PH Privacy
US House Releases Latest Attempt at a Nationwide Privacy Bill; Prospects Are Uncertain
May 05, 2026
By Aaron Charfoos, Michelle A. Reed and Jeremy Berkowitz
On April 22, the U.S. House of Representatives released draft legislation that would create a nationwide U.S. privacy law — the House’s third attempt since 2022. While the proposed bills would establish a uniform national standard for protecting individuals’ personal data, they would also largely preempt the 22 states that have privacy laws on the books, including the California Consumer Privacy Act (CCPA). It is unclear when the relevant House committees will proceed with next steps to hold hearings and mark up both bills.
The proposed legislation includes (1) the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Act), which provides privacy protections for nonfinancial entities including but not limited to technology, media and retail companies, and (2) the Guidelines for Use, Access and Responsible Disclosure of Financial Data Act (GUARD Financial Data Act), which is focused on strengthening the Gramm Leach Bliley Act’s (GLBA’s) privacy protections for nonpublic personal information, as defined by GLBA, that is collected by financial institutions.
SECURE Act
The SECURE Act includes many of the provisions that are present in current state privacy laws, including the CCPA. It applies to businesses that operate in the United States and/or process or sell personal data of U.S. residents. Such businesses either (1) collect and process personal data of more than 200,000 individuals annually and have annual gross revenue of at least $25 million, or (2) collect and process personal data of more than 100,000 individuals and derive at least 25% of their revenue from the sale of that personal data. The bill exempts certain nonprofits, higher education institutes and businesses that must comply with existing federal privacy laws, including GLBA and the Health Insurance Portability and Accountability Act. The current draft also appears to exempt employee and human resources data.
The SECURE Act requires businesses to give notice to individuals on how their personal data is collected and processed. It requires businesses to collect the minimum amount of data needed for processing and limit collection to what is “adequate, relevant, and reasonably necessary” for the stated purposes. It requires businesses to implement reasonable data security practices proportionate to the type and volume of personal data they process. The businesses must also disclose what personal data they share with third parties — including any data processed in or transferred to China, Russia or other designated foreign adversaries.
The bill also grants individuals the following rights related to the collection of their personal data:
- Right of Access: Individuals may request a copy of their personal data, including in a portable format.
- Right to Delete: Individuals may request deletion of their personal data held by a company.
- Right to Opt Out: Individuals may opt out of targeted advertising, the sale of personal data and certain automated decision-making.
- Sensitive Data Consent: Processing of sensitive personal data (e.g., health, financial, biometric and geolocation data) will require affirmative consumer opt-in consent.
- Children and Teens: Parental consent will be required before a business may process the personal data of minors under the age of 16.
The SECURE Act also imposes specific requirements on data brokers, including that they must register with and disclose all privacy and data security practices to the Federal Trade Commission (FTC). It also requires data brokers to comply with all applicable data minimization, disclosure and security obligations. The FTC would be required to establish a searchable, publicly accessible registry of data brokers where consumers can learn how to exercise their privacy rights.
The SECURE Act also grants some authority to the U.S. Commerce Secretary, including (1) to advise on rules around cross-border data transfers such as the U.S.-EU Data Transfer Framework, and (2) to recognize industry codes of conduct that could allow businesses to claim they comply with the SECURE Act. The secretary is also asked to conduct a study on the feasibility of implementing universal opt-out mechanisms within a period of three years.
The GUARD Financial Data Act
The GUARD Financial Data Act provides some key updates to the GLBA Privacy Rule. It requires financial institutions to limit the collection and disclosure of individual data to what is necessary. Current and former customers of financial institutions may request access to and obtain a copy of their personal data, and former customers may request deletion of their personal data from the institution’s records. Financial institutions must obtain an individual’s affirmative opt-in consent before disclosing sensitive personal data to third parties. Institutions must maintain data security practices consistent with the nature and volume of the data they hold.
Private Right of Action/Enforcement
Neither bill includes a private right of action, meaning individuals would not be able to sue companies directly for alleged violations of these proposed laws. Enforcement authority under both bills would be shared by the FTC and state attorneys general. State insurance regulators would also have some enforcement authority under the GUARD Financial Data Act.
Next Steps
While the bills were released after a year-long effort by House Republicans to solicit ideas and draft legislative language, it is unclear whether they can be passed this year. In 2022, the House Committee on Energy and Commerce introduced the American Data Privacy and Protection Act, which was approved in committee but never received a vote on the House floor or faced Senate action. In 2024, House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Chair Maria Cantwell (D-CA) jointly released the American Privacy Rights Act, which never received a hearing or a vote in committee and died with the adjournment of the Congress. Given the lack of buy-in from Democrats as well as a tight legislative calendar leading up to the midterm elections, it is a tough climb for these bills to pass both houses and be signed by President Donald Trump before the end of the congressional session. Additionally, the California Privacy Protection Agency has come out against the SECURE Act, noting it would eliminate many of the provisions that the CCPA currently offers.
Regardless of what happens at the federal level, businesses should still pay attention to state privacy laws that are in effect or taking effect and ensure their notices and policies are updated to meet those requirements.
Paul Hastings’ Data Privacy & Cybersecurity practice regularly advises companies on how to proactively meet the requirements of privacy laws and regulations and is uniquely positioned to advise on compliance. If you have any questions regarding this proposed legislation, please do not hesitate to contact any member of our team.