惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
C
Cisco Blogs
The Hacker News
The Hacker News
T
Threatpost
S
Schneier on Security
K
Kaspersky official blog
Spread Privacy
Spread Privacy
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
NISL@THU
NISL@THU
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
Security Latest
Security Latest
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News and Events Feed by Topic
爱范儿
爱范儿
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
GbyAI
GbyAI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
T
Tenable Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
C
Cyber Attacks, Cyber Crime and Cyber Security
N
News and Events Feed by Topic
V
V2EX
Webroot Blog
Webroot Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
Scott Helme
Scott Helme
Simon Willison's Weblog
Simon Willison's Weblog
L
LangChain Blog
W
WeLiveSecurity
Cloudbric
Cloudbric

Electronic Frontier Foundation

Onward, Friends EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance EFFecting Change Site Banner 6.17.26 Victory! 702 has Expired! Yes to California's Bill to Ban Surveillance Pricing ‘News’ Site Keeps Hallucinating EFF Staffers LGBT Q&A: We’re Back With Season 2! Congress Just Rushed Through a Disastrous Copyright Office Overhaul The 702 Ultimatum: Warrant Requirement or Bust Enshittification Merch That Actually Fights Enshittification 🔊 Mass Surveillance for… Loud Music? | EFFector 38.11 How and Why to Fight Back Against Social Media Bans Tell Congress: Just Say No to NO FAKES VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry Cheers to the Winners of EFF’s 18th Annual Cyberlaw Trivia Night! EFFecting Change: If You Own It, Why Can't You Fix It? Internet Age-Gates Are a Growing Global Threat LGBT Q&A Season 1 Recap: Staying Safer Online EFF at TechCrunch Disrupt California’s AB 412 Still Demands Developers Do The Impossible Pulte Appointment Underscores Need to Reform Section 702 Spying EFF Testifies to Congress on Protecting Americans’ Rights from Government AI Move Fast, Surveil Things EFF at DEF CON 34 We're Fighting Mass Surveillance Tech—and Winning Welcome New EFF Executive Director Nicole Ozer One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating Barcelona Cybersecurity Congress Age Verification is a Privacy Nightmare More License Plate Reader Mission Creep: School Residency Verification, Background Checks, and Noise Complaints 🔒 A Win for Encrypted Messaging | EFFector 38.10 Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention! Your Privacy Shouldn't Be A Corporate Decision EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance We Updated Our Privacy Policy. Here's What Changed and Why. We Must Not Normalize Digital Surveillance Abuses. EFF’s New Guide Underlines Concrete Steps to Fight Back. EFF at Black Hat USA Help EFF Solve an Issue That's Bigger than Creepy Ads The Science is Not Settled: How Weak Evidence is Fueling a National Push to Ban Social Media for Youth Broken Promises: RIP Instagram’s End-to-End Encrypted DMs Victory! End-to-End Encrypted RCS Comes to Apple and Android Chats EFF Launches New Offline Campaign for Saudi Wikipedian Osama Khalid A Hackers Guide to Circumventing Internet Shutdowns Canada’s Bill C-22 Is a Repackaged Version of Last Year’s Surveillance Nightmare EFF to Fourth Circuit: Electronic Device Searches at the Border Require a Warrant EFFecting Change Site Banner 5.14.26 EFF Stands in Solidarity With RightsCon and the Global Digital Rights Community Congress Narrowed the GUARD Act, But Serious Problems Remain Free Signal Guide Milestone 1.0.0 Release of APK Downloader `apkeep` Powers Research on Android Apps 👎 California's Terrible, No Good, Very Bad Social Media Ban | EFFector 38.9 Offline: Osama Khalid EFF and 18 Organizations Urge UK Policymakers to Prioritize Addressing the Roots of Online Harm Shut Down Turnkey Totalitarianism EFF Submission to UK Consultation on Digital ID Getting Digital Fairness Right: EFF's Recommendations for the EU's Digital Fairness Act A Bridge to Somewhere: How to Link Your Mastodon, Bluesky, or Other Federated Accounts Utah’s New Law Targeting VPNs Goes Into Effect Next Week Open Records Laws Reveal ALPRs’ Sprawling Surveillance. Now States Want to Block What the Public Sees. Digital Hopes, Real Power: From Connection to Collective Action Aaron v. Bondi EFF Submission to UN Report on the Role of Media in the Context of Israel’s Policies Toward Palestinians Former EFF Activism Director's New Book, Transaction Denied, Explores What Happens When Financial Companies Act like Censors The Open Social Web Needs Section 230 to Survive The GUARD Act Isn’t Targeting Dangerous AI—It’s Blocking Everyday Internet Use Congress Must Reject New Insufficient 702 Reauthorization Bill The Internet Still Works: SmugMug Powers Online Photography Act Now to Stop California’s Paternalistic and Privacy-Destroying Social Media Ban EFF Challenges Secrecy In Eastern District of Texas Patent Case California Coastal Community Must Reject CBP's AI-Powered Surveillance Tower EFF to 9th Circuit (Again): App Stores Shouldn’t Be Liable for Processing Payments for User Content 📁 How ICE Got My Data | EFFector 38.8 EFF Sues DHS and ICE For Records on Subpoenas Seeking to Unmask Online Critics Bay Area Members' Speakeasy with WISP Copyright and DMCA Best Practices for Fediverse Operators Palantir Has a Human Rights Policy. Its ICE Work Tells a Different Story Keep Pushing: We Get 10 More Days to Reform Section 702 EFF at RightsCon Stop New York's Attack on 3D Printing How Push Notifications Can Betray Your Privacy (and What to Do About It) Google Broke Its Promise to Me. Now ICE Has My Data. EFF Calls on Kuwait to Release Journalist Ahmed Shihab-Eldin Digital Hopes, Real Power: The Rise of Network Shutdowns EFF to State AGs: Investigate Google's Broken Promise to Users Targeted by the Government The Dangers of California’s Legislation to Censor 3D Printing The Bay Agenda: Security for Journalists EFF 🤝 HOPE: Join Us This August! Hot Off the Press: EFF's Updated Guide to Tech at the US-Mexico Border War as a Pretext: Gulf States Are Tightening the Screws on Speech—Again Speaking Freely: Dr. Jean Linis-Dinco We Need You: Our Privacy Cannot Afford a Clean Extension of Section 702 Yikes, Encryption’s Y2K Moment is Coming Years Early Comparison Shopping Is Not a (Computer) Crime EFF is Leaving X Banning New Foreign Routers Mistargets Products to Fix Real Problem Another Court Rules Copyright Can’t Stop People From Reading and Speaking the Law 👁 Selling Mass Surveillance | EFFector 38.7 Digital Hopes, Real Power: How the Arab Spring Fueled a Global Surveillance Boom Privacy Index Workshop EU Parliament Blocks Mass-Scanning of Our Chats—What's Next?
The SECURE Data Act is Not a Serious Piece of Privacy Legislation
Mario Trujil · 2026-05-06 · via Electronic Frontier Foundation

