
House GOP Proposes SECURE Data Act and GUARD Act for Nationwide Privacy Framework

Source: JD Supra Finance & Banking

Summary

House Energy and Commerce Committee Republicans released the SECURE Data Act (H.R. 8431) and the GUARD Financial Data Act (H.R. 8398) on April 22, 2026, following over a year of stakeholder consultation with 170+ parties and 250+ written responses. The SECURE Data Act would establish a nationwide privacy framework with consumer rights (access, correction, deletion, portability, opt-out), controller/processor obligations, opt-in consent for sensitive data including teens, and a federal data broker registry. The Act would preempt state privacy laws and be enforced by the FTC and state attorneys general, but notably excludes private rights of action. Implementation would be phased, with controller, data security, and data broker provisions effective one year after enactment and remaining provisions effective two years after enactment.

“The Act applies to entities that (1) collect and process the personal data of more than 200,000 individuals annually and have an annual gross revenue of at least $25 million or (2) collect and process data of at least 100,000 individuals and derive 25% or more of their annual gross revenue from selling that data.”

Published by Akin Gump on jdsupra.com. Detected, standardized, and enriched by GovPing.

About this source

JD Supra is the legal industry's open library where US and UK law firms publish client alerts, regulatory analysis, and case commentaries. The Finance & Banking section aggregates everything published by partners at firms covering bank supervision, payments, capital markets, fintech, securitization, AML, and consumer finance. Around 400 alerts a month from across the bar. Watch this if you want primary-source law-firm thinking on the latest CFPB rule, OCC bulletin, FCA consultation, or Basel update, before it shows up in trade press. The signal-to-noise ratio is genuinely good because firms only publish when they have something to say to their own clients. GovPing pulls each alert with the firm name, author, and topic.

What changed

The SECURE Data Act would establish a comprehensive federal privacy framework applying to entities processing data of more than 200,000 individuals annually with annual gross revenue of at least $25 million, or entities processing data of at least 100,000 individuals while deriving 25% or more of annual gross revenue from data sales. Covered entities must comply with data minimization standards, purpose limitation rules, and heightened protections for sensitive data including health information, biometric data, and data collected from children under 13 and teens under 16. Controllers must provide clear privacy notices and honor consumer rights requests within 45 days. Data brokers would be required to register annually with the FTC and publicly disclose their status.

Organizations with mature state privacy law compliance programs (such as those operating under CCPA, VCDPA, or CPA) may be comparatively well positioned to adapt, though entities should closely examine the Act's purpose limitation standard, sensitive data consent requirements, and data broker provisions. The broad preemption language would eliminate compliance complexity from varying state laws but would require careful review of existing exemptions for entities already subject to HIPAA, GLBA, FCRA, FERPA, and other sectoral federal laws. The phased one- to two-year implementation timeline provides a compliance runway, but organizations should begin gap assessments against the Act's controller and processor obligations now.

Archived snapshot

Apr 27, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

April 27, 2026

House GOP Unveils Landmark Comprehensive Privacy Draft Alongside GLBA Proposal


[co-author: Francine Baidoo]

Key Points

  • House Republicans have unveiled their long-awaited comprehensive privacy draft, the SECURE Data Act, alongside GLBA modernization legislation, following a year-long stakeholder-driven process conducted without Democratic involvement.
  • The Act would preempt state laws and regulations relating to its provisions and would be enforced by the FTC and state attorneys general. The measure does not authorize private rights of action. These provisions are expected to be sticking points for Democrats as the measure advances. The SECURE Data Act would create a nationwide privacy framework, establishing a new set of consumer rights applying to large data processors, imposing controller/processor obligations, requiring opt-in consent for sensitive data (including teens), and establishing a data broker registry.
  • The Act includes a phased implementation timeline, with key provisions on controllers, data security and data brokers effective after one year and all remaining provisions taking effect after two years.
  • The E&C Committee is expected to hold a legislative hearing on the Act in the coming weeks.

