The 'Privacy' Bill That Deletes Your Right to Sue
Twenty state laws gone, retention limits gone. A lobby coalition wrote the demands.
Introduction
The bill is called the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act. SECURE, for short. It would end your right to sue a company that sells your data, erase every limit on how long firms can keep it, cap how often you can ask what they hold, and void the privacy laws more than 20 states already passed. Three weeks after it was introduced, a coalition of 24 corporate lobbying groups wrote to the committee chairman asking for three things in particular: "Strong preemption, with no private right of action and no open-ended rulemaking authority for federal agencies or additional state regulations." The bill already did all three.
What the Bill Leaves Out
Start with what's missing. H.R. 8413 lets only the Federal Trade Commission and state attorneys general bring a case under it (Section 12 of the bill text). You, personally, cannot sue a company that breaks the law. And if a company does get caught, Section 12(c)(1) hands it a 45-day window to fix the problem, during which "there shall be no violation of this Act." That cure period never sunsets, so a company can violate, fix, and re-offend on a 45-day loop.
There is no limit on how long a business can hold your data. None. You can ask a company what it has collected about you only twice a year for free (Section 2(c)(3)); after that, it can charge you or turn you down. For a bill sold as putting you back in control of your data, that's the clause worth reading twice. The text also doesn't require companies to honor the opt-out signals your browser already sends, the Global Privacy Control built into Firefox and tools like Privacy Badger. Instead it tells the Commerce Department to study whether honoring them is feasible and report back three years later (Section 10).
Here's the part the name is built to hide. For almost 40 years, federal privacy laws set a floor. HIPAA, the Fair Credit Reporting Act, the federal wiretap law, the Driver's Privacy Protection Act, all of them let states stack stronger protections on top. The SECURE Act flips that into a ceiling. Once it passes, no state can give you a single protection beyond what sits in the federal text, and the federal text is what a coalition of lobbyists asked for.
The Letter That Asked for Exactly This
On May 12, 2026, Americans for Tax Reform and 23 other self-described "center-right" groups sent Chairman Brett Guthrie a letter. The same demand for strong preemption and no private right of action came bundled with instructions to "ignore" the California Privacy Protection Agency and other state regulators, which the letter dismissed as "entrenched bureaucracies" that "prefer a confusing patchwork of state laws that enrich trial lawyers." It claimed 50 separate state laws could cost the economy $1 trillion over a decade, a figure with no published math attached.
Guthrie, who chairs the House Energy and Commerce Committee, set the table more than a year earlier. He created an all-Republican Privacy Working Group in February 2025 and ran it for 15 months. He opened the June 3 hearing on the bill this way: "We're not looking to compete with Europe to regulate; we're looking to compete against China to innovate." When the bill landed in April 2026, the US Chamber of Commerce and more than 50 business associations endorsed it the same day it was announced.
None of this started in Congress. The SECURE Act's template was drafted by tech companies in Washington state in 2019, where it failed. A Big Tech lobbyist handed it to a Virginia legislator, and it became law there in 2021. EPIC, which testified against the bill on June 3, graded that Virginia law an "F." By EPIC's account, the same coalitions pushed near-identical copies through 21 states. Kentucky State Senator Whitney Westerfield testified in 2024 that the state Chamber, backed by "the AT&Ts and others, Amazon, and the likes," killed his stronger bill. H.R. 8413 takes that model national.
What "Repealed" Looks Like
Section 14(c) does its work in two words: "is repealed." The full sentence names Section 2710 of Title 18 and wipes it off the books: the Video Privacy Protection Act, a 1988 law most people have never heard of and have quietly relied on for decades.
The origin story is almost quaint now. During Robert Bork's Supreme Court confirmation fight, a reporter got hold of the list of films Bork had rented and published it. Congress was rattled enough to pass a law within months, making it illegal for a video provider to disclose what you watch without consent, with $2,500 in damages per violation and a private right to sue built in.
