Where you live should not determine whether your personal data has any legal protection. Right now, it does. More than half of states have no comprehensive consumer privacy law at all, which means for millions of Americans the question of who can collect, sell, or profit from their personal information has one answer: basically anyone.
That is the problem a House subcommittee took up this week in a hearing on the SECURE Data Act, a bill that would establish a single national privacy standard built from the frameworks already enacted across more than 20 states. The case for it is straightforward. A patchwork of 22 different state laws creates real compliance chaos, particularly for smaller businesses that cannot afford teams of lawyers to navigate conflicting requirements.
The case against it is also straightforward. Critics at the hearing argued the bill preserves a notice-and-consent model that has never meaningfully protected anyone. Companies can continue collecting vast amounts of personal data as long as they disclose it in a privacy policy most people will never read. The bill’s broad preemption language could also wipe out stronger protections that states like California and Washington have already put in place, leaving consumers with less than they have now.
The data minimization debate cuts to the heart of it. The bill’s supporters say it limits unnecessary collection. Critics say it does not, calling it data maximization dressed up in privacy language.
Federal privacy legislation has stalled repeatedly for years. Whether this bill moves differently is an open question. But the hearing made one thing clear. The fight is not really about whether to have a federal privacy law. It is about whether that law will have any teeth.
;