The federal SECURE Data Act is not a serious consumer privacy bill, and its provisions—if enacted—would be a retreat from already insufficient state protections.

Republicans on the House Energy and Commerce Committee released a draft of the bill late last month without bipartisan support. The bill is weaker than congressional proposals in prior years, as well as most of the 21 state consumer privacy laws already on the books.

The bill could wipe out hundreds of  state privacy protections.

Most troubling for EFF: the bill would preempt dozens, if not hundreds, of state laws that regulate related topics, and it would not allow consumers to sue to protect their own rights (commonly called a private right of action). And it comes nowhere close to banning online behavioral advertising—a practice that fuels technology companies’ always increasing hunt for personal data.

The bill also suffers from many other flaws including weak opt-out defaults, inadequate data minimization requirements, and large definitional loopholes for companies.

Key Provisions

The bill would give consumers some rights to take action to control their personal data— like access, correction, deletion, and limited portability. These rights have become standard in all data privacy proposals in recent years.

The bill would also require companies to obtain your consent before processing your sensitive data, or using any of your personal data for a previously undisclosed purpose. Absent your consent, a company couldn’t do these things.

Further, the bill would allow you to opt out of (1) targeted third-party advertising, (2) the sale of your personal data, and (3) profiling of you that has a legal, healthcare, housing, or employment effect. Unfortunately, a company could keep doing these invasive things to you, unless you opted out.

The bill would also require data brokers that make at least 50 percent of their profits from the sale of personal data to register in a public database maintained by the Federal Trade Commission (FTC).

Preemption of Too Many State Laws

Federal privacy laws should allow states to build ever stronger rights on top of the federal floor. Many federal privacy laws allow this, including the Health Insurance Portability and Accountability Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act.

The SECURE Data Act would not do that. Instead, it would wipe out dozens, if not hundreds, of existing state privacy protections. Section 15 of the bill would preempt any “law, rule, regulation, requirement, standard, or other provision [that] relates to the provisions of this Act.” This would kill the 21 state consumer privacy laws passed in the past few years. These state bills aren’t strong enough, but they are still better than this federal proposal. For example, California maintains a data broker deletion tool and requires companies to comply with automatic opt-out signals—including one that is built into EFF’s Privacy Badger.

