US SECURE Data Act: What’s in the newly proposed federal privacy law & what happens next

House Energy & Commerce Vice-Chair John Joyce introduced HR 8413, the SECURE Data Act, on April 22, 2026. It is the first serious comprehensive federal privacy bill of the 119th Congress.
- The bill includes consumer rights to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling; data minimization; affirmative consent for sensitive data; and a federal data broker registry administered by the FTC
- Enforcement would be by the FTC and state attorneys general, with a 45-day cure period and no private right of action
- Section 15 would preempt state privacy laws including CCPA/CPRA, Illinois BIPA, and Washington's My Health My Data Act, reprising the fight that killed the last two serious attempts at a federal privacy bill
What does the bill do?
The SECURE Data Act largely follows the “Virginia style” state privacy model.
The bill includes consumer rights, data minimization, “controller” and “processor” concepts borrowed from the GDPR, and FTC enforcement.
A few features stand out.
- Teen data: Personal data of anyone aged 13 to 15 is treated as sensitive, requiring verifiable parental consent. This effectively extends COPPA by three years
- Data brokers: A national FTC-administered registry, with eligibility keyed to controllers that derive 50% or more of annual revenue from selling data of non-customers
- Codes of conduct: A Commerce Department system with a rebuttable presumption of compliance for participants, including recognition of Global Cross-Border Privacy Rules certification
Who would it apply to?
The thresholds are higher than any state law, covering FTC-regulated businesses that either:
- Process data of 200,000+ US consumers annually with $25 million+ in revenue, or
- Process 100,000+ consumers' data and derive 25%+ of revenue from data sales
Nonprofits, GLBA-covered financial institutions, HIPAA-covered entities, and educational institutions are exempt.
Will it pass?
If the bill fails, the likely cause is how it preempts certain other privacy laws.
Section 15 effectively overrides any state law that "relates to" the bill's provisions. That is a ceiling, not a floor: California, Illinois, Washington, and state data broker registries would all be displaced. This is the same fight that killed the ADPPA in 2022 and APRA in 2024.
Why track it anyway?
Even unsuccessful federal bills shape state-level conversations.
Provisions that make it through committee tend to surface in subsequent state amendments. And if a version does clear Congress, the shift to a single national framework would simplify compliance for non-US organizations, even if it lowered the substantive bar in some respects.
For organizations already compliant with UK GDPR and the more demanding state laws (California, Colorado, Connecticut), the SECURE Data Act's requirements would add little extra burden. The operational change would be the move to a single federal enforcement regime.
Privado AI's agentic privacy platform automates multistate and cross-border compliance by monitoring web and app privacy risks, mapping data flows, and automating RoPAs and privacy assessments.




