Rep. John Joyce’s new privacy bill could strip protections from millions of Americans, privacy advocates warn

Congress is moving forward with another attempt at a national data privacy law—but this time, the bill could actually make things worse for millions of Americans living in states with strong privacy protections already in place.

The SECURE Data Act, introduced by Rep. John Joyce (R-PA) alongside House Energy and Commerce Committee Chair Brett Guthrie (R-KY), represents a Republican effort to establish baseline privacy standards across the country. On the surface, this sounds reasonable: a uniform national standard could simplify compliance for companies and extend protections to states that currently lack comprehensive privacy laws. But privacy advocates are raising alarm bells about what the bill would take away.

The bill’s core provisions would require companies to collect only the user data they genuinely need to perform promised services, allow users to see what information websites hold about them, and enable users to request deletion of their data. These are legitimate protections that would benefit consumers in states without existing privacy frameworks. The problem lies in what happens to states that have already gone further.

States like California, Virginia, Colorado, Connecticut, and Utah have enacted their own privacy laws over the past few years—each with varying degrees of strength. California’s approach, in particular, has set a higher bar for consumer protection than what many other states have adopted. The concern among privacy advocates is that a federal standard, if poorly designed, could preempt these state laws and replace them with weaker protections. In other words, millions of Americans could lose privacy rights they already have.

How Does Federal Preemption Actually Work in Privacy Law?

This is not a new problem in federal regulation. When Congress passes a national standard on a consumer protection issue, it often includes language that prevents states from enforcing stricter rules. This is called preemption, and it’s a powerful tool that can either protect consumers or harm them, depending on where the federal floor is set. Research from NYU Law demonstrates that “even when federal or state law threatens to preempt local privacy regulation, it mainly establishes privacy” baselines that can limit stronger local protections.

If the SECURE Data Act’s floor is lower than what California or Virginia already require, residents of those states would effectively lose protections. The Brennan Center for Justice notes that “the United States lacks a comprehensive data privacy law,” creating a patchwork where state innovations could be vulnerable to federal override.

What Essential Protections Could Americans Lose?

The bill is also missing several elements that privacy advocates consider essential. The source material indicates the proposal lacks certain safeguards that privacy organizations have identified as necessary for comprehensive consumer protection. Without access to the full legislative text’s details in the reporting, the specific gaps are not enumerated, but the warning from advocates suggests the bill does not go far enough in key areas where privacy risks remain high.

The timing of this bill is significant. It arrives as tech companies face increasing pressure from state-level regulation and as consumer awareness of data privacy issues continues to grow. A national standard that favors industry convenience over consumer protection could effectively freeze privacy law in place at a relatively low level, making it harder for states to innovate or strengthen protections in response to new threats.

What Would This Mean for Your Personal Data?

For the average American, the stakes are concrete. If you live in California and the SECURE Data Act becomes law with broad preemption language, you could lose the right to opt out of certain data sales or the ability to request that companies delete your information under the more stringent California Consumer Privacy Act (CCPA). Your data broker could continue selling your information to the highest bidder, and you would have fewer legal tools to stop them.

The bill’s introduction by Joyce and Guthrie signals Republican interest in shaping the privacy debate before Democrats push for stronger federal standards. This is a strategic move: by introducing a moderate Republican bill now, they may be able to frame the debate around a lower baseline rather than allowing privacy advocates and Democratic lawmakers to set the terms. It’s a common legislative tactic—control the center of the negotiation by moving first.

Will Congress Address the Preemption Concerns?

The real question now is whether Congress will listen to privacy advocates’ concerns about preemption and missing protections, or whether the bill will move forward largely unchanged. The House Energy and Commerce Committee, where Guthrie holds significant power, will likely be the first stop for this legislation. Privacy organizations will almost certainly testify against the bill in its current form, but their influence on Republican-controlled committees has limits.

The SECURE Data Act represents a critical moment for American privacy law. A poorly designed national standard could entrench weak protections for a generation. Watch for amendments in committee that address preemption language and fill in the gaps privacy advocates have identified. The outcome will determine whether a national privacy law becomes a floor that lifts all boats or a ceiling that traps millions of Americans in weaker protections than they already have.