--- title: "State Privacy Laws Show the SECURE Data Act’s Merits and Political Appeal" summary: |- Twenty-one states have enacted privacy laws with provisions similar to the SECURE Data Act. This bill is a clear bipartisan attempt at meaningful data privacy legislation. date: "2026-05-15" issues: ["Privacy", "Internet", "State and Local"] authors: ["Ash Johnson"] content_type: "Blogs" canonical_url: "https://itif.org/publications/2026/05/15/state-privacy-laws-show-the-secure-data-acts-merits-and-political-appeal/" --- # State Privacy Laws Show the SECURE Data Act’s Merits and Political Appeal For decades, the United States has relied on a patchwork of sector-specific and state laws to govern data privacy. [Various attempts](https://itif.org/publications/2024/04/10/privacy-bill-faceoff-comparing-the-apra-and-adppa/) at [comprehensive federal privacy legislation](https://itif.org/publications/2022/06/17/bills-show-remaining-divisions-on-federal-data-privacy-legislation/) have stalled in Congress, largely due to conflict on key issues, including federal preemption and a private right of action. The House Financial Services Committee and House Energy and Commerce Committee [announced a joint effort](https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=411100) in April to advance a new privacy bill, the [SECURE Data Act](https://financialservices.house.gov/UploadedFiles/SECURE_Data_Act.pdf). While this bill would preempt state privacy laws, it also draws heavily from those laws, reflecting a bipartisan, multistate consensus on key privacy provisions that would [protect consumers while enabling innovation](https://itif.org/publications/2022/08/08/maintaining-a-light-touch-approach-to-data-protection-in-the-united-states/) that bolsters the U.S. economy. Critiques of the SECURE Data Act assume that stronger-sounding provisions necessarily produce better outcomes. Critics [point to](https://epic.org/america-needs-a-strong-privacy-law-the-secure-data-act-isnt-it/) its less restrictive data minimization framework, lack of a private right of action, and preemption of state laws as provisions that will fail to adequately protect consumers. Furthermore, the SECURE Data Act was the result of a “[unified House Republican effort](https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=411100),” but gaining Democrats’ support remains a key barrier to the bill’s passage, and these provisions will likely be the biggest sticking points. However, looking to state privacy laws proves critics’ assumptions wrong and presents a path forward for the SECURE DATA Act, both on the merits of the bill and its political appeal. First, the SECURE Data Act avoids importing the more restrictive data minimization framework of the European Union's General Data Protection Regulation (GDPR), which even [European policymakers](https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en) admit [needs reform](https://commission.europa.eu/topics/competitiveness/draghi-report_en). Data collection is not inherently harmful to consumers; in fact, many forms of data collection benefit consumers by improving the services Americans rely on every day. That translates to more personalized health care, more efficient energy usage, and more reliable transportation. The SECURE Data Act preserves more of these beneficial use cases while still giving consumers more control over their data. This approach mimics the vast majority of state privacy laws in both red and blue states. Second, the SECURE Data Act’s reliance on the FTC and state attorneys general for enforcement reflects the most effective approach to complex, economy-wide regulatory frameworks. Private rights of action lead to fragmented interpretations and opportunistic litigation disconnected from concrete consumer harm. Centralized enforcement, on the other hand, promotes consistency, provides expert oversight, deters bad actors, and allows regulators to focus on meaningful violations. Finally, by preempting state privacy laws, the SECURE Data Act creates a uniform national standard that reduces compliance fragmentation while preserving core consumer protections and incentivizing responsible data use. Rather than revisiting proposals that failed to achieve legislative consensus at the state level, the SECURE Data Act closely tracks the model enacted in multiple states across the political spectrum, consolidating state innovation into a workable consensus. As figure 1 illustrates, 21 states have enacted privacy laws with provisions similar to the SECURE Data Act. These provisions have been adopted in states led by both Democrats and Republicans, reflecting an [emerging consensus](https://www2.itif.org/2026-secure-data-act-state-infographic.pdf) around a balanced approach to privacy governance. ![Figure 1: Core provisions in the SECURE Data Act already enacted in state laws](https://cdn.sanity.io/images/03hnmfyj/production/477c32fde326d4d290d70fcafb3be893c146750e-1370x1434.png) The debate over federal privacy legislation should not center on whether Congress can produce the most restrictive possible framework, but whether it can establish a workable national standard that meaningfully protects consumers while preserving the benefits of data-driven innovation. The SECURE Data Act reflects the direction many states have already taken: stronger consumer protections, clear rules for businesses, centralized enforcement, and flexibility for beneficial data use. Rather than restarting debates that have repeatedly prevented federal action, Congress should build on this emerging consensus and finally provide Americans with a consistent national privacy framework. In practice, the alternative to the SECURE Data Act is not a stronger, perfectly harmonized privacy regime—it is continued fragmentation, rising compliance costs, and weaker national competitiveness. --- *Source: Information Technology & Innovation Foundation (ITIF)* *URL: https://itif.org/publications/2026/05/15/state-privacy-laws-show-the-secure-data-acts-merits-and-political-appeal/*