House Republicans introduced two data privacy bills April 22 that together would overhaul financial data protections under a decades-old federal law and establish a national consumer privacy framework.
Both measures — the SECURE Data Act and the GUARD Financial Data Act — intend to preempt a growing patchwork of state privacy laws.
Rep. John Joyce of Pennsylvania introduced the SECURE Data Act, a broader measure that would create a national privacy framework similar to European data protection law. The Federal Trade Commission would serve as the primary enforcer, with state attorneys general authorized to bring parens patriae actions — lawsuits frequently used in antitrust and consumer protection cases where individual damages are deemed too small to justify private suits.
"This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safekeeping," Joyce and House Energy and Commerce Chairman Brett Guthrie (R-Ky.) said in a statement to S&P Global Market Intelligence.
The Commerce Secretary would serve as the principal adviser to the president on cross-border data flows, according to the bill text.
The SECURE Data Act would apply to companies that process data on more than 200,000 consumers annually with at least $25 million in gross revenue, or companies that process data on at least 100,000 consumers if 25% or more of their revenue derives from data sales. Nonprofits, higher education institutions, and entities already covered by the Gramm-Leach-Bliley Act or HIPAA would be exempt.
The bill raises the age at which platforms must obtain verifiable parental consent to process sensitive data from 13 to 16, covering teenagers as a distinct protected category. Staff said the provision accomplishes much of what the stalled COPPA 2.0 legislation sought to do, while adding that the Senate-passed kids bill remains worth pursuing on its own merits, given its more targeted scope.
The GUARD Financial Data Act, introduced by Reps. Bill Huizenga of Michigan, Andy Barr of Kentucky, Bryan Steil of Wisconsin and French Hill of Arkansas, would amend a portion of the Gramm-Leach-Bliley Act to add data minimization requirements, expand consumer opt-out rights and require financial institutions to obtain affirmative consent before collecting or sharing sensitive personal information, including biometric data and precise geolocation.
The bill also establishes deletion rights for former customers, requires financial institutions to respond to requests within 45 days, and adds disclosure requirements regarding the use of artificial intelligence in data processing. Regulators would be required to weigh compliance burdens on institutions with $15 billion or less in assets.
The bill's data portability provision defers to the Consumer Financial Protection Bureau's ongoing work under Section 1033 of the Dodd-Frank Act, directing financial firms to that statute when effectuating consumer data access rather than creating a parallel standard.
Financial Services Committee staff said they would revisit potential statutory changes to 1033 depending on how CFPB rulemaking develops.
Both bills contain broad federal preemption language that would supersede state privacy statutes. Staff said the preemption is confined to comprehensive privacy frameworks.
"The sharing of data doesn't really stop at state borders," one aide familiar with the legislation said, adding that the bills are not intended to displace state data breach notification laws.
Neither bill includes a private right of action. Staff defended the choice by noting that penalty exposure under the enforcement framework is already substantial.
"It wouldn't just be one violation — it would be $50,000 per violation, and that can add up very quickly," one E&C aide said. Staff also noted that no state comprehensive privacy law currently provides for private litigation, arguing the bills align with that consensus.
The free-market think tank R Street said the exclusion of a private right of action was the wise choice. "Tort costs grew at a rate of seven percent annually — nearly double GDP growth — between 2016 and 2022, with most of the money enriching trial lawyers instead of plaintiffs," wrote Adam Thierer, a resident senior fellow with the Technology and Innovation team at R Street. "Frivolous claims based on junk science continue to flood the courtrooms, undermining innovation in numerous sectors."
The SECURE Data Act also repeals the Video Privacy Protection Act, a 1988 law that restricted the disclosure of video rental records. Staff said the law has been stretched through litigation well beyond its original purpose, arguing the new framework's general applicability makes a standalone video privacy law redundant.
"VPPA is a pre-Internet law, and I think we've seen some abuses of the underlying private right of action," an E&C aide said, "to expand the scope of it well beyond its intended purpose in Congress."
Public Knowledge, a consumer advocacy group, rejected both bills on Wednesday. The SECURE Data Act's preemption language would hand tech companies "a single weak national standard with no way for states to fill the gaps," Sara Collins, the group's government affairs director, said in a statement. She argued the bill "prioritizes industry convenience over consumer rights."
Collins also noted the bill would strip the Federal Communications Commission of privacy authority over broadband and telecom providers entirely, calling the shift to FTC-only enforcement "a get out of jail free card" for internet service providers.
Industry groups, including the US Chamber of Commerce and Information Technology Industry Council, have previously supported preemption-based privacy frameworks.
