Robert Bergman

The Preemption Gambit: Why the SECURE Data Act Could Erase 21 State Privacy Laws Overnight

Tags: privacy, compliance, preemption, SECURE Data Act, state law, MODPA, CPRA, federalism

There are two ways to read the SECURE Data Act, introduced in the House yesterday.

The first way: as a long-overdue federal privacy law for the United States, written after a full year of stakeholder consultation, borrowing the template that twenty-one states have already adopted, and giving Americans consistent consumer protections for the first time since the Clinton administration.

The second way: as a preemption vehicle. A federal law that uses the appearance of consumer protection to override the state laws that currently provide the strongest protection, all while locking in an industry-friendly floor that nobody can legally rise above.

Both readings are defensible. Which one you land on probably tells me more about your politics than about the bill. But if you are a compliance officer, a general counsel, or anyone with a budget line item that says “privacy program,” your opinion matters less than your ability to plan for both outcomes. And that planning starts with understanding exactly what the preemption fight is about.

The One Word That Does Everything: “Relates”

Section 15 of the SECURE Data Act contains a preemption clause that nullifies any state law that “relates to” the matters the federal bill covers. Two words. Ten letters. An extraordinary scope.

In federal preemption case law, “relates to” is broader than “is inconsistent with,” broader than “directly regulates,” broader than almost any other common preemption formulation. It is the same language the Supreme Court has interpreted in ERISA cases to sweep in state laws that only tangentially touch employee benefits. The practical effect, if the Court interprets it the same way here, is that any state privacy rule would fall, even one that goes further than the federal floor in a way the federal bill does not specifically prohibit.

What falls? A partial list:

  • California Consumer Privacy Act and its 2023 amendment (CPRA), including the Sensitive Personal Information framework and the California Privacy Protection Agency’s rulemaking authority.
  • Maryland Online Data Privacy Act (MODPA), the strictest law in the country, which we wrote about a few days ago. Maryland bans outright the sale of sensitive data and limits collection to what is “strictly necessary.” SECURE’s floor is softer.
  • Colorado Privacy Act, which mandates universal opt-out recognition via the Global Privacy Control. SECURE has no universal opt-out requirement.
  • Virginia, Connecticut, Utah, Montana, Iowa, Tennessee, Nebraska, New Hampshire, New Jersey, Rhode Island, Indiana, Kentucky, Minnesota, Delaware, Texas, Oregon. Every comprehensive state law, with varying intensity of preemption depending on provision.

That is not a bug. The bill’s sponsors are explicit that it is a feature. According to the joint committee summary, a single national standard would “promote competition by lowering barriers to entry for new firms and increase consumer choice by making it easier for all firms to make offerings of products and services to Americans in all 50 states.”

That statement is true. It is also an admission that the bill’s purpose is uniformity, not maximum protection.

Why Industry Wants a Ceiling, Not a Floor

There is nothing unreasonable about wanting regulatory uniformity. I run multiple businesses; I understand why complying with one law is easier than complying with twenty-one. If you are a mid-size SaaS company trying to serve customers in every state, the current patchwork is genuinely expensive: your legal spend on state-by-state analysis, your engineering spend on per-state opt-out implementations, your marketing spend on Delaware-specific vs. California-specific disclosures. All of it adds up. A federal ceiling solves that problem in one stroke.

This is the Workday position, captured in the IAPP coverage. Barbara Cosgrove, their Chief Privacy Officer, welcomed the bill, noting that the current lack of a federal floor “risks a fragmented digital economy where a person’s privacy rights depend on their zip code.” That is a real concern. Privacy protection by ZIP code is strange as a matter of principle.

It is also the Association of National Advertisers position. They described the bill as a “common-sense standard” that “protects all Americans without jeopardizing the 29 million U.S. jobs supported by advertising.” For the ad-tech industry, a federal ceiling is existentially important, because the strongest state laws, particularly California and Maryland, restrict the targeted-advertising business model in ways that would take time, money, and product redesign to accommodate. Preempting them is faster.

None of these positions are cynical. They are the honest interests of actors who would benefit from uniformity. But they are not, and do not pretend to be, the positions of actors optimizing for maximum consumer protection.

Why Advocates Want a Floor, Not a Ceiling

The opposing position, most clearly stated by Public Knowledge and the Center for Democracy and Technology, is that the bill adopts the weakest workable provisions from existing state laws, not the average, and certainly not the strongest, and then locks everyone into that level forever.

Consider the specifics:

  • Private right of action. California allows a limited private right of action under the CCPA for data breaches involving unredacted sensitive personal information. SECURE allows none. Federal ceiling wins; the California provision goes away.
  • Data broker bans. Some state laws already ban or severely restrict sales of precise geolocation data. SECURE allows sales with opt-out. Federal ceiling wins; the state bans go away.
  • Universal opt-out. Colorado’s Global Privacy Control mandate means a single browser setting can exercise your opt-out rights across every covered site at once. SECURE does not require this. Federal ceiling wins; you go back to per-site opt-outs.
  • Stricter data minimization. MODPA requires that sensitive-data collection be “strictly necessary.” SECURE requires “adequate, relevant, and reasonably necessary.” These are different standards. Federal ceiling wins; MODPA’s stricter standard is overridden.

