The newest attempt at a federal privacy framework and what it means for startups
For more than a decade, startups have been asking Congress for a single, national rulebook on consumer privacy. The Securing and Establishing Consumer Uniform Rights and Enforcement (SECURE) Data Act, a new bill from key members of the House committee of jurisdiction, finally puts a serious proposal on the table, a critical step in establishing a comprehensive federal framework that protects consumers while creating consistency for startups.
Congress has debated comprehensive privacy legislation for years. Bills have come and gone, and while Washington deliberated, states filled the vacuum. Twenty states now have comprehensive privacy laws on the books, each similar in spirit but different in substance. The result is a patchwork that grows more complicated every legislative session, despite the inherent interstate nature of the Internet. A startup based in Austin selling to customers in Sacramento, Hartford, and Providence is suddenly subject to four different sets of rules for the same conduct.
The costs of the current patchwork land squarely on early-stage companies that can least afford them. A 2023 Engine report found that startups invest between $100,000 and $300,000 or more in privacy infrastructure and compliance under current state laws, and each additional state adds another $15,000 to $60,000 or more. For context, the average venture-backed seed-stage startup operates on roughly $55,000 per month. A single new state privacy law can erase a month of runway.
Those costs come from legal fees for outside counsel parsing each new statute, audits and risk assessments duplicated across jurisdictions, and engineering hours spent retrofitting systems for inconsistent rules. As one founder told Engine, complying with the patchwork would require raising “an entire second Series A.” Another startup said it had delayed expansion into California because the resources required to handle CCPA compliance were too significant.
The SECURE Data Act recognizes what should have been obvious from the beginning: compliance regimes built around state lines do not work for businesses that operate online. Instead of allowing the patchwork to grow, the SECURE Data Act would preempt the varying state laws and replace them with strong consumer protections that apply no matter where in the country you — or, if you’re a startup, your users — are located.
Who does the bill apply to?
The SECURE Data Act would apply to businesses that operate in the United States or sell to U.S. residents and either process the personal data of more than 200,000 consumers annually with at least $25 million in revenue, or process the data of 100,000 or more consumers and derive at least 25 percent of revenue from selling that data. By tying applicability to both a user count and a revenue figure, the bill protects small startups while covering businesses with the resources and data footprint to manage real compliance obligations.
Smaller companies are not left adrift. The bill directs the Secretary of Commerce to publish voluntary codes of conduct within two years of enactment for businesses below the applicability thresholds. These codes must be cost-effective and appropriate to the size and risk profile of participants. That is the on-ramp startups need — a clear, government-vetted path to good privacy practices that grows with the company, so that by the time a startup crosses into full scope, it has already built the muscle to comply.
What are the requirements under the bill?
Consumer rights under the law:
Consumers would get a familiar set of rights mirroring those found in existing state laws: to confirm and access their data, correct inaccuracies, delete it, port it to another service, and opt out of targeted advertising, data sales, and profiling in high-risk areas, including things like credit, housing, and employment. Controllers would have to respond to authenticated requests within 45 days, with one extension available when reasonably necessary, and consumers would be entitled to two free requests per right each year; beyond that, or for technically infeasible or manifestly unfounded requests, controllers can charge a reasonable fee or decline. Denied requests trigger a 60-day appeal process. Controllers would not be able to require consumers to create new accounts just to exercise these rights.
Notices and disclosures:
Before processing personal data, controllers would have to publish a clear, accessible privacy notice covering what data is processed, why, how consumers can exercise their rights, who receives shared data, and any transfers to covered nations. Sales of personal data (which is defined as exchanging data with a non-affiliated third party for monetary consideration, and excludes data sharing that takes place as part of processing, mergers and acquisitions, and fulfilling consumer requests) and targeted advertising would require specific pre-collection disclosures. The SECURE Data Act would standardize what notices must contain and remove the guesswork of cross-checking against state-specific addendums.
Limits on sensitive data and secondary uses:
The bill would require consumer consent before processing sensitive data, which is defined as data about race, ethnicity, religion, mental and physical diagnoses, sexual orientation, citizenship or immigration status, biometric and genetic information, and precise geolocation. Data about children and teens would also be considered sensitive data (though, beyond referencing existing child privacy laws, the bill doesn’t detail how controllers would be tasked with determining users’ age). It would also limit secondary uses, meaning a controller could not process personal data for any purpose that is not reasonably necessary or compatible with the original disclosed purpose, unless the consumer consents.
