By Kathy O’Sullivan, Esq. (CIPP/US, CIPP/E)

On April 21, 2026, the U.S. House Energy and Commerce Committee introduced the latest U.S. effort at nation-wide data privacy legislation: H.R. 8413, The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, aka the SECURE Data Act (the “Act”). This article briefly describes just some of its features. For context (but beyond the scope of this article), a companion bill was introduced by the House Committee on Financial Services, to amend the 1999 Gramm-Leach-Bliley Act: H.R. 8398, Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act, aka the GUARD Financial Data Act.
Responsible Data Stewardship? Or Protection For Business Interests?
From skimming recent commentary, there seems to be no expectation the SECURE Data Act will pass, certainly not in its current form. While it awaits consideration by committee, let alone the full House, there’s ample opportunity for feedback from interested parties, which may well alter the bill’s contours. With that in mind:
One example of feedback came into the Committee on Energy and Commerce on April 27, 2026, from the California Privacy Protection Agency. The Agency sent a letter outlining some of the SECURE Data Act’s flaws, from a consumer protection perspective, compared with features to be lost were it to preempt the California Consumer Privacy Act (“CCPA”).
Among the areas where the Act is viewed as undesirable by some privacy-focused commentators are:
- Federal Preemption. As written, the Act would preempt any State law that “relates to the provisions of” the Act. It purports therefore to set the ceiling, not the floor, for data privacy legislation – within its scope. (Getting into the weeds and potential arguments about scope is beyond the reach of this short article.)
- Honor Universal Opt-Out Signals? Not required. (The Secretary of Commerce would be required to publish a “study” about them. Within three years. Sec. 10.)
- Risk Impact Assessments? Not required.
- Data Minimization, Retention, Purpose Requirements? Various requirements would be weaker, or non-existent, compared to some other laws.
- And more.
Like plenty of State efforts, there’s also the ever-controversial: No private right of action. The Act would empower State Attorneys General, as well as the Federal Trade Commission (“FTC”), for enforcement.
Some Nitty Gritty: Who would the SECURE Data Act govern?
Like in contracts, the devil’s always in the details of legislation. And there are plenty of defined terms and other twists and turns in the Act, far more than we can get into here. But here are a few of note:
Section 13 lays out detailed “applicability” tests – and exemptions. For applicability, the first part of the test is being a “person” falling under the jurisdiction of the FTC, or being a “common carrier;” then also conducting business in the U.S., or offering products or services for use or sale to a U.S. resident, or processing or engaging in sale of a U.S. resident’s personal data.
Next, satisfy one of two flavors of revenue and consumer size thresholds (excluding where the sole purpose was completing payment transactions):
Either:
(1) collecting and processing personal data of more than 200,000 “consumers” annually and at least $25M in annual gross revenue,
OR
(2) collecting and processing personal data of at least 100,000 “consumers” annually and deriving at least 25% of annual gross revenue from sale of personal data.
Section 8 describes a Code of Conduct process for covered entities – and that a special (“voluntary”) Code of Conduct process will be rolled out (in two years) for entities too small to otherwise be covered. (Sec. 8(e)).
Section 13(b) lays out numerous exemptions (including without limitation government entities, non-profits, and financial institutions subject to Section V of the Gramm-Leach-Bliley Act). Additionally, Section 14 identifies numerous federal laws; controller and processor obligations arising under those laws are not impacted by the Act.
Some more of the Act’s definitions:
“Controller” means a “person that, alone or jointly with others, determines the purpose and means of processing personal data.” (Sec. 16(10)). “Processor” means a person who processes personal data “on behalf of a controller.” (Sec. 16(24)). “Consumer” means “an individual” acting in an “individual or household capacity,” but not “in a commercial or employment context.” (Sec. 16(9); see also Sec. 13(b) re employment-related exclusions).
What About International/Cross-Border Data Transfers?
The Act’s potential implications for international data flows are way beyond the scope of this article. But just scratching the surface, check out Sections 13-14 re general applicability where U.S. residents’ personal data is concerned. Then, Sections 8(f) and 9, which address “cross-border flows.” You’ll see reference to the Global Cross Border Privacy Rules and Privacy Rules for Processor systems in Section 8(f) (related to Codes of Conduct). (But, not the EU-US Data Privacy Framework.)
And, among the Secretary’s obligations would be “developing policy and recommendations” “addressing any negative impact on consumers and businesses in the United States of laws, regulations, requirements, frameworks, and practices (and the implementation thereof) of foreign governments that limit or restrict the international flow of personal data.” (Sec. 9(b)(2)(B)).
Closing observation: Both the SECURE Data Act and GUARD Financial Data Act are Republican-led efforts, with no Democrat co-sponsors. Prior bipartisan efforts at national data privacy legislation have failed. Stay tuned….
Resources:
Here’s the House Financial Services’ press release about both Acts (which includes links to the legislation, and a one-page summary of both): https://financialservices.house.gov/news. And here are examples of commentary: Statement from the Data Foundation on the SECURE Data Act and GUARD Financial Data Act | ANALYSIS | Data Foundation; California Privacy Protection Agency Releases Letter Opposing the SECURE Data Act – privacy.ca.gov; To establish a national framework for consumer privacy rights and the protection of personal data, and for other purposes. (H.R. 8413) – GovTrack.us (giving SECURE Data Act 1% chance of enactment).
Interested in training about contracts, including their all-important data terms? Tech Contracts Academy® offers an array of courses about contracts involving all sorts of technology, including AI: https://www.techcontracts.com/
© 2026 by Kathy O’Sullivan Esq. (CIPP/E, CIPP/US). All rights reserved.
Thank you to Pixabay.com for the great, free stock image.
THIS ARTICLE IS NOT LEGAL ADVICE. IT IS GENERAL IN NATURE AND MAY NOT BE SUFFICIENT FOR A SPECIFIC CONTRACTUAL, TECHNOLOGICAL, OR LEGAL PROBLEM OR DISPUTE, AND IT IS NOT PROVIDED WITH ANY GUARANTEE, WARRANTY, OR REPRESENTATION. LEGAL SITUATIONS VARY, SO BEFORE ACTING ON ANY SUGGESTION IN THIS ARTICLE, YOU SHOULD CONSULT A QUALIFIED ATTORNEY REGARDING YOUR SPECIFIC MATTER OR NEED.