3 May 2026

A New Push For Federal Privacy Law: What To Know About SECURE And GUARD

Taft Stettinius & Hollister

By Kennedy Brooks

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.

Last week, the House Energy and Commerce and Financial Services Committees announced a joint effort to advance two new data privacy bills: the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the SECURE Data Act) and the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act (the GUARD Financial Data Act).

(At a minimum, points to Congress for the acronyms.)

If you have been watching federal privacy legislation over the past few years, the SECURE Data Act alone may not inspire much excitement. Congress has been attempting comprehensive federal privacy legislation for years without much success, and this bill follows that tradition of ambition. That said, the SECURE Data Act is the result of over a year of work by the House Energy and Commerce Data Privacy Working Group and contains a few notable developments worth paying attention to. This package also includes a serious, targeted effort to modernize the Gramm-Leach-Bliley Act (the GLBA) through the GUARD Financial Data Act.

Below, we overview both bills, briefly explain why comprehensive federal privacy legislation has historically stalled, and discuss what this means for businesses today.

SECURE Data Act

What it Does

The SECURE Data Act would establish a uniform national privacy and security framework. Those familiar with state privacy laws will recognize much of its substance. The bill draws heavily from the existing state privacy laws, sharing common core provisions including the following:

  • Applicability Thresholds. Applicability is determined by thresholds based on the number of consumers whose data is processed and the percentage of revenue derived from personal data sales.
  • Personal Data & Consumer Definitions. Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. Consumer is defined as an individual acting in an individual or household capacity, and does not include individuals acting in a commercial or employment context.
  • Consumer Rights and Request Response. Consumers would have rights to access, correct, delete, and receive a portable copy of their personal data, and to opt out of targeted advertising, sale, and profiling. Controllers would be obligated to respond within 45 days (with an extension and a right to appeal).
  • Consent to Process Sensitive Data. Consent would be required for processing sensitive data (notably using an opt-in model).
  • Security. A requirement to maintain reasonable administrative, technical, and physical data security practices.
  • Controller Obligations / Privacy Notice. Controller obligations include data minimization and privacy notice requirements. Privacy notices must include each category of personal data processed, each purpose of processing, how consumers can exercise their rights, each category of personal data disclosed to third parties, and each category of third party receiving personal data.

What Makes it Different

While the SECURE Data Act appears to be more closely aligned with state laws than prior federal attempts like the American Data Privacy Protection Act (“ADPPA”) and the American Privacy Rights Act (“APRA”), it has some meaningful deviations. For example, it does not require data protection impact assessments (“DPIAs”), and it stops short of mandating recognition of universal opt-out mechanisms (though it does direct further study on the issue). Further, as expected for a federal bill, it includes FTC and state attorney general enforcement provisions and cross-border data transfer provisions.

The SECURE Data Act also goes meaningfully further than most state laws in its treatment of teen data. It incorporates the Children’s Online Privacy Protection Act (“COPPA”) protections for children under 13 and extends specific protections to teens aged 13 through 15, treating their personal data as inherently sensitive and requiring verifiable parental consent for processing. The bill also lacks a “knows or should have known” qualifier, meaning controllers cannot rely on a knowledge standard for identifying minor users.

The Preemption Question

Finally, as introduced, the SECURE Data Act would broadly preempt state laws relating to its provisions. Preemption has historically derailed prior federal efforts. That said, the bill’s closer alignment with state law frameworks, combined with its meaningful protections for children and teens, may give it more negotiating surface than its predecessors.

GUARD Financial Data Act

For businesses that handle consumer financial data, the GUARD Financial Data Act is where this legislative package has the most direct impact. Since 1999, the GLBA has served as the baseline privacy framework for financial institutions and has protected nonpublic personally identifiable financial information (“NPI”). The GUARD Financial Data Act would modernize the GLBA in several meaningful ways:

  • Financial Institution Obligations. It would introduce data minimization, strengthen opt-out rights, and significantly expand required privacy notice disclosures, including a disclosure of how financial institutions use artificial intelligence (“AI”) to collect, process, and use NPI.
  • Customer Rights. Current financial institution customers would gain additional access rights and former customers would gain a new right to request deletion of their NPI.
  • Sensitive Data. Affirmative opt-in consent would be required before collecting or disclosing sensitive NPI, which would be defined to include highly personal demographic information, genetic or biometric data, and precise geolocation data. Consumers would be permitted to revoke that consent at any time.
  • Financial Data Aggregators. Financial data aggregators and nonaffiliated third parties that access NPI or a consumer’s account through account credentials would be required to provide clear notice and an opportunity for consumers to opt out.
  • Model Form and Safe Harbor. To facilitate compliance, it directs regulatory agencies to develop a new model privacy disclosure form incorporating the new disclosure requirements, and provides a two-year safe harbor for institutions that use the model form.

The operational implications of the GUARD Financial Data Act would be significant. Financial institutions would need to review and update their privacy notices and disclosure practices, assess how they handle consumer account credentials, implement processes for responding to deletion requests from former customers, and develop frameworks for identifying and treating sensitive NPI differently from other NPI.

What this Means for Businesses Today

Whether or not these bills become law, the direction is clear. Consumer data protections are tightening at the federal and state levels, and businesses waiting for legislative certainty before acting are already behind. The most practical takeaway from this privacy package is not to predict the bills' fate in Congress, but to use them as a roadmap. Auditing your data collection practices, reviewing third-party sharing arrangements, updating privacy notices, and building consent frameworks now will prepare your business for whatever form federal privacy law ultimately takes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