Overview

On April 22, 2026, the House Energy and Commerce (E&C) Committee Republicans, via the GOP Data Privacy Working Group, unveiled their long-awaited comprehensive privacy proposal, the SECURE Data Act (H.R. 8431), also joining the House Financial Services Committee (HFSC) in unveiling a Gramm-Leach-Bliley Act (GLBA) modernization proposal, the GUARD Financial Data Act (H.R. 8398).

The comprehensive privacy bill is the product of a more than year-long negotiation led by the Working Group since its formation in February 2025, in consultation with over 170 stakeholders and over 250 written responses. The measure is drafted to preempt state privacy laws and notably does not include a private right of action, which is likely to remain a sticking point for Democrats.

Unlike past comprehensive privacy proposals, the bill was drafted without consultation with Committee Democrats, in contrast to the 2022 American Data Privacy Protection Act (ADPPA) and the 2024 American Privacy Rights Act (APRA; see prior alert here), both of which were bipartisan, bicameral efforts that ultimately stalled. The former lost traction due to opposition from California lawmakers, who opposed the preemption language, and from Senate Commerce Committee Ranking Member Cantwell (D-WA), who advocated for a stronger private right of action. While Ranking Member Cantwell subsequently cosponsored the 2024 APRA, a version of which passed a House E&C Subcommittee on May 23, 2024, the bill failed to advance to a June 2024 E&C Full Committee markup, despite the release of revised text that addressed House GOP concerns about the breadth of the bill and its inclusion of a private right of action.

The bill comes as Congressional Republicans kick off work on a separate effort to implement the White House’s artificial intelligence (AI) legislative recommendations, which serve as a legislative roadmap organized around seven broad policy goals spanning multiple Congressional committees (see prior alert here).

Looking ahead, the E&C Committee’s Commerce, Manufacturing, and Trade (CMT) Subcommittee is expected to hold a legislative hearing on the SECURE Data Act in the coming weeks. Despite renewed legislative momentum on privacy, Congress heads into the coming months with a compressed legislative calendar and a narrow set of priorities, driven largely by the approaching midterm elections and limited floor time. Leadership in both chambers is expected to focus primarily on must-pass legislation and a handful of politically salient issues, rather than pursuing sweeping new policy initiatives.

A summary of the SECURE Data Act is below.

SECURE Data Act

The SECURE Data Act would establish a broad nationwide framework governing consumer privacy rights and organizational obligations around the collection, use and protection of personal data. The Act applies to entities that (1) collect and process the personal data of more than 200,000 individuals annually and have an annual gross revenue of at least $25 million or (2) collect and process data of at least 100,000 individuals and derive 25% or more of their annual gross revenue from selling that data. Data used solely for payment transactions is excluded from these thresholds.

The measure includes distinct obligations for controllers and processors; heightened protections for sensitive data, requiring opt-in consent and extending those protections to teens; and a data broker registration list.

The Act provides for a phased implementation, with provisions governing controllers (Sec. 3), data security (Sec. 4), and data brokers (Sec. 5) taking effect one year after enactment, and all remaining provisions becoming effective after two years.

Consumer Privacy Rights (Sec. 2)

The SECURE Data Act grants consumers rights to access, correct, delete and port personal data, as well as the right to opt out of targeted advertising, the sale of personal data and profiling used for decisions with legal or similarly significant effects.

The bill requires controllers to obtain opt-in consent for the processing of “sensitive data,” which is defined to include non-exempt:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify an individual
  • Any personal data collected from a child (under the age of 13) or teen (under the age of 16), requiring verified parental consent for teens
  • Precise geolocation data

To effectuate these rights, controllers must respond to consumer requests without undue delay and within 45 days, provide a formal appeals process and support at least two free requests per year per right. An additional 45-day extension may be provided when reasonably necessary, with notice and justification.

Controllers (Sec. 3)

This section establishes the core substantive compliance obligations for organizations acting as “controllers,” or entities “that, alone or jointly with others, determine the purpose and means of processing personal data,” and it is anchored by a strong data minimization standard. Controllers must limit data collection to what is “adequate, relevant and reasonably necessary” for disclosed purposes.

