New GOP privacy bill may be worse than no standard

Congress is making another push for a national data privacy law, but the latest Republican proposal could actually roll back protections for millions of Americans. While the SECURE Data Act would introduce new safeguards in some states, it simultaneously threatens to weaken stronger privacy rights already in place elsewhere, and it lacks several critical components that privacy advocates say are essential.

The bill, spearheaded by Rep. John Joyce (R-PA) and House Energy and Commerce Committee Chair Brett Guthrie (R-KY), is the product of a GOP data privacy working group. It would require companies to collect only the user data necessary to provide their services, allow individuals to view and request deletion of their information, and mandate explicit opt-in consent for sensitive categories like location data or sexual orientation. Enforcement would fall to the Federal Trade Commission and state attorneys general, while a companion bill, the GUARD Financial Data Act, targets consumer financial information.

This effort marks the latest chapter in a protracted struggle to establish federal privacy protections, following years of failed attempts to unite key congressional leaders. In 2024, a scheduled meeting on a major bipartisan proposal was abruptly canceled amid opposition from House Republican leadership. Guthrie and Joyce described their working group’s goal as a chance to “reset the discussion on comprehensive data privacy.”

For the roughly 20 states with existing comprehensive privacy laws , many of which have received poor marks from advocates , the SECURE Data Act would offer some new protections. It also extends additional safeguards to teens aged 13 to 15, requiring parental consent to process their data.

However, the bill notably does not include a private right of action, meaning individuals cannot sue companies for privacy violations. It also fails to mandate recognition of universal opt-out mechanisms, forcing users to repeatedly limit data collection on their own. Furthermore, it exempts pseudonymous data from certain rules, a loophole critics say could allow targeted advertising to continue largely unchecked.

The most contentious aspect is the bill’s preemption of state laws that provide equal or stronger protections. This would override measures like California’s privacy law, which established a dedicated enforcement agency and allows consumers to sue for certain data breaches, or Maryland’s ban on selling sensitive data and serving targeted ads to minors under 18. The Future of Privacy Forum (FPF), whose members include tech platforms but maintains independence, notes that the bill “selects particular narrow approaches used by only a handful of states.”

FPF, which takes no position on the bill, observes that while it exceeds some of the weakest state laws, it is “consistently narrower and less prescriptive” than California’s standards. For example, the definition of biometric data excludes information from audio or video recordings, a more limited scope than many state laws. States like Oregon, Delaware, Maryland, and Minnesota allow consumers to request the identity of third-party data recipients, and Minnesota and Connecticut permit users to challenge certain profiling decisions , all of which would likely be preempted.

Critics are blunt. The Electronic Privacy Information Center (EPIC) has formally opposed the plan. “This bill would wipe out a huge range of privacy, security, online safety, and civil rights laws without providing any meaningful protections for Americans,” says Caitriona Fitzgerald, EPIC’s deputy director and policy director. “A weak federal standard is worse than no standard at all.”

R. J. Cross, director of PIRG’s Our Online Life Program, calls it “basically a green light for the tech industry to keep collecting whatever data they want from you and doing whatever they want with it. Then it makes sure that no pesky state that may want to, you know, actually regulate what companies are doing can get in the way.” Eric Null, director of the Center for Democracy and Technology’s privacy and data project, warns it “would cement the harmful online data practices that Americans need and want a privacy law to fix, resulting in more data breaches, more intrusive data collection, more creepy advertising practices, and more business for data brokers.”

On the other side, business groups have embraced the law, particularly its preemption provision. “The cost and complexity of tracking and complying with more than 20 state privacy laws are crippling small businesses, and some states’ radical data restrictions are jeopardizing the digital tools that power small business growth,” says Rob Retzlaff, executive director of the Connected Commerce Council, which advocates for small businesses but has received funding from major tech platforms. The US Chamber of Commerce, National Retail Federation, and NetChoice have also voiced support, stating the bill “would end a confusing patchwork that harms consumers and small businesses.”

Democrats have historically opposed broad preemption and supported a private right of action, and none have backed this measure. Sponsors hope to recruit them later, after the plan clears committee on a party-line vote, according to CNBC. FPF suggests that many omissions from the bill “are likely intended to create a margin for negotiations.”

If the bill passes, FPF predicts states will fight to preserve their laws, arguing their standards don’t directly “relate to” the federal standard. California’s law, for example, may be harder to fully preempt because it covers employee, B2B, and applicant data , categories the federal bill exempts.

With midterm elections approaching, the bill faces a difficult path. A federal privacy law is a necessary goal on paper, but many fear this version will ultimately do more harm than good.