US lawmakers push national data privacy rules amid state preemption concerns

House Republicans this week introduced a pair of sweeping data privacy bills designed to create parallel national frameworks for the nonfinancial and financial sectors in what they described as a coordinated effort to give consumers more control over their personal information.
Critics, however, say the bills would override and preempt years of stronger state privacy laws and do not go far enough.
The two measures are the SECURE Data Act, led by the House Committee on Energy and Commerce, and the GUARD Financial Data Act, led by the House Committee on Financial Services.
Both bills are aligned in substance and are intended to establish national standards in place of what Republicans call a confusing patchwork of state privacy laws. The move isn’t surprising given that Republicans have been pushing for legislative regimes that would preempt state laws regulating privacy and AI.
The two bills are meant to work in tandem while avoiding overlap. The SECURE Data Act would apply to nonfinancial firms that control consumer data, while exempting Gramm-Leach-Bliley Act-covered financial data and financial institutions.
The GUARD Financial Data Act, by contrast, would update the Gramm-Leach-Bliley Act and exempt nonfinancial firms and their operations from its scope.
“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safekeeping,” said Reps. Brett Guthrie, chairman of the House Committee on Energy and Commerce, and John Joyce, leader of the committee’s Data Privacy Working Group and chairman of the Oversight and Investigations Subcommittee.
The SECURE Data Act would establish a broad set of consumer rights over personal data held by covered entities, including the right to confirm whether a controller is processing a person’s data, access a copy of that data, correct inaccuracies, delete data provided by or obtained about the consumer, obtain portable copies where technically feasible, and opt out of targeted advertising, the sale of personal data, and certain forms of automated profiling that produce legal or similarly significant effects.
The bill also requires prior consent before processing sensitive data and includes special rules for children and teens.
Beyond individual rights, the bill would impose data minimization and use-limitation requirements on controllers, requiring them to collect only data that is adequate, relevant, and reasonably necessary for disclosed purposes, and barring incompatible secondary uses unless the consumer consents.
It also requires privacy notices explaining categories of data processed, purposes for processing, categories of data shared with other controllers or government entities, and whether personal data is transferred to, processed in, stored in, or sold to a covered nation.
The bill also goes beyond many recent state-style proposals by addressing data brokers directly. It would require data brokers to register with the Federal Trade Commission (FTC), disclose categories of personal data sold, report previously disclosed security incidents, and link consumers to mechanisms for exercising their rights.
The FTC would then have to establish and maintain a searchable national registry of those brokers.
Enforcement of the SECURE Data Act would primarily run through the FTC, with violations treated as unfair or deceptive acts or practices under the FTC Act.
State attorneys general also would be able to bring civil actions under the SECURE Data Act, though the bill includes a 45-day right-to-cure period before either the FTC or a state attorney general could proceed. Most of the bill would take effect two years after enactment, though its consumer-rights, data security, and data broker provisions would take effect after one year.
The separate GUARD Financial Data Act is narrower and includes data minimization, a continuing consumer opt-out right, limits on the use of account access credentials, expanded privacy notices, customer access to privacy policies, rights to request disclosure or deletion of nonpublic personal information, and an opt-in requirement for sensitive nonpublic personal information.
Under the bill, financial institutions would be required to limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary for each purpose for which the data is collected or disclosed.
It would also give customers and former customers the right to request disclosure of the nonpublic personal information a financial institution holds about them, along with categories of affiliates and nonaffiliated third parties to whom that information has been disclosed, subject to existing legal limits.
For former customers, the GUARD measure would create a deletion right, again with exceptions where data must be retained for continuing purposes, for Fair Credit Reporting Act-related functions, disputes, or other legal requirements.
Financial institutions would have to verify identity before honoring such requests and respond within 45 days, with one additional 45-day extension available when necessary.
The bill would also require new disclosures around how financial institutions use AI in collecting, processing, and using nonpublic personal information, and whether any consumer data is processed in, retained in, or disclosed to a covered nation.
It further regulates the use of consumer account access credentials by financial data aggregators and third parties, requiring clear notice and an opportunity for consumers to opt out before those credentials can be used to obtain account information.
And like the SECURE proposal, the GUARD bill includes an opt-in framework for sensitive data. It defines sensitive nonpublic personal information to include categories such as biometric data and precise geolocation data and says a consumer’s consent must be obtained before such information is initially collected or disclosed, with the right to revoke that consent at any time.
“The SECURE Data Act falls far short of protecting the privacy of American consumers,” said Justin Brookman, director of technology policy at Consumer Reports.
“This bill would be a significant step back for privacy in this country as it would replace several stronger state and local laws with a weak federal framework riddled with loopholes,” Brookman said, adding the “bill is also a substantial retreat from the protections included in bipartisan bills such as the American Data Privacy and Protection Act and the American Privacy Rights Act considered in recent Congresses.”
“As a partisan Republican bill, the draft does not include a private right of action, though the drafters of the bill are quick to point out that neither does the so-called consensus framework in the states,” said the International Association of Privacy Professionals (IAPP).
“As introduced,” IAPP said, “the SECURE Data Act would embrace a strong preemption regime, rendering moot any state law or provision that ‘relates to’ its provisions. This would likely preempt state consumer privacy laws, data broker registries, and possibly some sectoral state laws.”
Daniel Castro, vice president of the Information Technology & Innovation Foundation, said “Congress should move forward with legislation like the Secure Data Act” because “it reflects the right approach to federal privacy [by] establishing a clear, consistent national framework that prioritizes meaningful consumer data protections.”
“Manufacturers are encouraged that this first-of-its-kind federal law would establish a uniform national framework that is both forward-looking and adaptable to new technology, while avoiding the regulatory morass of a 50-state patchwork,” said National Association of Manufacturers Executive Vice President Erin Streeter.