The SECURE Data Act – Is It Theatre?

The Secure Data Act is the next attempt at a federal privacy law that would replace 20 or more state privacy laws. The Electronic Frontier Foundation published a detailed assessment of the bill saying that it is not serious privacy legislation. They say it has too many exemptions, too little enforcement and too much … I can’t use the words I would use privately, but suffice it to say the proposed bill gives businesses pretty much every accommodation they might want, effectively making the law useless and eliminating the protections that many state residents currently get under their state laws. Is the EFF right? I will leave that as an exercise for the reader, but here is their assessment.

They have 3 core concerns:

#1 – Too many companies are exempted.

The bill has exemptions for data already regulated under sector-specific laws like HIPAA for health data, FCRA for credit data, COPPA for children’s data, FERPA for education data, non-profits and more. ALSO EXEMPT ARE ANY GOVERNMENT AGENCIES. The government loves to exempt themselves from laws that the rest of us have to obey. But remember that those laws do not have similar protections to state privacy laws like a right to get a copy of your data, a right to delete your data, etc. So, exempting them exempts the data of millions of people with no equivalent protections under the applicable laws. And, businesses with less than $25 million in revenue or who process less than 200,000 consumers’ data annually are also exempt. With the size exemption alone, basically, this will only apply to the corner diner and locally owned convenience store (that is a bit of hyperbole), but that is about all. At least 95% of all US businesses would be exempt. It would cover the big social media platforms, so that is a plus, but the “coverage” is limited to the few rules that the bill includes.

#2 – The enforcement problem

Under the bill, enforcement is delegated to the FTC, which pays strong deference to the president and has limited tools to make people comply. Under really dire circumstances the FTC can beg Main Justice (DoJ) to pretty please consider taking up a case, but they rarely do unless there is some political juice in it. In the current world that probably means that the company is an enemy of the person living in 1600 Pennsylvania Avenue. While state AGs can enforce this federal law (there are some other federal laws that state AGs can enforce), there is no money or headcount to do that. That means that the FTC and AGs can add this work onto their already overwhelming job with no additional help. And, there is no private right to sue as exists in several state laws. That actually is a huge win for business because it means that all they have to do is make a “donation” to the appropriate organization and the investigation disappears. We have already seen that in action many times.

There is also a 45-day “cure” period, also known as a get out of jail free card. The company gets caught breaking the law, and the FTC or AG sends them an email to fix it. 45 days later they fix it. Then later they go back to doing something almost the same. Rinse and repeat. There is no “one time get out of jail free” clause in the bill.

#3 – The Preemption Problem

Preemption means that state privacy laws, unless they are the same as or weaker than the federal law, are null and void. COPPA is an example where the federal law is the floor and states can create their own ceiling. Under this bill, the federal law is the ceiling, and while a state can create its own floor (a weaker law), it would actually be irrelevant because the stronger federal law would prevail. Businesses love this because they understand that the federal law would be weaker, they would not have to worry about complying with 20 or more state laws (which is a valid concern) and they would have a lot more freedom about how they use, trade and sell your data.

On the other side of the argument, the federal law does do some things.

For the small group of companies that are not exempted, there is a requirement to only collect data necessary for their stated purpose. It has a requirement to honor global opt-out signals such as GPC (Global Privacy Control). It prohibits the use of dark patterns (design that makes it harder to opt out or revoke consent than to opt in).

Obviously, the EFF is pushing a position that their supporters are asking them to support. But the reality is that getting a law the EFF would like passed at the federal level in today’s world is impossible. Is having a weak law with preemption and possibly little to no enforcement (no people or money to do the enforcing) really helpful to people’s privacy?

At this point it is unclear whether a bill like this could pass or whether it will be modified plus or minus, but it is something to watch. Credit: My Privacy Blog