The measure also introduces a strict purpose limitation rule, prohibiting secondary uses that are not “reasonably necessary or compatible” with the original disclosed purpose absent consent.

Before processing the personal data of a consumer, a controller must provide that consumer with a reasonably accessible, clear and meaningful privacy notice that includes:

  • Categories of personal data processed
  • Specific processing purposes
  • Consumer rights and appeals processes
  • Categories of third parties and government disclosures
  • Whether personal data processed by the controller is transferred to, processed in, stored in or sold to “covered nations,” defined to include North Korea, China, Russia and Iran

Before collecting or selling personal data, or using it for targeted advertising, controllers must provide clear and conspicuous disclosures describing such activities and informing consumers how to exercise their opt-out rights. In addition, where controllers use profiling to make decisions with legal or similarly significant effects, they must provide advance notice that the decision will be made using automated means and explain how consumers can opt out of that profiling.

The bill also includes non-discrimination provisions, prohibiting adverse treatment of consumers exercising their rights, while explicitly permitting loyalty and incentive programs.

Data Security (Sec. 4)

The SECURE Data Act requires controllers to implement reasonable administrative, technical, and physical safeguards, calibrated to the volume and sensitivity of the data processed.

The Act introduces a rebuttable presumption of compliance where organizations (1) adhere to approved codes of conduct or certification programs, or (2) implement recognized risk management frameworks and industry-standard security practices.

Data Brokers (Sec. 5)

The Act introduces a federal data broker registry and disclosure regime that would require data brokers to:

  • Publicly disclose their status as data brokers and provide straightforward information on how consumers can exercise their rights
  • Register annually with the Federal Trade Commission (FTC)
  • Provide detailed disclosures to the FTC, including categories of data sold, prior security incidents and credentialing practices

Within 18 months of enactment, the FTC must establish and maintain a searchable central registry of data brokers that includes (1) a search feature that allows a person searching the registry to identify a data broker, (2) a link to each data broker’s privacy policy and (3) a link to a website published by each data broker that informs a consumer how to exercise any consumer right.

Processors (Sec. 6)

The Act also formalizes controller-processor relationships. “Processors,” or entities “that process personal data on behalf of a controller,” must act strictly on controller instructions and assist controllers in complying with the Act, including supporting responses to consumer rights requests and broader compliance obligations through appropriate technical and organizational measures. Controller–processor relationships must be governed by detailed contracts specifying processing instructions, purposes, data types, duration, and the respective rights and obligations of each party.

The measure also sets baseline contractual requirements, including confidentiality obligations for personnel, data deletion or return at the end of services, availability of information to demonstrate compliance, and mechanisms for audits or independent assessments. It further requires flow-down obligations to subcontractors.

Finally, the measure establishes that contractual arrangements do not relieve either party of liability and sets out a fact-based test for determining whether an entity is acting as a controller or processor, specifically noting that a processor that determines the purposes and means of processing becomes a controller for that activity.

Deidentified and Pseudonymous Data (Sec. 7)

The Act establishes a framework for deidentified and pseudonymous data, providing conditional relief from certain obligations.

To qualify, controllers must take reasonable steps to prevent re-identification and make a public commitment not to re-identify, contractually binding downstream recipients to the same standards. It also imposes an ongoing oversight obligation, requiring controllers to monitor compliance with these contractual commitments and take action if violations occur.

The provision further clarifies that pseudonymous data may be exempt from consumer rights requests where identifying information is kept separately and protected by appropriate technical and organizational measures. In addition, it makes clear that controllers and processors are not required to re-identify data, maintain data in identifiable form, or collect additional data solely to fulfill consumer requests.

Finally, the text limits obligations to respond to consumer rights requests where re-identification is not reasonably possible or would be unduly burdensome, provided the controller does not attempt to link the data to a specific individual or disclose it broadly.

Codes of Conduct and Certifications (Sec. 8)

This section would establish a formal mechanism for developing, approving, and enforcing industry codes of conduct as a means of demonstrating compliance with the Act.

