Section 12 is not the industry escape hatch; it's the median state choice, made by both Democratic and Republican attorneys general who concluded that rule-driven public enforcement produces more consistent outcomes than one-off settlements in private litigation.
Scholars who have studied the actual record of class-action privacy enforcement, including some who have argued for a more aggressive private right of action regime in other contexts, have further documented its limits: low individual recovery, attorney fee-driven settlement structures, slow case progression, and a tendency to produce monetary judgments rather than behavioral change at the controller level. A federal regime that combines FTC rulemaking authority, state attorney general civil actions, and substantial civil penalties is not a weaker enforcement architecture than a private right of action. It is a different one, and the empirical case for it is not industry boilerplate.
Lastly, the bill's preemption architecture in Section 15 is the structural answer federal privacy law needs to provide. The section preempts state laws that relate to the federal Act's provisions while preserving state attorney general enforcement authority over the federal statute itself. That structure delivers what no combination of separate state regimes can deliver: a single national baseline applicable to every covered entity, enforceable across jurisdictions, with state attorneys general empowered to bring civil actions for violations of the federal Act.
Strong state regimes - California, Colorado, Connecticut, and Washington in particular - have advanced privacy protection in real ways, and their drafters deserve credit. But the relevant comparison is not the federal floor against the strongest state ceiling. It is the federal floor against the lived experience of consumers in the 29 states without a comprehensive privacy law, and against the cross-jurisdictional structure of the harms those state laws cannot reach. The SECURE Data Act's substantive provisions are comparable to Connecticut's and Virginia's on consumer rights, Colorado's on sensitive data opt-in, and exceed every state regime on data broker registration - because no single state can create a national broker registry.
Admittedly, two things would strengthen any federal privacy regime, and neither is in this bill. The first is sustained appropriations for the Cybersecurity and Infrastructure Security Agency (CISA). Privacy and cybersecurity are operationally inseparable, and a bill that creates federal data security duties depends on a federal security infrastructure that can support investigation and incident response. Congress should fund that infrastructure at higher levels regardless of which privacy bill becomes law.
The second is the broader question of civil rights protections to supplement existing in the context of artificial intelligence, including, for example, provisions on algorithmic discrimination, automated decisionmaking in high-stakes contexts, and transparency obligations for consequential systems. This is a serious question that requires congressional attention. But the SECURE Data Act is a privacy bill, and the U.S. has not been able to pass comprehensive consumer privacy legislation in any modern Congress. Bolting AI civil rights provisions onto a bill that finally has a chance to move - provisions that require careful design and stakeholder process - would not produce better AI policy. It would produce no privacy law, again.
Members of Congress and civil society advocates who want to see a federal privacy law done right have a question to answer about what doing it right means in practice. The SECURE Data Act is on the table now. Engaging with it, including pressing on where reasonable consumer privacy-protective amendments can be made, produces the law. Walking away does not. Privacy law in this country has been written, for nearly a decade now, by the people who showed up to write it.
Anton van Seventer is the Counsel for Privacy and Data Policy at the Software & Information Industry Association.