That old statute turned out to be one of the sharpest tools against modern streaming surveillance. Send someone's Netflix, Hulu, Disney+, or YouTube history to advertisers without asking, and you are exposed under the VPPA. The Supreme Court agreed in January 2026 to hear a case, Salazar v. Paramount Global, over how broadly the law applies. Section 14(c) settles the question by deleting the statute underneath it.
The VPPA gets repealed outright; the rest fall a different way. Because Section 15 voids any state law that "relates to" the bill, the same clause reaches California's CCPA, Illinois's biometric privacy law (the one behind Clearview AI's $51.75 million settlement in 2025), Washington's My Health My Data Act, and California's Delete Act, the data-broker deletion portal more than 280,000 people used in its first months. That portal is also how California learned that more than two dozen registered data brokers were selling Americans' information to entities in North Korea, China, Russia, and Iran. The disclosure rule that surfaced it goes too.
Who Benefits
Follow the liability. The clearest winners are the companies that currently get sued. With no private right of action in the federal bill and the state laws that allow those suits preempted, the class-action door closes. Illinois's biometric law alone has generated thousands of class actions. Repealing the VPPA ends the streaming-data suits outright. Section 15 reaches further still: in May 2026, Meta, Snap, YouTube, and TikTok agreed to pay $27 million to a Kentucky school district, the kind of claim EPIC warned could vanish once any state rule "related to" the bill is wiped out.
AI companies get their own line. Section 11(b)(1) says nothing in the law restricts a company from collecting and keeping data to "develop, improve, or repair a product, service, or technology." EPIC and EFF read that as a carve-out for training AI models on personal data without consent.
Data brokers come out ahead as well. State registration laws in Texas, Nevada, Oregon, and Vermont, plus California's Delete Act, get swept into a thin FTC registry that carries no deletion mandate. For any large company, California is effectively the national standard today, and the SECURE Act swaps it for a federal ceiling that asks for less on every front.
They Had a Narrower Option
This is where it stops looking like a compromise. Congress had two ways to write a preemption clause, and the difference is the whole game. A "covered by" clause knocks out only state laws on subjects the federal law actually addresses. A "relates to" clause, the kind in Section 15, reaches anything that touches the same territory. The Congressional Research Service spelled this out in an August 2025 report: the Supreme Court has called "relates to" provisions "deliberately expansive" and "conspicuous for their breadth."
Congress knew the difference, because the last serious federal privacy bill used the narrower one. The 2022 American Data Privacy and Protection Act cleared committee on a 53-2 bipartisan vote with "covered by" language, and it carried savings clauses that specifically protected Illinois's biometric law and California's breach provisions. The SECURE Act drops the savings clauses and reaches for the broadest preemption language on the menu. Stripping those clauses and choosing that language only makes sense if the point is to leave nothing standing underneath the federal text.
The industry isn't wrong that the patchwork is a real burden. A company selling nationwide juggles California, Illinois, Washington, and 19 other state regimes that don't line up, and states with no law of their own would gain baseline rights they lack today. That's the honest case for a federal standard, not an argument for this one, where the federal standard lands below what those state laws already guarantee and bars anyone from going higher.
EPIC's Caitriona Fitzgerald put it flatly to the subcommittee on June 3: a bill that "combines weak rules with broad preemption of state laws is worse than having no federal data privacy law at all." A coalition of 18 attorneys general and state agencies, led by California's Rob Bonta, sent Congress a letter opposing the bill the day before.
The Bottom Line
For all that, the SECURE Act probably won't pass. GovTrack puts its odds at 1%, and the same preemption fight sank the stronger 2022 bill. But it's the clearest statement yet of what the industry wants the finished product to be, and they've been patient about getting there. The model that failed in Washington and spread through 21 statehouses is now reaching for a federal ceiling, the last piece.
The real thing to watch is the next version, the one the same coalition writes after the Supreme Court rules on the VPPA in Salazar. They've already told us what they'll ask for. What's not settled is whether anyone in Congress says no.