Congress called it privacy. EFF: it wipes 21 state laws.
The SECURE Data Act would preempt 21 state privacy laws while giving violators a 45-day free pass. EFF calls it "woefully inadequate."
In May 2026, House Republicans on the Energy and Commerce Committee released the SECURE Data Act, promoted as America's first comprehensive federal privacy law. The Electronic Frontier Foundation (EFF, a nonprofit digital civil liberties organization that has defended internet freedom since 1990) published a detailed critique of the bill text within days. Its verdict: "woefully inadequate." EFF went further: the bill would cause more corporate surveillance, not less, because it legally erases 21 existing state privacy laws that millions of Americans currently rely on and replaces them with a weaker federal standard that EFF says is engineered with loopholes.
Not a single Democratic co-sponsor signed on. The bill was released unilaterally by the Republican majority — unusual for legislation promoted as protecting all Americans.
A Federal Floor So Low It Becomes a Ceiling
Federal privacy law can work two ways. Laws like HIPAA (Health Insurance Portability and Accountability Act — the federal law that protects your medical records), the Video Privacy Protection Act (VPPA — which protects your video rental and streaming history), and the Electronic Communications Privacy Act (ECPA — which governs digital message privacy) all set a minimum federal standard while explicitly allowing states to go further. The SECURE Data Act takes the opposite approach: it preempts (legally overrides) state privacy laws nationwide, replacing them with a weaker national standard. Under the bill, the following protections would disappear:
- The 21 existing state consumer privacy laws, including those of California, Virginia, Colorado, Connecticut, and Texas
- State data breach notification laws (every one of the 50 states has one), which currently require companies to alert residents within defined windows when personal data is stolen
- California's data broker deletion tool, a state program letting residents submit one request to erase their profiles across hundreds of data brokers (companies that compile and sell detailed personal profiles including your address, income, political leanings, and health signals)
- Mandatory compliance with Global Privacy Control (GPC, a browser signal that automatically tells every website "don't sell or share my data"; it is built into browsers such as Firefox and Brave and sent by extensions like EFF's Privacy Badger)
EFF stated the core problem plainly: "In fact, it would cause even more corporate surveillance of our personal information, by wiping out state laws that are more protective than this federal bill." Notably, the bill also declines to ban online behavioral advertising (the practice of tracking your searches, clicks, and purchases across websites to build ad profiles) — the primary business model driving corporate data collection at scale.
Caught Breaking the Law? Here Is Your 45-Day Free Pass
The bill's enforcement mechanics reveal its priorities. Section 6 grants any violator a 45-day "cure" period — meaning a company caught breaking privacy law has six weeks to fix the violation with zero financial penalty, and faces no consequence afterward if it complies. Put in context:
- GDPR (Europe's General Data Protection Regulation — the world's strictest privacy framework): fines up to 4% of global annual revenue or €20 million, whichever is higher
- CCPA (California Consumer Privacy Act — the California law the SECURE Act would preempt): civil penalties of $7,500 per intentional violation
- SECURE Data Act: fix it within 45 days, no fine, no record of the violation
More critically, the bill contains no private right of action — legal language meaning ordinary citizens cannot sue companies directly to enforce their own privacy rights. Every complaint must flow through the FTC (Federal Trade Commission — the federal agency that polices unfair business practices). EFF noted regulators already lack the resources to enforce existing law — and the SECURE Data Act proposes no new enforcement budget or staffing whatsoever.
The contrast with existing federal privacy law is sharp: HIPAA, the VPPA, and the ECPA — all of which predate the smartphone era — preserved states' right to strengthen federal floors. The SECURE Data Act eliminates that flexibility permanently.
Six Loopholes Written Into the Fine Print
EFF's line-by-line analysis of the bill text identified six specific exemptions and deliberately narrow definitions that appear designed to minimize what companies actually have to do:
The "One Human" Profiling Escape Hatch
The bill restricts only profiling that is "solely automated" (computers alone building behavioral profiles of individuals for decision-making). Section 2's definition excludes any process in which even a single human reviewed the output. A company could automate 99% of a decision, assign one employee to glance at the result, and the profiling restriction would no longer apply. EFF describes this as a legal fiction that nullifies the rule for virtually any real-world deployment.
Data Broker Registration: The 50% Revenue Threshold
Data brokers must register in a public FTC database only if at least 50% of their revenue comes from selling personal data. A company making 49.9% of income from data sales faces no disclosure requirement at all. When consumers do submit deletion requests, the bill treats them as opt-out requests (stop selling my data going forward) rather than actual deletion (erase what you already hold). The profile stays in corporate databases; the broker merely agrees not to sell it again.
De-Identified Data Exempt — Despite Decades of Re-Identification Research
The bill fully exempts de-identified data (records with names and other direct identifiers removed) from all of its protections. But researchers have demonstrated repeatedly that de-identified datasets can be re-identified (linked back to real individuals) by matching the fields that remain against external data sources. In 2006, reporters identified individual AOL users from "anonymized" search logs the company had released. In 2008, researchers re-identified Netflix subscribers from purportedly anonymous movie ratings by matching them against public reviews. Location pings with names stripped still reveal home addresses, medical offices, and places of worship, because the pattern of places visited is itself identifying. The SECURE Act treats the removal of direct identifiers, which research has shown is not by itself a privacy guarantee, as if it were one.
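The simplest form of the re-identification the paragraph describes is a linkage attack: the "de-identified" release keeps fields such as ZIP code, date of birth and sex, and a public dataset that carries names (voter rolls are sold in many states) is joined on those same fields. The AOL and Netflix cases exploited different signals (search terms and sparse rating histories); the example below uses the quasi-identifier join because it needs no special data. This is an added example, not code from the EFF analysis or the bill; both datasets are constructed and the names are placeholders. It also computes k-anonymity, the smallest group of records sharing the same quasi-identifier values, to show why stripping names alone fails and what coarsening the remaining fields does.

```python
"""Linkage attack on a 'de-identified' dataset (added example, constructed data).

The release below has names removed but keeps ZIP code, date of birth and sex.
Those three fields are quasi-identifiers: individually common, jointly rare.
Joining them against a public dataset that carries names puts the names back.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" medical release: direct identifiers stripped.
DEIDENTIFIED_RELEASE = [
    {"zip": "02138", "dob": "1965-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1968-02-14", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1988-11-02", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1988-11-02", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02140", "dob": "1950-05-20", "sex": "M", "diagnosis": "arrhythmia"},
    {"zip": "02141", "dob": "1953-09-09", "sex": "M", "diagnosis": "glaucoma"},
]

# Constructed public dataset with names (a voter roll; names are placeholders).
VOTER_ROLL = [
    {"name": "A. Example", "zip": "02138", "dob": "1965-07-31", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1968-02-14", "sex": "F"},
    {"name": "C. Example", "zip": "02139", "dob": "1988-11-02", "sex": "F"},
    {"name": "D. Example", "zip": "02139", "dob": "1988-11-02", "sex": "F"},
    {"name": "E. Example", "zip": "02140", "dob": "1950-05-20", "sex": "M"},
    {"name": "F. Example", "zip": "02141", "dob": "1953-09-09", "sex": "M"},
    {"name": "G. Example", "zip": "02141", "dob": "1993-01-09", "sex": "M"},
]


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used as the join key."""
    return tuple(row[f] for f in fields)


def link_records(release, public, fields=QUASI_IDENTIFIERS):
    """Join the release to the public dataset on the quasi-identifiers.

    Returns a list of (diagnosis, [matching names]) in release order. A single
    match is a confident re-identification; several matches still narrow the
    patient to a small set, which is a privacy loss of its own.
    """
    index = defaultdict(list)
    for person in public:
        index[qi_key(person, fields)].append(person["name"])
    return [(row["diagnosis"], index.get(qi_key(row, fields), [])) for row in release]


def unique_reidentifications(release, public):
    """Number of release rows that link to exactly one named person."""
    return sum(1 for _, names in link_records(release, public) if len(names) == 1)


def k_anonymity(release, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size over the quasi-identifier set.

    k = 1 means at least one row is unique on those fields and therefore
    linkable to any outside dataset carrying the same fields plus a name.
    """
    counts = Counter(qi_key(row, fields) for row in release)
    return min(counts.values())


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and birth decade only."""
    out = dict(row)
    out["zip"] = row["zip"][:3]
    out["dob"] = row["dob"][:3] + "0s"
    return out


if __name__ == "__main__":
    for diagnosis, names in link_records(DEIDENTIFIED_RELEASE, VOTER_ROLL):
        print(f"{diagnosis:<13} -> {names or 'no match'}")
    print("rows re-identified uniquely:",
          unique_reidentifications(DEIDENTIFIED_RELEASE, VOTER_ROLL))
    print("k-anonymity of raw release:", k_anonymity(DEIDENTIFIED_RELEASE))
    coarse = [generalize(r) for r in DEIDENTIFIED_RELEASE]
    print("k-anonymity after generalization:", k_anonymity(coarse))
```

On this sample, four of the six "anonymous" diagnoses attach to exactly one voter-roll name and the other two narrow to a pair, because the raw release is only 1-anonymous on (ZIP, date of birth, sex). Coarsening those fields to ZIP prefix and birth decade raises k to 2, which is what a release would need before it could honestly be called de-identified; a name-stripping step alone changes nothing here.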
Biometric Definition Deliberately Narrowed
The bill's definition of biometric data (unique physical identifiers like fingerprints, iris patterns, and facial geometry) excludes data derived from photos or videos where the scan was not specifically intended to identify an individual. This creates exemptions for sentiment analysis (detecting emotion from facial expressions), demographic inference (estimating age, gender, or ethnicity from images), and gait recognition — all active forms of biometric surveillance that fall outside the bill's protections under this narrow reading.
Government Contractor Exemption
Section 11 exempts government contractors from the bill's requirements — potentially permitting companies to transfer personal data to federal agencies without restriction. EFF specifically named Clearview AI (the facial recognition company that scraped over 30 billion photos from social media without consent and sells database access to law enforcement) as a potential beneficiary. This exemption could create a direct legal pipeline from corporate data harvesting into government surveillance infrastructure with no restriction under the SECURE Act.
Self-Regulatory Audit Scheme
Section 8 allows companies to obtain a presumption of compliance by submitting to audits by "independent organizations" — a category that in practice means industry-funded certification bodies with no public accountability. EFF also flagged Section 9, which grants the Secretary of Commerce broad, vaguely defined power over "international flows of personal data" — language with undefined scope that critics say could restrict access to privacy tools or create new cross-border surveillance channels.
What Existing State Protections Would Vanish First
California has spent more than a decade building the most comprehensive state privacy framework in the United States. The CCPA (California Consumer Privacy Act) and its successor CPRA (California Privacy Rights Act, which added stronger data minimization requirements and created the California Privacy Protection Agency) created enforceable rights millions depend on. Under the SECURE Data Act, California's stronger protections would be preempted on the day of enactment, including:
- Required compliance with Global Privacy Control — California currently mandates companies honor this opt-out signal automatically, without requiring individual requests
- The data broker deletion registry — one-click erasure across hundreds of brokers simultaneously
- Stronger protections for sensitive data categories: precise geolocation, reproductive health information, union membership, and sexual orientation
One provision with direct AI implications: companies are explicitly permitted under the SECURE Act to use personal data to "develop or improve" AI systems and new technology — with no restrictions on data type, no consent requirements, and no scope limitations. A company could collect data for customer service, then use it to train AI models for an entirely different commercial application, with no notice to users and no legal barrier under this bill.
EFF joined 18 other organizations in a parallel letter to UK policymakers arguing for privacy-by-design frameworks that require opt-in consent for invasive data uses — the opposite of the SECURE Act's default, which places the burden on individual consumers to actively resist data collection rather than requiring companies to seek permission first.
The SECURE Data Act remains in committee as of May 2026. If it advances, you can read the full bill text and contact your representative through the House Energy and Commerce Committee, or take action directly through EFF's Action Center. To understand how AI companies collect and process personal data at a practical level, explore our AI literacy guide.