• by Wendy Davis , 4 hours ago

The Secure Act, a proposed national privacy bill that would override laws in at least 22 states, "is worse than no federal data privacy law at all," the advocacy group Electronic Privacy Information Center plans to tell lawmakers on Wednesday.

"America needs a strong federal data privacy law. But the Secure Data Act is not the right approach," Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, will testify, according to her prepared statement submitted in advance of an Energy and Commerce subcommittee hearing about the bill.

The Republican-sponsored bill, introduced in April by Representative John Joyce (R-Pennsylvania) and modeled on a 2024 Kentucky law, would give consumers some rights over data that clearly identifies them -- including the right to learn if such data is being processed, and to opt out of its sale.

The measure also has a provision giving consumers the right to opt out of targeted advertising, but only if the ads are based on non-pseudonymous data. As currently drafted, that provision doesn't appear to give consumers the right to reject targeted ads based on mobile device identifiers, tracking cookies or other pseudonymous identifiers.

The bill additionally would also require companies to obtain consumers' consent to process "sensitive" data -- defined as including some forms of biometric data, personal data of users under 16, and data that "discloses" race, ethnic origin, religious belief, health diagnoses, sexual orientation, citizenship or immigration status.

Ad industry organizations including the umbrella group Privacy for America expressed support for the proposed law when it was introduced. At the time, Stuart Ingis, counsel to Privacy for America, said the organization endorses the idea that consumers have the right to opt out of targeted advertising based on pseudonymous data. He adds that the portion of the bill that doesn't appear to give consumers that right likely reflects a "drafting error that needs to be fixed."

The Electronic Privacy Information Center's Fitzgerald raises several concerns with the bill -- including that its approach gives businesses more leeway than in states that have prohibited the collection or sale of certain sensitive data. To date, four states -- Maryland, Oregon, Virginia and Connecticut -- have passed laws banning companies from selling data that can pinpoint someone's location within a 1,750-foot radius.

The Secure Act "strips residents of those states of their existing protections and gives companies a permission slip to sell our most sensitive personal information for profit," Fitzgerald says in her written remarks.

Kentucky Chamber of Commerce President and CEO Ashli Watts, plans to praise the bill for several reasons, including that it creates a single national standard.

"When every state writes its own law, even good policy creates a patchwork," she will say, according to her prepared testimony. "No business should have to navigate a 50-state compliance landscape just to protect their customers’ data."

Other witnesses expected to testify include Kate Goodloe, managing director of the Business Software Alliance, and Tyler R. Bridegan, former director of privacy and technology enforcement with the Texas attorney general's office.

The Secure Act grew out of an initiative dating to February 2025, when Republicans on the House Energy and Commerce Committee formed a working group to explore potential legislation.

Two prior bipartisan proposals -- both of which were opposed by the ad industry -- would have had tougher restrictions on the collection and use of data.

The American Data Privacy and Protection Act, proposed in 2022, would have prohibited companies from collecting or processing data about people's cross-site activity for ad purposes -- effectively outlawing one form of behavioral targeting.

The House Energy and Commerce Committee advanced that bill by a vote of 53-2 in 2022, but the full House didn't vote on the measure, and the Senate didn't hold hearings on it.

In 2024, Senator Maria Cantwell (D-Washington) and Representative Cathy McMorris Rodgers (R-Washington) unveiled the bipartisan American Privacy Rights Act. That bill, which failed to advance, also would have prohibited businesses from serving targeted ads to consumers based on their activity across unaffiliated sites and apps.