April 24, 2026

House Republicans Introduce Secure Data Act


On April 22, 2026, Republicans who are part of the House Energy & Commerce Committee’s Privacy Working Group introduced the Secure Data Act (the “Act”), a comprehensive federal privacy bill that would establish a nationwide framework governing the collection, use, and protection of personal data. If enacted, the Act would grant consumers a suite of enforceable rights over their personal data, including rights to access, correct, delete, and port their information, as well as the right to opt out of targeted advertising and the sale of personal data. The legislation also imposes obligations on controllers and processors, including data minimization requirements, enhanced transparency and disclosure obligations, and data security standards. Among its other notable provisions, the Act establishes a framework for voluntary codes of conduct, addresses cross-border data transfers, and broadly preempts state privacy laws. Enforcement authority would rest primarily with the Federal Trade Commission (“FTC”) and State Attorneys General (“AGs”), with a right-to-cure mechanism that requires written notice and a 45-day cure period before an action may be initiated. The following is a summary of the Act’s key provisions.

Consumer Rights

The legislation grants consumers rights to: (1) access/confirm processing (subject to a trade secret limitation), (2) correct inaccuracies, (3) delete personal data, (4) port data the consumer previously provided (when technically feasible), and (5) opt out of processing for targeted advertising, sale of personal data, and certain profiling that produces a legal or similarly significant effect.

It also requires affirmative consent before processing sensitive data. The processing of such data of a child (under the age of 13) must comply with the Children’s Online Privacy Protection Act (“COPPA”), and the processing of the sensitive data of a teen (under the age of 16 but over 13) requires verifiable parental consent.

The bill includes operational requirements for rights requests (authentication, response timelines, fee limitations), as well as an appeals process with a mechanism that allows consumers to escalate complaints to the FTC or AGs.

Controller Obligations

Data Minimization and Other Use Restrictions

Controllers must adhere to data minimization—meaning that controllers must only collect what is “adequate, relevant, and reasonably necessary” for disclosed purposes. Secondary uses of personal data must be “reasonably necessary or compatible with a disclosed purpose” (or the controller must obtain prior consent).

A controller may not process personal data in violation of a Federal law that prohibits unlawful discrimination against a consumer. A controller may also not discriminate against a consumer for exercising consumer rights, including by denying goods or services, charging different prices, or providing different levels of quality. Consumer loyalty programs are exempt from this requirement.

The bill also preserves the ability of a controller to:

  • Cooperate with law enforcement;
  • Investigate/defend a legal claim;
  • Provide a product/service and perform a contract specifically requested by a consumer/parent;
  • Protect the life or physical safety of an individual;
  • Prevent/detect/protect against/respond to a security incident, including identity theft, fraud, harassment, malicious or deceptive activity, or any other similar illegal activity;
  • Preserve the integrity/security of systems;
  • Engage in certain types of scientific research;
  • Conduct internal research to develop/improve/repair a product/service/technology;
  • Effectuate a product recall; and
  • Perform an internal operation that is reasonably aligned with/anticipated based on the expectations of a consumer.

Disclosures

Controllers must also provide a clear privacy notice describing, among other things: categories of personal data processed, purposes for processing personal data, how consumers can exercise/appeal rights, categories of data shared and recipients (including government entities), and whether data is transferred to/processed/stored in/sold to a “covered nation.”

The legislation also requires specific disclosures if a controller sells personal data or uses it for targeted advertising, and it imposes transparency obligations around certain automated decision-making activities (i.e., profiling without human review).

Data Security

Controllers must implement reasonable administrative, technical, and physical safeguards appropriate to the volume/sensitivity/nature of the data. The bill creates a rebuttable presumption against an alleged violation if the controller either complies with an approved code of conduct/certification or maintains a program aligned with “state-of-the-art” practices and a recognized risk-management framework (including detection/response/recovery).

Data Brokers

A data broker is defined as a controller that (1) collects and processes personal data of a consumer who is not a client, user, reader, or subscriber of a product/service provided by the controller, and (2) derives 50% or more of annual gross revenue from the sale of personal data.

A data broker must:

  • Post a public notice identifying itself as a data broker and explaining how consumers can exercise their rights; and
  • Register with the FTC within 12 months after enactment (and annually thereafter), providing specified information (including categories of data sold and certain reported security incident information).

The FTC must establish a public, searchable registry of registered data brokers within 18 months after enactment, including links to each broker’s privacy policy and rights-exercise mechanism.

Processors

Processors must adhere to the instructions of a controller and assist the controller in meeting its requirements, including responding to consumer rights requests and implementing appropriate data security measures. Whether an entity is a controller or processor is a fact-specific analysis that depends upon the context in which personal data is to be processed.

The relationship between a controller and a processor must be governed by a contract that sets forth instructions for processing personal data. Neither a controller nor a processor is relieved from liability “by virtue of a role in a processing.”

Deidentified and Pseudonymous Data

For deidentified data, the bill requires reasonable measures to prevent re-identification, a public commitment not to re-identify, and contractual flow-down obligations to recipients, along with ongoing oversight. The legislation also limits the extent to which consumer rights apply to pseudonymous data (in specified circumstances), and prevents re-identification or forcing businesses to keep data in identifiable form solely to respond to rights requests.

Codes of Conduct

Controllers/processors may submit codes of conduct to the Secretary of Commerce for approval (with public comment, consultation with the FTC, and an approval/denial determination on a defined timeline). Participation confers a rebuttable presumption of compliance for covered requirements. The Secretary can also withdraw approval, though the provision includes a right to cure.

A controller’s certification pursuant to the Global Cross Border Privacy Rules System Privacy Recognition for Processors or any successor system is deemed participation in a code of conduct for purposes of the legislation.

Cross Border Data Flows

The bill designates the Secretary of Commerce as the lead policy actor for international data flows, and allows the Secretary to enter into international agreements to promote cross-border data flows.

Enforcement

The bill is primarily enforced by the FTC, treating violations as a violation of Section 5 of the FTC Act (the unfair or deceptive acts or practices framework). The bill expressly extends FTC enforcement to communications common carriers. State AGs may bring actions for injunctive relief and monetary/redress remedies, subject to notice and coordination provisions and certain limits when a federal action is pending.

The bill includes a right to cure. The FTC or a State AG must provide written notice identifying the specific alleged violation and wait at least 45 days before initiating an action; curing within that period (and providing a written assurance) eliminates the violation.

The bill broadly preempts state laws “relat[ing] to the provisions of this Act.”

The bill does not relieve or change obligations under various federal regimes (e.g., COPPA, GLBA, HIPAA/HITECH, FCRA, FERPA, human-subject protections, etc.). But it does preempt the Communications Act and any regulation promulgated thereunder “with respect to the collection, use, processing, transferring, or security of personal data” unless “a regulation or order pertains solely to emergency services.” The bill also repeals the Video Privacy Protection Act.
