What the two bills are
- SECURE Data Act (Energy & Commerce Committee)
  - Comprehensive federal privacy framework covering most consumer personal data across sectors.
  - Led by Rep. John Joyce (R‑Pa.), backed by Chair Brett Guthrie (R‑Ky.).
  - Draws heavily on existing state privacy models (e.g., Virginia/Kentucky‑style laws), providing access, deletion, and opt‑out rights, but no general private right of action; enforcement sits with the FTC and state AGs.
  - Imposes limits on processing of “sensitive data” (health, location, biometrics, children under 13, etc.), and on targeted advertising and data sales.
- GUARD Financial Data Act (Financial Services Committee)
  - Sectoral bill focused on financial data and modernizing/expanding federal financial privacy standards.
  - Led by House Financial Services Chair French Hill (R‑Ark.) and aligned with the broader GOP privacy framework.
  - Designed to create a unified standard for how financial institutions and fintechs handle consumer financial information, in coordination with the SECURE Act’s general rules.

Preemption of state privacy laws
- The SECURE Data Act uses a strong preemption clause that would render “moot” any state law that “relates to” its covered subject matter.
- This would likely wipe out:
  - Comprehensive state consumer privacy laws (e.g., California, Colorado, Virginia, New Jersey, etc.).
  - State data‑broker registry regimes, and potentially some other state‑level sectoral privacy standards, to the extent they overlap with the federal framework.
- Some state laws would remain, notably many data breach notification statutes and certain sector‑specific regulatory authorities (e.g., state insurance regulators), which the GOP drafters say they intend to preserve a role for.
- Politically, this is a key fault line: Democrats like Rep. Frank Pallone (D‑N.J.) are already criticizing the bills as protecting corporate interests by preempting stronger state protections and omitting a private right of action.

Core rights and obligations in the bills
Across the SECURE and GUARD proposals, the key substantive pieces include:
- Consumer rights
  - Access: right to obtain a copy of personal data held by covered entities.
  - Deletion: right to request deletion of personal data, with some exceptions.
  - Opt‑out: right to opt out of sale of data and certain targeted advertising/“profiling” uses.
  - Data portability: likely some right to receive data in a portable format (mirroring many state models).
- Business obligations
  - Data minimization: limit collection and use to what is “reasonably necessary and proportionate” for specified purposes.
  - Purpose limitation and transparency: clearer disclosures about what is collected, how it is used, and with whom it is shared.
  - Anonymization standards: new federal criteria for de‑identifying data and limiting re‑identification risk.
  - Data broker duties: brokers must clearly label their status and provide mechanisms for consumers to exercise rights.
- Special rules for sensitive data and kids
  - Additional restrictions or consent thresholds for sensitive categories like precise location, health data, biometrics, and children’s data.
  - Kids’ provisions build on, but are more limited than, some aggressive state youth‑privacy regimes that would be preempted.
- Enforcement
  - FTC as primary federal enforcer, with expanded authority under the statute.
  - State attorneys general and some sectoral state regulators (e.g., insurance) can also enforce, but no broad private right of action, so individual consumers generally cannot sue directly for violations.

Practical implications for industry and states
- For multi‑state businesses, especially nationwide platforms and financial institutions, a single federal standard would significantly simplify the current 20+ state law patchwork and reduce the need to track divergent state obligations.
- For firms that have built their compliance posture around California/CPRA‑style “highest bar wins” frameworks, a weaker federal ceiling with broad preemption may actually allow them to roll back some state‑specific features (e.g., certain heightened rights or remedies) while remaining compliant.
- States that have invested heavily in strong consumer privacy regimes, enforcement units, or data broker registries would see much of that authority curtailed, which is driving opposition from California‑aligned Democrats and privacy advocates.
- Passage is not guaranteed: prior comprehensive efforts like ADPPA and APRA have stalled over the same preemption and private‑right‑of‑action fault lines, and early statements from key Democrats signal similar friction here.