The cumulative effect is real. Twenty-one states have, through their democratic processes, decided on privacy rules that go further than what the federal bill proposes. Preemption removes their ability to do so. States that were planning to pass strong laws in 2027 or 2028, such as Washington, Florida, and Arizona, all of which have had drafts circulating, would be foreclosed from enacting anything stronger than the federal baseline.

Frank Pallone, the Energy and Commerce Ranking Member, said the bill “protects corporations and their bottom line, not people’s privacy.” That is a political statement, but it is not a wrong one. A ceiling, by definition, protects regulated entities from future state action. Whether that protection is worth the uniformity benefit is the question Congress is being asked to answer.

The Third Option Nobody Is Talking About

The honest truth is that the floor-vs-ceiling debate does not have to be binary. The European Union runs a privacy regime where GDPR sets a strong floor and member states are permitted to go further on some provisions (e.g., age of data-subject consent, employee privacy, journalism exemptions). The EU is messy; it is also one of the most protective privacy regimes on earth.

A federal law that preempted weak state laws (bringing low-protection states up to a common baseline) while permitting stronger state laws to stand (Maryland and California could keep their stricter rules) would achieve most of the uniformity benefit industry wants while preserving the consumer-protection benefit advocates want. This is the approach the ADPPA in 2022 and the APRA in 2024 both flirted with. Both died anyway, largely because industry insisted on a ceiling.

SECURE is not that third option. It is the ceiling-only version. Whether a compromise emerges during markup and floor debate is the thing to watch.

The Compliance Problem You Have Either Way

Here is the part that matters for the people I talk to every week. Whatever happens politically, your compliance obligation is the same in the short term. And in the medium term, the direction of travel is unambiguous.

Short term: the patchwork is still in force. MODPA’s processing obligations kicked in on April 1, 2026. Indiana and Kentucky went live January 1. Rhode Island too. If you handle data belonging to residents of those states, the federal bill does not change your obligations today. Plan for the patchwork as if SECURE will never pass, because for the next 12 to 24 months, it will not have passed.

Medium term: minimization and deletion are the common ground. Every federal proposal in the past four years, whether Republican, Democratic, bipartisan, or partisan, includes data minimization and deletion rights. Every state law includes them. GDPR includes them. Brazil’s LGPD, India’s DPDPA, China’s PIPL all include them. Whatever federal bill eventually passes, or whatever state regime continues if none does, the common denominator is the same: you have to know what sensitive data you have, limit its collection, find it on request, and delete it on request.

Long term: the jurisdiction stops mattering. Here is the honest punchline. A compliance program that works is one that does not depend on which regulator happens to be looking at your organization on a given day. The company that can find, minimize, and redact PII across its document set is compliant under California, Maryland, Virginia, Colorado, SECURE, APRA, GDPR, HIPAA, GLBA, or any plausible successor to any of them. The company that cannot is not compliant anywhere, regardless of the statute.

The preemption fight in Congress is about who writes the rulebook. The underlying discipline, which means knowing where your personal data is, being able to find it, redact it before sharing, and delete it on request, is not written by any single rulebook. It is imposed by all of them, simultaneously.

A Practical Framing

If you are running a compliance program right now, here is how I would think about SECURE:

  1. Do not wait. The fight over preemption could take eighteen months to resolve. Your current state-law obligations are not suspended during that time.
  2. Do not bet on preemption. Build your workflow to satisfy the strictest state law you are currently subject to. If that is Maryland, build for Maryland. If SECURE passes with a weaker ceiling, your program will still work. You will just have headroom you did not need. If SECURE does not pass, or passes with stronger provisions, or a state gets stricter in the meantime, you are already there.
  3. Do not outsource the discipline. Vendors, SaaS platforms, and AI tools will all tell you they “handle compliance.” Some of them are telling the truth. Most are solving one slice of the problem and leaving you responsible for the rest. The workflow you run directly, on your own infrastructure, is the one you can actually defend in an audit.
  4. Build for minimization first. Every regime agrees on this. If your data inventory is accurate and your retention policy is tight, half the privacy rulebook is already satisfied. The other half, including consumer rights, deletion, and disclosure, becomes tractable once you know what you have.

A Closing Thought

I said at the start that which reading of SECURE you land on probably tells me something about your politics. That is true. But here is the thing neither reading changes: whatever Congress does, the documents on your hard drive still contain personal information, and you are still responsible for handling it correctly.

That responsibility does not disappear if SECURE passes. It does not deepen if SECURE fails. It is constant. The political fight over who sets the rules is consequential and worth following, but it is not an excuse to delay the work.

Build the discipline. Redact the documents. Minimize the collection. Satisfy the deletion requests. Do it now, under the patchwork, with whatever rules apply today. You will still be doing it five years from now, under whatever federal or state framework we land on, because that work is what “privacy protection” actually means at the operational level.

The preemption fight is a fight about the map. The territory has not changed.


Running a program that works under any of these frameworks? PII Anomalyzer is a desktop application that detects and redacts a wide range of PII across your documents, entirely offline, with nothing transmitted to the cloud. The workflow stays consistent whether your next audit is against MODPA, CPRA, a future SECURE Data Act, or GDPR. See pricing or download the free trial.

Robert Bergman is CEO of Southwest Management Technology and Next Level Mediation.