It’s time to pass the SECURE Data Act

For more than a decade, American businesses have been calling on Congress to pick a lane on data privacy: a clear, national framework. Congress failed to pass a workable approach, so states stepped in, and most have taken a constructive approach. But right now, nearly half of Americans still have no comprehensive privacy protections, and small businesses are stuck guessing which laws apply to them. The SECURE Data Act, recently introduced in Congress, would protect all of the public and provide businesses the certainty they’ve been waiting for.

Twenty states representing more than 135 million people have enacted the Consensus Privacy Approach. Governors of both parties, from Greg Abbott (R-TX) to Democrat Tim Walz (D-MI), have signed these bills into law. Across those 20 state legislatures, the Consensus Privacy Approach garnered nearly 1,500 Republican votes and more than 1,100 Democratic votes, proving that this isn’t a partisan policy.

Now, Congress has a chance to build on that foundation with the SECURE Data Act. The U.S. Chamber of Commerce strongly supports this legislation because it reflects what states have already built and improves it.

Built on bipartisan consensus

Critics wrongly claim that a federal law that creates a single national standard would be a “race to the bottom.” The SECURE Data Act dismantles that argument. Instead of rolling back what states have done, it codifies the very framework that states across the ideological spectrum agreed on, while extending privacy rights to 150 million people in states that currently lack them.

The bill ensures all Americans benefit from core privacy rights that nearly every state law includes, such as:

The right to know what data of yours a company has; the right to delete your personal information; the right to correct inaccuracies; and the right to opt out of having your data sold, used for targeted ads, or fed into automated systems making high-stakes decisions about your housing, credit, or job.

Companies under the SECURE Data Act would also need to follow the state approach of obtaining permission before using sensitive data such as racial or gender information.

Similarly, the bill’s data minimization standard mirrors what Colorado, Virginia, Connecticut, Indiana, Tennessee, and others already require: data collection must be “reasonably necessary.”

Enforcement would fall to the Federal Trade Commission and state attorneys general, entities with long track records in privacy and consumer protection. And like every single state’s comprehensive privacy law, the SECURE Data Act rejects private lawsuits, which have been abused in the past to produce big settlements for attorneys and very little for actual consumers.

Where federal law goes further

The SECURE Data Act goes beyond mirroring state law. It fills gaps that some states never addressed. Early movers such as Utah and Iowa passed privacy laws without explicit opt-out rights for targeted advertising or profiling.

The federal bill fills those gaps, giving consumers in those states rights they currently lack. It also establishes a national data broker register and protects the data of teenagers up to age 16.

The patchwork problem

While state-level progress to date has been constructive, it has also created a serious problem for any business that operates across state lines, meaning nearly every business in the United States. Localities and states adopting more extreme approaches are already causing harm. California’s lead privacy authority recently adopted rules that could cost small businesses $16,000 a year just to conduct e-commerce in the state. Maryland’s law, if fully enforced, would prohibit the collection of data necessary for product innovation, critical scientific research, and fraud prevention.

This is exactly the kind of problem the commerce clause of the Constitution was designed to address. National commerce needs national rules, and the SECURE Data Act provides them.

The moment is now

States that have adopted the Consensus Privacy Approach have done something remarkable. Through genuine bipartisan cooperation, they built a broad consensus on what consumer privacy protection should look like.

Congress must not miss this opportunity. The SECURE Data Act does what good federal legislation should do: it learns from the states, codifies what works, fills gaps, and creates the national uniformity that consumers and businesses both need. The moment for Congress to act is now.

Jordan Crenshaw is senior vice president of the U.S. Chamber of Commerce Technology Engagement Center, where he leads the chamber’s work on technology policy, data privacy, and artificial intelligence.
