Your data has no federal protection. None. Zero. Zip. And Congress just made its most serious move in years to change that.
Why this bill matters more than the noise around it
On April 22, 2026, Rep. John Joyce (R-PA) introduced HR 8413 — the SECURE Data Act — the first major attempt in the 119th Congress to establish comprehensive consumer privacy rules at the federal level.
I have been watching this space for a long time. Every year someone promises a federal privacy law and every year it dies in committee. This time feels different, and I think the critics are missing the forest for the trees.
The bill would give every American the right to access, correct, delete, and port their personal data — and the right to opt out of targeted advertising and data sales. That is not nothing. That is a floor that does not exist today for most Americans.
The patchwork problem is real and it is costing everyone
Right now, at least 20 states have enacted their own comprehensive data privacy laws. Indiana, Kentucky, and Rhode Island joined the club in January 2026 alone. The result is a compliance nightmare that small startups cannot afford to navigate.
The bill was described by House GOP aides as "small business and small startup-friendly," and for once that framing is not spin. A single national standard lowers the barrier to entry for new companies that cannot afford a team of privacy lawyers in every state.
“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping.”
— Rep. Brett Guthrie (R-KY), House Energy and Commerce Committee Chair
The bill was crafted after more than 16 months of internal work and feedback from 170 organizations. Notably, Big Tech companies were not looped into the drafting process — which is either a red flag or a genuine sign that this is not just a corporate handout.
The California objection is loud but it proves the point
The loudest opposition is coming from the California Privacy Protection Agency, which fired off a letter to Congress warning that the bill's preemption language would strip rights from over 100 million Americans. Their specific concern: California's DELETE Request and Opt-Out Platform, known as DROP, which already has over 215,000 residents signed up, would be wiped out.
That is a legitimate concern and I will not pretend otherwise. California's DROP system, which launched January 1, 2026, covers over 500 registered data brokers. Losing that is a real step backward for Californians specifically.
But here is the counterpunch: California is not the whole country. The 30 states with no comprehensive privacy law at all get nothing under the current system. A federal floor that covers every American — even if it is lower than California's ceiling — is still a net gain for the majority of people whose data has zero protection today.
What the bill actually gets right and where it falls short
The good: the bill creates a mandatory public registry of data brokers enforced by the FTC, requires opt-in consent for sensitive data like health and geolocation, and extends parental consent requirements to teens aged 13 to 16. These are real, enforceable wins.
The bad: the bill has no private right of action. The ACLU's Cody Venzke put it plainly, saying the bill "places the onus on regular people" to navigate complex opt-out systems with no real recourse if companies ignore them. That is a serious structural weakness and Congress should fix it before this moves forward.
The bill is also notably silent on AI and large language models — a glaring gap given that data is the fuel that powers every AI model being trained right now. Passing a privacy law in 2026 that does not address AI training data is like writing a food safety law that ignores restaurants.
The enforcement architecture is actually smarter than critics admit
Enforcement would be split between the FTC and state attorneys general, with a 45-day right-to-cure mechanism before any action can be filed. Critics call this toothless. I call it realistic — the FTC already has the infrastructure and the track record.
The companion GUARD Financial Data Act modernizes the Gramm-Leach-Bliley Act of 1999 — a law written before the iPhone existed — by introducing data minimization and stronger opt-out rights for financial data. That is genuinely overdue.
“A person's privacy rights depend on their zip code. This draft establishes the necessary foundation for a national standard.”
— Barbara Cosgrove, Chief Privacy Officer, Workday
The bill is a Republican-only effort right now, which is its biggest political liability. The American Data Privacy Protection Act and the American Privacy Rights Act were both bipartisan and both died anyway. Going partisan does not make passage more likely — but it does clarify where the fault lines are.
This is the moment to push hard, not walk away
Would you trust a law that protects your data in California but not in Ohio? Because that is exactly what we have right now.
The SECURE Data Act is imperfect. It needs a private right of action. It needs AI guardrails. It needs bipartisan buy-in before it can survive a Senate vote.
But walking away from this bill because it is not perfect is the same mistake that killed every previous attempt. The House Subcommittee for Commerce, Manufacturing, and Trade is expected to schedule a legislative hearing soon. That is the moment to push for amendments — not to declare the whole effort dead on arrival.
I believe this is the best shot at a federal privacy law in a decade. The question is whether the people who care most about privacy will show up to improve it — or just stand outside and throw rocks.