It allows controllers and processors (individually or collectively) to submit voluntary codes of conduct for government approval, provided those codes meet or exceed statutory requirements and are administered by an independent oversight organization responsible for assessing compliance and referring violations to regulators. The provision creates a structured review and approval process, including public comment and defined timelines.

The provision allows for modification review, withdrawal of approval where codes become insufficient, and opportunities to cure deficiencies. Participating entities must publicly certify compliance.

The provision creates a rebuttable presumption of compliance for entities adhering to an approved code of conduct. It also directs the development of tailored, voluntary codes for small businesses, and expressly recognizes certification pursuant to the Global Cross Border Privacy Rules System, or any successor system, as equivalent participation.

Cross-Border Data Flows (Sec. 9)

The Act assigns the U.S. Department of Commerce a central role in managing international data transfers, designating the Secretary as the principal advisor to the President on international personal data flows and privacy in global commerce, and directing the Secretary to assess foreign data protection regimes for alignment with U.S. standards and their impact on U.S. consumers, businesses, competitiveness, and national security. The provision further requires the development of policy recommendations to promote the benefits of cross-border data flows, address restrictive foreign practices, and mitigate risks from certain foreign actors.

In addition, it authorizes the Secretary to develop and promote international frameworks, certifications, and partnerships to facilitate data transfers while maintaining privacy protections, and to coordinate across federal agencies. The Secretary is also empowered to enter into international agreements to support cross-border data flows, subject to guardrails ensuring consistency with the Act, U.S. economic and security interests, and congressional notification requirements.

Study on Universal Opt-Out Mechanisms (Sec. 10)

Rather than mandating a universal opt-out, the Act directs the Commerce Department to, within three years of enactment, conduct a study on feasibility, including technical implementation, consumer usability and impact on legitimate data processing.

Rules of Construction (Sec. 11)

The language clarifies that the Act does not restrict certain routine, beneficial, or legally protected uses of personal data.

It permits controllers and processors to collect, use and retain personal data for internal business purposes, such as research and development, product improvement, recalls and fixing technical issues, as well as for operations that are reasonably expected, compatible with the consumer relationship or necessary to provide requested services or perform contracts. It also preserves the ability to share personal data in privileged communications under existing legal protections.

Additionally, it provides a safe harbor for compliant disclosures, shielding a disclosing entity from responsibility if a downstream recipient misuses the data and the discloser lacked knowledge of the intended violation.

Enforcement (Sec. 12)

As noted above, the bill declines to provide for a private right of action. Enforcement authority is vested in the FTC and state attorneys general (AGs), with violations treated as unfair or deceptive acts under the FTC Act. Specifically, the bill allows state attorneys general to bring civil actions in federal district court, as parens patriae on behalf of their residents, if they have reason to believe such residents have been adversely affected by a violation of the Act.

Applicability (Sec. 13)

The Act applies to entities that (1) collect and process the personal data of more than 200,000 individuals annually and have an annual gross revenue of at least $25 million or (2) collect and process data of at least 100,000 individuals and derive 25% or more of their annual gross revenue from selling that data. Data used solely for payment transactions is excluded from these thresholds.

Further, the Act includes a broad range of entity-based exemptions for:

  • Government agencies and their processors
  • Financial institutions already regulated under the Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates
  • Nonprofits and certain mission-driven organizations (e.g., anti-fraud entities)
  • Higher education institutions and specific statutory entities

In addition, the Act provides nuanced exemptions for the following categories of data:

  • Health information (including, for example, “health records” as defined by the Act and substance use disorder patient records subject to 42 C.F.R. Part 2 (Part 2))
  • Clinical research data governed by human research subject protections
  • Employment and HR data
  • Consumer reporting data governed by the Fair Credit Reporting Act (FCRA)
  • Educational records under the Family Educational Rights and Privacy Act (FERPA)
  • Driver and motor vehicle data under the Driver’s Privacy Protection Act of 1994 (DPPA)
  • Financial data under the GLBA
  • Certain agricultural, insurance and safety-related datasets

It also extends exemptions to data that has been de-identified to the HIPAA standard or included in a limited data set under HIPAA.

