U.S. Privacy and Data Protection | Insights | The SECURE Data Act | Q2 2026 (Federal Law)

What is the SECURE Data Act

In April 2026, the “SECURE Data Act” (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, H.R. 8413) was introduced as a comprehensive federal privacy bill, which was the scope of a June hearing and is now pending in the U.S. House of Representatives. The proposal would establish a nationwide consumer privacy framework and broadly preempt overlapping state consumer privacy statutes in the areas it covers, potentially reducing the current patchwork of state‑by‑state requirements.

The SECURE Data Act borrows heavily from existing state privacy laws, using a familiar controller/processor model and focusing on how businesses collect, use, and share “personal data” and “sensitive data.” The bill also incorporates data‑minimization obligations and generally applies to entities that process personal data about large numbers of U.S. consumers and meet specified revenue or data‑broker thresholds.

Core features of the SECURE Data Act include:

• Consumer rights to access, correct, delete, and port their personal data, along with opt‑out rights for targeted advertising, sales of personal data, and certain automated profiling that has legal or similarly significant effects on individuals.
• Mandates companies to obtain affirmative opt‑in consent for processing “sensitive data,” including categories such as precise geolocation, health, financial, and biometric data, with personal data about teens under 16 treated as sensitive and subject to enhanced parental and teen‑specific protections.
• A federal data‑broker registration regime requiring qualifying entities that derive a significant portion of revenue from selling personal data to register annually with the Federal Trade Commission, which would maintain a national public registry.

Together, these provisions aim to standardize how consumer data is handled across sectors while imposing stricter guardrails around particularly high‑risk data uses. For many internet‑focused businesses, that means aligning their practices to a single national rule set rather than navigating a growing list of overlapping state laws.

Preemption and Enforcement

A key feature of the SECURE Data Act is broad federal preemption. It aims to establish a single national standard and therefore the bill would bar states from enforcing many overlapping consumer privacy laws in the areas it covers, effectively operating more as a ceiling than a floor while leaving certain sector‑specific or non‑privacy state laws in place.

Enforcement authority would rests with the Federal Trade Commission and State Attorneys General, with an enhanced role for the U.S. Department of Commerce in overseeing approved privacy codes of conduct. There is no private right of action for consumers.

The SECURE Data Act has already been the subject of early House subcommittee hearings, and its scope, particularly around preemption and children’s privacy, may evolve through amendments as it moves through the legislative process. Businesses should expect continued debate before any final vote.

What Businesses Should Do Now

Although the SECURE Data Act is still working its way through Congress and may be revised before it is enacted, companies that rely heavily on consumer data, especially online platforms, advertisers, app and game developers, and data brokers, can take practical steps now to prepare for a potential federal standard and to reduce regulatory risk under existing laws.

Practical next steps include:

• Reviewing updates to this and other potential privacy laws.
• Mapping personal and sensitive data flows across systems, products, and vendors, including where data is shared with third parties or transferred outside the United States.
• Stress‑testing processes for access, deletion, portability, and opt‑out requests at scale, focusing on response timelines, identity verification, and auditability of request handling.
• Reviewing consent flows, dark‑pattern risks, and age‑gating strategies for sensitive data, especially where teens under 16 may use the service or be targeted for advertising.
• Updating controller/processor contracts, data‑processing addenda, and vendor‑oversight programs to anticipate a single national privacy standard, while maintaining compliance with existing state laws until any federal preemption actually takes effect.

Kronenberger Rosenfeld is closely tracking federal and state privacy laws and advising internet‑focused businesses on how a national privacy law could reshape their obligations, risk profile, and product roadmaps. If you would like to discuss how this proposal may impact your data practices, advertising programs, or future product planning, our team is available to assist. Contact us today to speak with an attorney.