SECURE Data Act: Privacy Law Fails Real Americans

The promise of a federal privacy law in the U.S. is at a crossroads, and the recently proposed SECURE Data Act is drawing fire for failing to deliver meaningful protections. Critics argue it's a step backward, potentially weakening existing safeguards for millions.

Key Takeaways

  • The SECURE Data Act is criticized for its weak data collection standards, potentially mirroring and even weakening existing state privacy laws.
  • Critics argue the bill's reliance on "notice and choice" allows companies to continue extensive data collection and use, as the disclosure requirements are easily circumvented.
  • The Act is accused of failing to establish strong protections for sensitive personal data, a trend seen as moving backward from evolving state-level regulations.

When lawmakers in Washington announce a new bill aimed at protecting American data privacy, it should signal a victory for everyday citizens navigating an increasingly data-hungry digital world. Think about it: our smart refrigerators are listening, our cars track our every turn, and the apps on our phones are chronicling our lives in granular detail. So, when a bill lands with the imprimatur of “SECURE Data Act,” the expectation is clear: stronger guardrails, real limits on who can collect what, and actual control over our personal information. Instead, what’s landed on the legislative floor is, according to privacy advocates, a legislative non-starter—a bill so fundamentally flawed that it might actually make things worse.

The core issue isn’t whether a federal privacy law is needed; that consensus is broad, bordering on universal. The question, as always, is whether the law actually does anything. And here’s the thing: the SECURE Data Act, as presented by House Energy & Commerce leadership, appears to not only fall short of strong privacy standards but to actively dismantle them. Reports from organizations like EPIC (the Electronic Privacy Information Center) paint a grim picture: a bill that sets the bar lower than many existing state laws and could erase stronger protections already in place in other states. This isn’t just a missed opportunity; it’s a potential rollback of hard-won privacy rights.

Letting Data Collection Continue Unchecked

The bill’s foundational flaw seems to be its continued reliance on the tired “notice and choice” model. This is the old playbook where companies get to collect vast amounts of data, use it however they please, and the only real recourse for consumers is to sift through dense, often incomprehensible privacy policies. As anyone who has ever tried to actually read one of these knows, it’s less about informed consent and more about disclaimers. The SECURE Data Act, in this analysis, doesn’t just allow the status quo of rampant data collection and sale to continue; it effectively codifies it. It’s like giving a fox a new, more detailed map of the hen house and calling it security.

The bill states: “A controller shall limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to each purpose for which the data is processed, as disclosed to the consumer.” This language is deceptively weak. The Connecticut Attorney General’s office, in reviewing similar language in their state’s law, identified it as an “exploitable standard.” Why? Because companies can simply declare that their data collection is “adequate, relevant and reasonably necessary” for a disclosed purpose. This gives them carte blanche to collect what they want, provided they write it down somewhere, knowing full well that most users won’t read it, won’t understand it, and certainly won’t be able to negotiate it. The only “choice” offered is to forgo the service entirely—a choice most consumers can’t realistically make in today’s interconnected world.

“This standard contravenes data minimization principles outright—it allows businesses to collect data they simply do not need so long as it is disclosed in privacy notices that are often bulky, confusing, or worse, misleading.”

This critique, coming from a state AG, isn’t just academic nitpicking. It highlights how easily this type of language can be gamed. The AG’s office even called for amendments to mirror Maryland’s law, which employs a much stricter standard: collection limited to what’s “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” That’s a meaningful constraint. The SECURE Data Act, by comparison, looks like an open invitation for continued data overreach. And that’s before we even get to the sprawling exemptions and rules of construction that seem designed to make the already weak protections even less applicable.

Ignoring the Data Minimization Trend

Perhaps the most galling aspect is how the SECURE Data Act appears to ignore the growing consensus around protecting sensitive personal data. Many major tech companies already disclose that they don’t sell or use sensitive data for targeted advertising. It’s a basic acknowledgment of consumer expectations and, frankly, good business practice. Yet the SECURE Data Act, according to its critics, seems to pave the way for companies to collect, use, and sell Americans’ sensitive data with fewer restrictions than currently exist or are voluntarily adopted.

This is where the legislative misstep becomes truly jarring. Instead of building on existing best practices and the clearer standards emerging in states like Maryland (standards that often draw from federal blueprints like the ADPPA and APRA), the SECURE Data Act seems determined to regress. It’s a move that feels less like forward-thinking legislation and more like an attempt to preserve an extractive business model for Big Tech, dressed up in the language of consumer protection.

For real people, this means the continued erosion of privacy. It means that sensitive details about our health, our finances, our beliefs, and our relationships could be fair game for data brokers and advertisers, all under the guise of a federal law that promised protection but delivered a loophole. The market dynamics here are clear: companies that profit from data want as little regulation as possible. Legislation that appears to empower them, rather than rein them in, is a win for those companies but a loss for the individuals whose data fuels their profits.

A Historical Parallel: The Wild West of the Early Internet

This feels eerily familiar. In the early days of the internet, the prevailing ethos was “move fast and break things.” Data privacy was an afterthought, a vague concept discussed in academic circles but with little real-world impact. It took decades, a series of high-profile scandals, and the gradual emergence of more responsible actors (and stronger regulations elsewhere, like the GDPR) for privacy to even enter the mainstream conversation in the U.S. The SECURE Data Act threatens to slam the brakes on this progress, pushing us back toward that Wild West mentality.

What’s particularly concerning is the potential for preemption. If a federal law like this passes, it could override stronger privacy protections enacted by states. This means that Californians, who currently benefit from strong data rights under the CCPA/CPRA, could find their protections diluted by a weaker federal standard. This isn’t just a policy debate; it’s about the tangible rights individuals have over their own information. A weak federal law, especially one riddled with exploitable language, is worse than no federal law at all because it creates a false sense of security while entrenching harmful practices.

Will This Actually Protect Americans?

Looking at the substance of the SECURE Data Act, the answer appears to be a resounding no. It seems to prioritize corporate disclosure over genuine consumer control, broad allowances over strict limitations, and the continuation of existing data monetization schemes over the establishment of meaningful privacy rights. The data-driven analyst in me sees a bill that caters to market interests that benefit from lax regulation, not one designed to safeguard the public in an era where data is the new currency.

It’s time for Congress to go back to the drawing board. Americans need a privacy law that is strong, enforceable, and genuinely protects their fundamental right to privacy, not one that offers the illusion of security while leaving them exposed.


Written by
Legal AI Beat Editorial Team

Originally reported by EPIC - Electronic Privacy