United States of America: Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act) including data protection regulation was introduced to House of Representatives

On 21 April 2026, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act) was introduced in the House of Representatives. The SECURE Data Act would establish a national framework for consumer privacy rights and the protection of personal data. The SECURE Data Act would apply to persons subject to the Federal Trade Commission Act or common carriers subject to the Communications Act of 1934 that conduct business in the United States or process personal data of United States residents, and that either collect and process personal data of more than 200'000 consumers annually with annual gross revenue of USD 25 million or more, or collect and process personal data of 100'000 or more consumers annually and derive 25 % or more of annual gross revenue from the sale of such personal data. Controllers would be required to observe data minimisation, limit secondary uses of personal data, and provide consumers with a privacy notice before processing. Consumers would have the rights to confirm processing, access, correct, and delete their personal data, obtain a portable copy in a readily usable format, and opt out of targeted advertising, the sale of personal data, and solely automated profiling decisions producing legal or similarly significant effects. Controllers would be prohibited from discriminating against consumers for exercising those rights. Consent would be required to process sensitive data, with verifiable parental consent required for teens, and only a parent could exercise consumer rights on behalf of a child or teen. Controllers would be required to respond to consumer requests within 45 days, extendable by a further 45 days, and to establish a conspicuous appeal process with a 60-day response deadline. Controllers would also be required to maintain administrative, technical, and physical data security practices appropriate to the volume, sensitivity, and nature of the personal data processed, with a rebuttable presumption of compliance for controllers adhering to an approved code of conduct or to a recognised risk management framework. The Federal Trade Commission and State attorneys general would enforce the SECURE Data Act, subject to a 45-day right-to-cure period. The SECURE Data Act would preempt State laws on the same subject matter. Sections 2 and 4 of the SECURE Data Act would take effect one year after enactment, and the remaining provisions would take effect two years after enactment.