Tech Policy Press• Apr 26, 2026• 29:24Interview

Unpacking the SECURE Data Act

From Tech Policy Press

Eric Null•Director of the Privacy and Data Program at the Center for Democracy and Technology

Executive Summary

The latest attempt at a US federal privacy law, the Republican-led SECURE Data Act, is analyzed as a significant step backward from previous bipartisan efforts like ADPA and APRA.
The bill is heavily criticized for its weak data minimization standards, narrow definition of sensitive data, broad exemptions that benefit AI training, and lack of protections against manipulative 'dark patterns'.
A primary concern is the bill's broad preemption clause, which threatens to nullify stronger state-level privacy and civil rights laws, effectively creating a low federal ceiling for data protection.
The discussion also highlights the tension between competition policy and privacy, citing California's BASED Act as an example where interoperability mandates could create new risks like forced message decryption.

9 quotes

Concerns Raised

The SECURE Data Act's broad preemption clause will nullify stronger state privacy and civil rights laws.
The bill contains numerous loopholes and weak standards that codify the status quo rather than protect consumers.
The lack of a private right of action removes a key enforcement mechanism for individuals.
The insatiable demand for data to train AI models is exacerbating privacy risks, and the SECURE Act effectively exempts this activity.

Opportunities Identified

Passing a strong, bipartisan federal privacy law that sets a high standard (a floor, not a ceiling).
Learning from past bipartisan compromises on difficult issues like the private right of action.
Ensuring new competition laws include robust, built-in privacy protections to avoid unintended consequences.

Key Themes

The Failure of Federal Privacy Legislation

The U.S. has repeatedly failed to pass a comprehensive federal privacy law, with the latest proposal, the SECURE Data Act, being a partisan and weaker version of previous bipartisan bills (ADPA and APRA). This reflects a persistent legislative gridlock on a fundamental issue in the digital age.

The absence of a strong federal standard creates a complex and inconsistent patchwork of state laws, leaving consumers vulnerable and creating compliance uncertainty for businesses, especially as AI's data appetite grows.

Weakening Protections Through Loopholes and Preemption

The SECURE Data Act is framed as a pro-industry bill that codifies the status quo rather than enhancing consumer privacy. Its broad exemptions, weak data minimization rules, and narrow definitions are compounded by a powerful preemption clause that would invalidate stronger state laws.

This approach would establish a low federal ceiling for privacy rights, reversing progress made in states like California and Illinois and potentially gutting meaningful civil rights and biometric data protections nationwide.

Privacy as a Civil Rights Issue

The conversation emphasizes that data privacy is inextricably linked to civil rights, particularly in the context of AI and automated decision-making. The SECURE Data Act's civil rights provisions are dismissed as performative, merely restating existing law while its preemption clause threatens to undermine state-level anti-discrimination enforcement.

As AI systems are increasingly used for consequential decisions in employment, housing, and finance, weak data protection laws can facilitate the collection of data that perpetuates and amplifies systemic biases, making robust civil rights safeguards essential.

The Intersection of Competition and Privacy

The discussion explores the unintended privacy consequences of competition-focused legislation, using California's proposed BASED Act as a case study. Mandating interoperability between tech platforms without sufficient privacy safeguards could create new vulnerabilities, such as forcing the decryption of end-to-end encrypted messages.

This highlights the need for holistic policymaking, ensuring that efforts to curb monopolistic power in the tech sector do not inadvertently compromise user security and privacy by creating new avenues for data exploitation.

Get started free

Topics

Federal Privacy Law SECURE Data Act American Data Privacy and Protection Act (ADPA)American Privacy Rights Act (APRA)Data Minimization Preemption State Privacy Laws Civil Rights AI Training Data Dark Patterns Private Right of Action Biometric Privacy Competition Policy Interoperability California BASED Act

Processed May 4, 2026 yt-dlp + mlx-whisper + Gemini

You're reading a preview

Get started free →