PRIVACY + SECURITY BLOG

News, Developments, and Insights


Originally posted on Substack

Unlike 160+ countries, unlike almost every industrialized nation, the U.S. has been an outlier because it lacks a comprehensive privacy law. Congress has been trying repeatedly to pass one, without luck, an effort that has faltered because such a law involves many complicated issues that require thoughtfulness and compromise, which don’t exist in Congress these days.

Congress’s latest foray is a new bill called the SECURE Data Act, a piece of garbage cooked up by Republicans as a gift to industry in a climate where the public is deeply concerned about privacy, outraged at the harms tech is causing, and yearning for ways to hold Big Tech accountable.

I can’t stress enough how awful this bill is. On balance, if passed into law, it will do dramatic harm to privacy. It will leave people less protected than if it didn’t exist. I’d call it more of an anti-privacy law than a privacy law.

I’ll briefly provide a few reasons why this bill is terrible and should not be passed.

Uses Failed Anemic Approaches of State Consumer Privacy Laws

The Act tracks many of the state consumer privacy laws, most passed from 2018 to the present, which largely double down on the failed notice-and-choice approach. These laws barely move the needle, asking extremely little of companies and giving consumers individual privacy rights that are a chore to exercise and that mainly create the illusion of control over their data.

I wrote extensively about why these rights fail in my piece from a few years ago, The Limitations of Privacy Rights, 98 Notre Dame Law Review 975 (2023). The problem with rights is that people aren’t getting adequate information to manage their privacy, and there are too many companies gathering too much data for people to have the time to exercise their rights at scale. In an age of AI, there’s no way for people to meaningfully make the key decision they must make when using tech or sharing their data, which is a risk calculation: Are the benefits worth the risks? With AI, people have no idea what inferences will be made from their data or what the risks could conceivably be. Privacy notices fail to provide the meaningful information people need to assess the risks.

The state consumer privacy laws have thus far been a disappointment. Many were written substantially by industry. They are more similar than different, often cut-and-paste jobs with just a few differences, and they lack imagination (or any real attempt by most legislatures to incorporate some great ideas in extensive scholarship by academics and work by NGOs).

We don’t need this at the federal level. It won’t move the needle at all. And most people know this. I wonder if anyone in one of the states blessed with one of these consumer privacy laws ever has said: “Oh, I feel so relieved and safe. My privacy is so protected now that there’s this great law in my state.” Nope. Most likely, whether you’re in one of these states or not, you’d never know the difference.

The SECURE Data Act is modeled on the weakest state consumer privacy laws, so it’s bad even when compared to a rather bad group of laws.

Empty Data Minimization Provision

Like many laws, the bill articulates principles of data minimization, that only data “adequate, relevant, and reasonably necessary” for disclosed purposes may be collected and that secondary uses of data must be “reasonably necessary or compatible with a disclosed purpose.”

In practice, these provisions are empty because they’re rarely ever enforced with rigor. They are merely there to sound good.

A more rigorous approach to data minimization is Maryland’s consumer privacy law which has actual restrictions on data collection and use that are not just a facade.

Weak Regulation of Data Brokers

The law requires that data brokers register with the FTC. Beyond that, little else.

Data brokers gather and share massive quantities of personal data with the government, feeding greatly into the problems of unchecked authoritarian power and the burgeoning surveillance state. I wrote about this problem in Privacy in Authoritarian Times: Surveillance Capitalism and Government Surveillance, 67 Boston College Law Review 51 (2026).

Having just a registration requirement doesn’t address most of these problems. It’s just saying “please raise your hand if you’re a data broker,” and when folks do, replying, “that’s nice, how do you do?”

Minimal Duties and Governance

The bill has very weak requirements for duties and governance around privacy. There are minimal to no requirements to do risk assessments, mitigate harms, conduct workforce training, have privacy officers, design tech in privacy-protective ways, use privacy by default in settings, restrict dark patterns, or do much of anything at all.

Weak Enforcement

The bill can be enforced by the FTC (or state attorneys general) as an FTC Act Section 5 violation. There are no fines. And no private right of action.

The FTC is hobbled right now, and it’s woefully understaffed and under-resourced. I recently wrote a piece about problems with government enforcement and why privacy laws must have a private right of action to be effective: Enforcing Privacy Law: Why Private Litigation is Essential, 107 Boston University Law Review __ (forthcoming 2027).

Terrible Overbroad Preemption

If the above aren’t enough reasons to hate this law, the preemption provision alone is outrageously bad. I’ve written extensively about why a federal privacy law shouldn’t preempt state laws.

The preemption provision states: “No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.”

This is a ridiculously broad preemption provision and it could wipe out not just state consumer privacy laws but scores of other laws, perhaps thousands of other laws. Consumer privacy is an enormously broad topic, and the language “relates to” is quite vague. Many torts could be wiped out. So could state wiretap laws, which can be used for consumer privacy issues. So could countless other laws that aren’t even privacy laws but involve, in some way, the collection and use of personal data. We’re not talking hundreds of laws, but potentially thousands!

And it will open the door to endless litigation over the scope of this provision as it applies to so many laws, which will create an enormous headache and great uncertainty in the law.

Earlier in this essay, I critiqued state consumer privacy laws as weak and unimaginative, so why should we care if they’re preempted? There are several reasons:

  1. Some states are including interesting provisions, such as Maryland’s data minimization requirements. California has an enforcement agency dedicated to privacy. It is useful to see how these things work. There is a value for states being able to create their own laws and be the “laboratories” of democracy.
  2. Many states have subject-specific privacy laws that have some effective elements, such as the Illinois Biometric Information Privacy Act (BIPA), and several of these laws are stronger than most general state consumer privacy laws. These subject-specific laws might also be preempted.
  3. States are starting to amend and strengthen their consumer privacy laws, so the game isn’t over in the states. This is one reason why industry wants a preemptive federal law, because industry fears that when some states realize their laws are no good, they might respond to public pressure to improve them.
  4. State common law can be an effective tool, for it allows people to bring civil litigation, and we saw recently with the verdict in Los Angeles against tech companies that juries (unlike many policymakers) want companies to be held accountable.
  5. Congress is inept at keeping its laws updated. It has failed to update woefully outdated privacy laws such as FERPA (regulating education privacy) and ECPA (regulating electronic surveillance).

Preemption really isn’t necessary if a federal privacy law is good. Many earlier federal privacy laws don’t preempt stricter state laws, and they aren’t presenting problems. HIPAA, for example, doesn’t preempt in this way, and there isn’t a clamor to change it. So, the best way to avoid a patchwork of state laws is to create a good federal privacy law. Then states won’t need to pass privacy laws because the federal law is getting the job done.

But that’s not what’s going on with the SECURE Act. It’s preempting to impose weak protections for the whole country and prevent states from protecting their residents.

Overall, the SECURE Data Act isn’t a serious piece of legislation. It’s as if it was downloaded directly from the id of the Chamber of Commerce. It’s a massive gift to industry with a bow, and it throws the American people under the bus.

There are ways to protect privacy rigorously, hold companies accountable for data collection and use, and still have robust innovation. Companies can make healthy profits from using personal data without destroying privacy or undermining society. Real solutions are out there. Productive ideas are out there. It would be wonderful to see a truly good faith effort to enact a good law. The SECURE Act is the opposite of that, and hopefully the bill will go to the Congressional trash bin.

If you’re interested in learning more about my thoughts on how to regulate privacy, check out my book, ON PRIVACY AND TECHNOLOGY (Oxford University Press 2025).

* * * *

Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 180 courses.
