Data Privacy: House Republicans Introduce SECURE Data Act

Last month, House Republicans introduced the ““Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act”, or the SECURE Data Act.  If enacted, the legislation would establish a single national standard that would preempt existing state consumer privacy laws.  This excerpt from a MaynardNexsen memo on the bill summarizes its key features:

– Consumer Rights. At its core, the Act establishes a familiar set of consumer privacy rights drawn from the existing state privacy law landscape. Individuals would have the right to access, correct, delete, and obtain a portable copy of their personal data from covered entities, as well as the right to opt out of targeted advertising, the sale of personal data, and certain profiling activities that produce legal or similarly significant effects.

– Controllers. Controllers would be required to limit data collection to what is “adequate, relevant, and reasonably necessary” for disclosed processing purposes, and to obtain consumer consent before using personal data for secondary, undisclosed purposes.

– Opt-in for Sensitive and Children’s Data. The bill mandates opt-in consent before processing “sensitive data,” a category that includes data revealing racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for identification purposes, precise geolocation data, and — notably — personal data of teenagers between the ages of thirteen and sixteen, for whom verified parental consent would be required. While the bill’s protections for teens effectively extend the age range subject to heightened consent requirements beyond COPPA’s under-thirteen threshold, the SECURE Data Act does not amend COPPA itself; rather, it creates a parallel regime for teen data (ages 13–16) under federal privacy law.

– National Data Broker Registry. The Act would also create a national data broker registry administered by the Federal Trade Commission. Data brokers — defined as controllers that collect and process personal data of individuals who are not customers, clients, users, readers, or subscribers of the controller, and that derive fifty percent or more of annual gross revenue from the sale of such personal data — would be required to register annually and provide public-facing disclosures about their practices. This mirrors state data broker laws and registration requirements in states like California and Vermont.

– Cross-Border Data Flows and Voluntary Codes of Conduct. One distinctive feature of the bill is its codification of the Secretary of Commerce’s role as lead advisor on international data flows and personal data protection in cross-border commerce. The Secretary would be authorized to recognize voluntary codes of conduct, and entities that conform to such codes under independent organizational oversight would receive a rebuttable presumption of compliance with the Act.

– Non-Waiver and Non-Discrimination. The Act provides that any contractual provision purporting to waive or limit consumer privacy rights is void and unenforceable as contrary to public policy. The bill also prohibits controllers from discriminating against consumers who exercise their privacy rights — for example, by denying goods or services, charging different prices, or providing inferior quality — although bona fide loyalty and rewards programs are expressly carved out.

The memo also addresses the businesses to which it would be applicable as well as its exemptions, and highlights its most controversial feature, a broad provision preempting state laws that “relate to” its provisions. The Act has attracted significant opposition, and commenters are split on its chances of being enacted. Stay tuned.