Data minimization and security:
The bill would require that controllers limit data collection to what is adequate, relevant, and reasonably necessary for each disclosed purpose and create security practices that are reasonable and calibrated to the volume, sensitivity, and nature of the data. If a controller generally demonstrates robust data security practices — including by complying with an approved code of conduct, obtaining third-party attestation, adhering to “widely accepted” technical specifications, or implementing a recognized risk management framework — it has a rebuttable presumption of compliance, meaning it would face less of an uphill legal battle if accused of violating the law’s data security requirements.
Automated decision making:
Controllers that rely on fully automated profiling for certain decisions would have to disclose that fact and provide information about how consumers can opt out before the decision is made. This requirement applies only to decisions made with no human oversight and only to high-stakes outcomes like denials of healthcare services, housing, or employment. Startups use automated systems throughout their products, and the bill sensibly does not sweep all that activity into a heavy compliance regime.
How would it be enforced?
FTC and state AG enforcement, with a cure period:
A national privacy framework only solves the existing patchwork problem if it’s enforced consistently, and the SECURE Data Act contains several provisions aimed at harmonizing enforcement. At the broadest level, the Federal Trade Commission would be tasked with enforcing the law, and state attorneys general (AGs) could bring cases if citizens of their state have had their rights under the law violated. State AGs would have to notify the FTC before they bring a case — or, when necessary, as they’re bringing a case — and the FTC would have the ability to intervene in state cases. To mitigate the risk of redundant enforcement actions, state AGs could not bring an action against a company while an FTC enforcement action is pending.
The bill also contains a critical safeguard for startups: a cure period, or a requirement that the FTC and state AGs give companies 45 days to fix any violations of the law before they pursue legal action. If a company fails to fix the violation or violates the law in another way, the legal action can proceed.
Codes of conduct:
Separate from government enforcement, the bill would create a formal “code of conduct” regime where independent organizations certify that participating companies are in compliance with the law. Building on years of industry-led best practices, the bill would allow companies or groups of companies to submit proposed codes of conduct to the Commerce Department that lay out how complying with the code meets the requirements in the bill, what kind of companies would follow the code, which independent organization will enforce the code, and how it will judge compliance. The proposed codes of conduct would be open to public comment, and the Commerce Department would have a year to approve or reject each proposed code.
No private right of action:
Most critically for startups, the bill does not contain a private right of action, or the ability for individual consumers to sue companies that they believe have violated the law. In past Congresses, the fight over whether a privacy law should include a private right of action has gotten so contentious and entrenched that it has derailed several iterations of a national privacy framework, leaving the door open for more states to bring their own privacy laws online.
A private right of action is the favored approach for many privacy advocates, because lawsuits can be a useful tool for granular enforcement in cases where the harms are small or novel and don’t rise to the level of action from a government agency trying to prioritize resources. But private litigation is also easily weaponized in ways that are anticompetitive and disproportionately harm startups. When the cost of defending against a lawsuit — even successfully — can be hundreds of thousands of dollars in legal fees, startups with small budgets and no in-house attorneys become attractive targets for “nuisance-value lawsuits,” or lawsuits filed with the goal of extracting a settlement that takes much less time and costs much less than a legal fight.
We’ve seen this play out in many areas of the law with a private right of action, including intellectual property, online accessibility, and California’s privacy law, which lawmakers attempted to write narrowly but plaintiffs’ attorneys have found creative ways to push to its limits. (The bill would also repeal the Video Privacy Protection Act, a 1980s law originally written to deal with video store rental records that is increasingly being used to bring lawsuits against any website that offers subscriptions, has video content, and hosts advertisements through a cross-web advertising platform.)
A private right of action also leaves open the possibility that different federal courts will interpret the law’s requirements and rights differently, especially as the technology and nature of data collection and processing change in the future. Government enforcement, either by or in coordination with an expert agency, is the best way to ensure fair, consistent enforcement of a law with as wide-ranging an effect as a data privacy framework. While it may set them up for a contentious fight with advocates and lawmakers who demand a private right of action, the SECURE Data Act’s authors were right to leave it out if they want a privacy law that truly solves the current patchwork problem.
Congress is expected to consider the SECURE Data Act in the coming weeks and months, hopefully restarting the long overdue conversation about the need for a federal privacy framework. As startups grapple with the rising costs of an increasingly complex privacy patchwork, lawmakers should prioritize advancing the SECURE Data Act to ensure that Internet users all over the country are protected and all companies — especially startups — have clear and consistent rules of the road about how to protect their users.