House Republicans introduced two sweeping bills on Wednesday that will preempt state data privacy laws if adopted, and enforce guardrails on how financial institutions and technology companies treat Americans’ data.
The SECURE Data Act and GUARD Financial Data Act are backed by multiple senior GOP leaders, including House Energy and Commerce Committee Chair Brett Guthrie, R-Ky., House Financial Services Committee Chair French Hill, R-Ark., and House Energy and Commerce Data Privacy Working Group Chair John Joyce, R-Pa.
Under the two legislative proposals, technology firms and financial institutions would be limited to only collecting consumer data that’s necessary to do their job, and consumers would get more access to their data. For example, consumers could obtain copies of their data collected by companies.
Consumers could also gain the right to request deletion of their data and would need to opt in before companies take any actions with sensitive data.
The bills also seek to end what lawmakers called in a brief the “confusing and ineffective privacy patchwork currently in place.” Currently, 20 states have enacted comprehensive data privacy laws. Most recently, that number includes Indiana, Kentucky, and Rhode Island.
In place of those laws, GOP lawmakers said the two federal bills will integrate “rights, requirements, and definitions from state comprehensive laws and retain a role for state enforcers, including Attorneys General and insurance regulators.”
Notably, lawmakers said that the proposals draw clear lines between non-financial companies and financial institutions: The SECURE Data Act would govern most companies, while the GUARD Financial Data Act would apply only to financial institutions.
The SECURE Data Act follows more than 250 written responses and meetings with 170 organizations conducted by the Energy and Commerce Data Privacy Working Group, according to a press release. Members of the data privacy working group are also sponsoring the act.
“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping. We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy,” Guthrie and Joyce said in a statement on the SECURE Data Act.
Hill and Reps. Bill Huizenga, R-Mich., Andy Barr, R-Ky., and Bryan Steil, R-Wis., said that the GUARD Financial Data Act “represents a significant step to strengthen consumer protections and ensure Americans have control over their financial data.”
While the SECURE Data Act requires that companies take “reasonable measures” to anonymize data, only the GUARD Financial Data Act mentions artificial intelligence (AI). It requires financial institutions to disclose how they use AI when collecting and handling nonpublic personal information.
In a statement, Eric Null, director of the privacy and data project at the Center for Democracy and Technology, criticized the SECURE Data Act for not protecting against AI-related privacy harms. He said any new federal privacy law should be “limiting data collection for AI training and preventing use of the technology to discriminate against protected classes, but this bill does neither sufficiently.”
The SECURE Data Act prohibits companies from discriminating against users for exercising privacy rights, but Alejandra Montoya-Boyer, vice president of The Leadership Conference’s Center for Civil Rights and Technology, noted that the bill “bars state leaders from protecting their residents against data-driven discrimination.”
Both bills also lack language that would enable individuals to sue companies for violating the privacy laws established under the legislation.
“At face value, this bill comes across squeaky clean, a step toward federal data privacy protections that advocates have been calling for for decades. But as you peel back the layers, it lacks any real teeth,” Montoya-Boyer said in a statement on the SECURE Data Act.
The Business Software Alliance applauded the acts and said that they provide “a solid foundation for action by reflecting bedrock elements of workable privacy laws, including provisions that distinguish between and tailor obligations to both controllers and processors of data.”
While both Republicans and Democrats have expressed desire to pass a single comprehensive data privacy standards for years, the last bipartisan attempt in 2024 failed after encountering significant opposition from House Republican leadership.
Similar to that previous attempt, this latest move to create data privacy protections comes just months before the midterms – making it a tight squeeze to be considered during the busy election season.