SECURE Data Act
Sponsored By: Representative Joyce (PA)
Introduced
Summary
Establishes a federal privacy baseline that gives people clear rights over their personal data and creates rules for companies and data brokers. It pairs consumer rights with security standards and a public data‑broker registry.
Bill Overview
Analyzed Economic Effects
8 provisions identified: 5 benefits, 0 costs, 3 mixed.
New consumer privacy rights and notices
If enacted, you would get new rights to confirm and access your personal data, correct inaccuracies, delete data, and get portable digital copies when technically feasible. You would be able to opt out of targeted advertising, sale of personal data, and profiling used for legally or similarly significant decisions. Before processing, companies would have to give clear privacy notices that list data types, purposes, recipients, and how to use your rights. You would get up to two free requests per right per year, and companies would generally have 45 days to respond, with one 45‑day extension.
Stronger rules for sensitive and teen data
If enacted, the bill would treat race, religion, health, sexual orientation, immigration status, genetic or biometric identifiers, precise location, and data collected from children or teens as sensitive. Controllers generally would need a consumer's consent before processing sensitive data. Child data must follow COPPA, and teen data would require verifiable parental consent. These sensitive‑data consent rules would take effect two years after enactment.
Data brokers must register and disclose
If enacted, a company that collects data about people who are not its customers and that gets at least 50% of revenue from selling personal data would be a 'data broker.' Data brokers would have to publicly say they are brokers and explain how consumers can use privacy rights. They would have to register with the FTC within 12 months and file annual updates and fees. The FTC would create a public searchable registry within 18 months.
Enforcement, state preemption, and cure
If enacted, violations would be enforced by the Federal Trade Commission using its usual powers, but the FTC could not enforce the bill's civil‑rights processing prohibition and must transmit those complaints to the appropriate agencies. State attorneys general could sue for residents but generally must notify the FTC and wait at least 45 days. The FTC and State AGs must give a 45‑day cure period and a written cure would avoid an enforcement action for that allegation. Any contract clause that waives the bill's consumer rights would be void on enactment. The bill would also preempt state laws that relate to its provisions.
Who the bill covers and timing
If enacted, the bill would cover companies that do business with U.S. residents or that process or sell U.S. residents' personal data and that meet one of two tests. Test one: they process data about more than 200,000 people a year and have at least $25,000,000 in annual revenue (that revenue level would be adjusted each Jan. 1 by CPI‑U). Test two: they process data about at least 100,000 people a year and at least 25% of revenue comes from selling that data. Many government, health, education, and nonprofit groups listed in the bill would be exempt. Most provisions would take effect two years after enactment, but Sections 2, 4, and 5 would take effect one year after enactment.
Business duties, processors, and data rules
If enacted, the bill would define controllers as the parties that decide why and how data is used and processors as those acting for controllers. Processors would have to follow controller instructions, help with security and rights requests, and meet minimum contract terms like deletion and confidentiality rules. Companies using deidentified or pseudonymous data would have to commit not to re‑identify it and to monitor recipients. Companies could adopt Secretary‑approved codes or certifications to gain a rebuttable presumption of compliance.
Limits on automated profiling and bias
If enacted, companies that use fully automated profiling for decisions with legal or similarly significant effects would have to disclose that fact before the decision and provide an opt out. 'Profiling' means a decision made with no human review. The bill would also bar processing that violates federal anti‑discrimination laws and would prohibit companies from treating a consumer worse for exercising privacy rights.
International data flows and opt-out study
If enacted, the Secretary would advise the President and federal agencies on cross‑border personal data flows and could enter agreements with foreign governments that must be sent to two congressional committees within 60 days. The Secretary would also issue a public report within 3 years on the feasibility of a universal opt‑out tool, like a browser or device setting, that would let consumers opt out of data processing under the bill's scope.
Sponsors & CoSponsors
Sponsor
Joyce (PA)
PA • R
Cosponsors
Rep. Fry, Russell [R-SC-7]
SC • R
Sponsored 4/21/2026
Kean
NJ • R
Sponsored 4/21/2026
Obernolte
CA • R
Sponsored 4/21/2026
Langworthy
NY • R
Sponsored 4/21/2026
Goldman (TX)
TX • R
Sponsored 4/21/2026
Rep. Griffith, H. Morgan [R-VA-9]
VA • R
Sponsored 4/21/2026
Balderson
OH • R
Sponsored 4/21/2026
Fedorchak
ND • R
Sponsored 4/21/2026
Roll Call Votes
No roll call votes available for this bill.