Because the SECURE Data Act has provisions that relate to data privacy and security, it could preempt all 50 state data breach laws and many others. It could also preempt state laws related to specific pieces of sensitive data, like bans on the sale of biometric or location information. Some states like California have constitutional provisions that protect an individual’s right to privacy, which can be enforced against companies. That constitutional provision, as well as state privacy torts, could also be in danger if this bill passed.

No Private Enforcement, A New Cure Period, and Vague Security Powers

Strong consumer privacy laws should allow consumers to take companies to court to defend their own rights. This is essential because regulators do not have the resources to catch every violation, and federal consumer enforcement agencies have been gutted during the current administration.

The SECURE Data Act does not have a private right of action. The FTC, along with state attorneys general, have primary enforcement authority. The law also gives companies 45 days to “cure” any violation with no penalty after they are caught.

Moreover, Section 8 of the bill creates a vaguely defined self-regulatory scheme in which companies can apply to be audited by an “independent organization” that will apply a “code of conduct.” Following this code of conduct would give companies a presumption that they are complying with the law. This provision is an implicit acknowledgement that the bill does not provide regulators with any new resources to enforce new protections.

Section 9 of the bill would give the Secretary of Commerce broad power to “take any action necessary and appropriate to support the international flow of personal data,” including assessing “security interests of the United States.” The scope of this amorphous provision is unclear, but it likely does not belong in a consumer protection bill.

Weak Privacy Defaults

Your online privacy should not depend on whether you have the time, patience, and knowledge to navigate a website and turn off invasive tracking. Good privacy laws build in data minimization requirements—meaning there should be a default standard that prevents companies from processing your data for purposes that are not needed to provide you with the service you asked for.

The SECURE Data Act puts the burden on you to opt out of invasive company practices, like targeted third-party advertising, the sale of your personal data, and profiling. The bill at least requires companies to obtain your consent before processing your sensitive data (like selling your precise location). These consent requirements, however, are often an invitation for companies to trick you into clicking a button to give away your rights in hard-to-read policies. Indeed, few people would knowingly agree to let a company sell their personal data to a broker who turns around and sells it to the government.

Section 3 of the bill uses the term “data minimization,” but it is done in name only. The provision does not limit a company’s processing of data to only what is necessary to provide the customer with the good or service they asked for. Instead, the provision limits processing of data to only what a company “disclosed to the customer”—meaning if it is in the confusing privacy policy that nobody reads, it is okay.

And the bill would not even allow you to restrict certain uses of your data. As companies seek more data for AI systems, many internet users do not want their private personal data to be used to train those models. However, the bill makes clear that “nothing in this Act may be construed to restrict” a company from collecting, using, or retaining your data to “develop” or “improve” a new technology.

Other Flawed Definitions and Loopholes

The bill has numerous loopholes that technology companies would exploit if the bill were to become law. Below is just a sampling:

  • Government contractors: Under Section 13(b)(2), government contractors are exempt from the bill, which could be wrongly interpreted to exempt certain data brokers from sale restrictions when those sales are made to the government. This type of exemption could benefit surveillance companies like Clearview AI, which previously argued it was exempt from Illinois’ strict biometric law using a similar contractor exception. This is likely not the authors’ intention, since the definition of sale includes those made “to a government entity.”
    Sale definition: The definition in Section 16(28) is defined too narrowly. A sale should mean any exchange for monetary “or other valuable” consideration, as in some other privacy laws.
  • Biometric information definition: The definition in Section 16(4) excludes data generated from a photo or video, and the definition excludes face scans not meant to “identify a specific individual.” This could be wrongly interpreted to allow biometric identification from security camera footage, or biometric use for sentiment or demographic analysis.
  • Personal data definition: The definition in Section 16(21) exempts “de-identified data” from the definition of personal data, which could allow companies to do anything with de-identified data because that data is not protected by the law. The problem with de-identified data is that many times it is not.
  • Deletion requests: With regard to data that a company obtained from a third-party, Section 2(d)(5) would treat a consumer’s deletion request merely as an opt-out request. And even if a customer requested deletion, a company might be able to retain the data for research purposes under section 11(a)(9)(A).
  • Profiling definition: Under the definition in Section 16(25), companies could profile so long as the profiling is not “solely automated.” The flimsiest human review would exempt highly automated profiling.

Congress is long overdue to enact a strong comprehensive consumer data privacy law, and we have sketched what it should look like. But the SECURE Data Act is woefully inadequate. In fact, it would cause even more corporate surveillance of our personal information, by wiping out state laws that are more protective than this federal bill. Even worse, this bill would block state legislatures from protecting their residents from the privacy threats of tomorrow that are unforeseeable today.