Skip to main content
ComplianceData Protection

House Republicans Unveil National Data Privacy Bill

Person stands in formal setting with blurred tech background, symbolizing data privacy.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” said Brett Guthrie, R-Ky., Chair of the House Energy and Commerce Committee and Rep. John Joyce, R-Pa., who led a working charged with developing the draft legislation, in a statement.

What the Secure Data Act would do

House Republicans unveiled the Secure Data Act as Congress’ latest attempt at a national privacy law. The draft would allow consumers to opt out of data collection by individual businesses for three specific purposes: targeted advertising, selling to third parties, and use in automated decisionmaking. It would also require businesses to notify consumers when their personal data is being collected or used, provide consumers with a portable copy of that data, and give parents consent rights over the data collection of teenagers.

On data handling, the bill would impose a limit on collection to what is “adequate, relevant and reasonably necessary” and require businesses to collect data only for purposes disclosed to consumers in advance. Companies would be required to adopt new safeguards for customers’ personal data and disclose any third parties they share or sell data to — explicitly including adversarial foreign governments like Russia and China in that disclosure requirement.

Federal Trade Commission role and a national data broker registry

The draft increases the Federal Trade Commission’s authority over data brokers — firms that buy, collect, repackage and sell personal data. Under the bill, data brokers would be required to register with the FTC, comply with data minimization, disclosure and data security mandates, and the legislation would create a new national data broker registry.

Advocates and industry observers characterized this approach as strengthening federal supervision of the commercial middlemen who accumulate and resell consumer profiles.

Critiques from privacy advocates and Democratic lawmakers

Not everyone welcomed the draft. Rep. Frank Pallone, D-N.J., ranking member on the House Energy and Commerce Committee, said he opposed the bill and accused House Republicans of having “lost the plot” on national privacy legislation. “This Republican privacy bill protects corporations and their bottom line, not people’s privacy,” Pallone said in a statement. “We should be protecting the little guy with a bill that empowers consumers, not one that preempts consumer protections at the behest of Big Tech.”

Privacy groups raised several substantive objections. Eric Null, director of the privacy and data project at the Center for Democracy and Technology, called the Secure Data Act full of “easily exploitable loopholes” that would let companies “hide behind cookie banners and lengthy terms of service rather than establishing meaningful privacy protections.” Null also criticized the draft’s treatment of AI, saying the bill “does neither sufficiently” to protect against AI-related privacy harms such as limiting data collection for AI training or preventing discriminatory uses of the technology.

The American Civil Liberties Union’s senior staff attorney Cody Venzke said the GOP-led bill “places the onus on regular people” to sift through complex privacy policies to request opt out or deletion, and “leaves us without real recourse – even blocking us from going to court – if our requests go unanswered.”

Internal GOP process, conservative legal framing, and potential weaknesses

Republican drafters described the bill as the product of more than 16 months of internal discussion and consensus-building within the GOP majority. A working group led by Rep. John Joyce, R-Pa., solicited feedback from 170 organizations and received more than 250 public responses to a Request for Information released last year.

Cobun Zwiefel-Keegan, managing director at the International Association of Privacy Professionals, said the draft most resembles privacy laws passed by Virginia or Kentucky, emphasizing notice and consumer opt-out rights tied to “reasonable” standards of business compliance. But Zwiefel-Keegan also noted features that could make the federal law weaker than some state regimes — including federal preemption of more robust state privacy laws like California’s, the lack of a private right of action allowing individuals to sue companies directly, and a mandatory 45-day “curing” period that lets companies in violation come into compliance and avoid formal sanctions.

What this means for consumers, businesses, and state governments

  • Consumers: Would gain specified opt-out rights, notice, data portability and parental consent for teenagers — but advocates warn enforcement gaps and the absence of a private right of action may leave individual remedies limited unless regulators act.
  • Businesses and data brokers: Would face new constraints on collection — limited to data that is “adequate, relevant and reasonably necessary” — and new obligations to register (for brokers), disclose sharing partners, and adopt security safeguards; critics say some compliance pathways (cookie banners, lengthy terms of service) could be used to satisfy notice without meaningful change.
  • State governments and state law guardians: Could see a clash over preemption, with Zwiefel-Keegan cautioning that the draft’s federal preemption could undercut more stringent state laws and produce pushback from representatives in states with existing privacy regimes.

Guthrie and Joyce closed their joint statement by saying they “look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.” Observers quoted in the release suggested the bill could pass out of committee but cautioned broader passage would depend on attracting some Democratic votes and navigating concerns among representatives whose state laws might be preempted.

Original story: https://cyberscoop.com/house-republicans-release-national-privacy-legislation/