Application of State/Federal Law (Secs. 14-15)

As drafted, the bill would preempt any state law or provision that “relates to” its provisions, including state consumer privacy laws.

The bill would preserve existing federal sectoral laws, including those addressing:

  • Children’s privacy (COPPA)
  • Financial data (GLBA)
  • Health data (HIPAA, HITECH and related regulations; Part 2)
  • Human research subject protections
  • Consumer reporting (FCRA)
  • Education records (FERPA)
  • Various public health and safety reporting regimes

The provision also addresses the Communications Act of 1934, effectively carving out privacy regulation from the Federal Communications Commission’s (FCC) authority, stating that FCC rules will not apply to personal data practices covered by the Act, except in the narrow context of emergency services.

Additionally, the Act repeals the Video Privacy Protection Act (VPPA).

Conclusion

If advanced, the SECURE Data Act would represent the most consequential expansion of U.S. privacy rights in decades, immediately extending baseline consumer rights and data protection obligations to tens of millions of Americans who currently reside in states without comprehensive privacy legislation. With approximately 20 states now having enacted their own comprehensive privacy laws, a federal framework of this scope would meaningfully reshape the national compliance baseline and eliminate many of the geographic gaps that exist today.

Although broad federal preemption will remain a central point of debate, the bill’s allocation of enforcement authority to both the FTC and state attorneys general may mitigate some concerns by preserving a role for state regulators. Similarly, while the absence of a private right of action is likely to cause debate, that feature aligns with the enforcement model used by several existing state privacy laws and could be less of an impediment in this legislative cycle than in prior efforts.

From an operational standpoint, the SECURE Data Act largely reflects concepts already familiar to organizations subject to state privacy laws, including data minimization, consumer rights workflows, opt-in consent for sensitive data and controller–processor governance. Companies with mature state law compliance programs may be comparatively well positioned, though the Act’s purpose limitation standard, sensitive data consent requirements and data broker provisions warrant close attention.

While the Act includes extensive language aiming to leave many existing federal privacy regulatory regimes intact, the exemptions require careful consideration.

Whether this proposal can advance amid long-standing partisan differences remains uncertain. Nevertheless, its release underscores that federal privacy preemption is not speculative and organizations should assess how their existing compliance frameworks would translate to a uniform national regime.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

© Akin Gump Strauss Hauer & Feld LLP 2026

Written by: Akin Gump Strauss Hauer & Feld LLP (Reggie Babin, Marshall Baker, Jenna Becker, Edward Block, Taylor Daly, Rita Heimes, Casey Christine Higgins, Joseph Hold, Natasha Kohne, Maida Oringher Lerner, Ed Pagano, Hans Christopher Rickhoff, Alexis Ward, Evan Wolff)


Published in: Consumer Privacy Rights, Data Brokers, Data Privacy, Data Security, Federal Trade Commission (FTC), New Legislation, Preemption, Privacy Laws, Sensitive Personal Information, State Attorneys General, Finance & Banking, Privacy


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from Akin Gump.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: Akin Gump
Published: April 27th, 2026
Instrument: Notice
Branch: Legislative
Bill ID: H.R. 8431
Legal weight: Non-binding
Stage: Consultation
Change scope: Substantive

Who this affects

Applies to: Technology companies; Consumers; Government agencies
Industry sector: 5112 Software & Technology
Activity scope: Privacy compliance; Data broker registration; Consumer rights implementation
Threshold: Entities collecting/processing personal data of more than 200,000 individuals annually with annual gross revenue of at least $25 million; or collecting/processing data of at least 100,000 individuals and deriving 25% or more of annual gross revenue from selling that data
Geographic scope: United States (US)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Compliance frameworks: GDPR; CCPA/CPRA
Topics: Consumer Protection; Cybersecurity; Intellectual Property
