Two Bills, One Framework: What the SECURE Data Act and GUARD Act Actually Do
If you run compliance for a healthcare system, a mid-size law firm, a community bank, or any organization that has spent the last five years trying to chart a path through California, Virginia, Colorado, and eighteen other state privacy laws, yesterday was a day worth paying attention to. House Republicans introduced two bills that, taken together, attempt to do something Congress has been unable to do for twenty years: set a single federal privacy rule for the whole country.
The headlines are going to simplify this story. It deserves better than that. The bills are specific, the provisions matter, and the political path to enactment is narrower than the press release suggests. Here is what actually dropped on April 22, 2026, and what it means if you are the one at your organization responsible for answering “are we compliant?”
The Two Bills, Briefly
SECURE Data Act (H.R. 8413)
- Full name: Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act.
- Scope: every sector except financial services.
- Sponsor: Rep. John Joyce (R-PA), chair of the House Energy and Commerce Data Privacy Working Group.
- Co-sponsors: eight House Republicans. Zero Democrats.
GUARD Financial Data Act (H.R. 8398)
- Full name: Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act.
- Scope: financial institutions and the data they hold.
- Sponsor: Rep. Bill Huizenga (R-MI), vice chair of the House Financial Services Committee.
- Co-sponsors: three House Republicans. Zero Democrats.
- Mechanism: amends the 1999 Gramm-Leach-Bliley Act rather than creating a new statute.
The pair is intentional. SECURE exempts financial firms; GUARD exempts everyone else. Together they are meant to form a seamless national privacy regime covering roughly every flow of consumer data in the U.S. economy.
What SECURE Would Give Consumers
The bill grants five consumer rights that should sound familiar to anyone who has read Virginia’s VCDPA, Colorado’s CPA, or two-thirds of the laws passed since 2023:
- The right to know when data is being collected.
- The right to access their data, in a portable format.
- The right to request deletion of their personal data.
- The right to opt out of targeted advertising, sales of personal data, and certain automated decisions.
- The right to have children’s data (under 13) treated as sensitive, alongside health and precise geolocation data.
On the business side:
- Data collection must be limited to what is “adequate, relevant, and reasonably necessary” for the purposes disclosed to the consumer. This is the data-minimization language that has become standard in every modern privacy regime.
- Data brokers would have to register with the FTC, which would publish a searchable central registry with links to privacy-rights mechanisms. The goal is visibility: giving consumers a place to see who is trading their information.
- A safe harbor program would give companies a defense against enforcement if they adhere to a Department of Commerce-approved code of conduct. This is new territory for federal privacy law.
- Enforcement would run through the FTC and state attorneys general.
What SECURE Would Not Give Consumers
This is where the bill’s politics get sharp.
- No private right of action. If a company mishandles your data, you cannot sue them. You can complain to the FTC or your state AG. That is the full list.
- No universal opt-out mechanism. If you have been watching the Global Privacy Control debate, the bill does not require sites to honor it.
- No mandatory data protection impact assessments or data protection officers. Those are two baseline expectations in most state laws and all of Europe.
These are not incidental omissions. The ADPPA in 2022 and APRA in 2024 both included a private right of action, and both died in part because industry groups opposed it. SECURE’s drafters removed it. Whether that makes the bill more or less likely to pass depends on which side of the aisle you ask.
What GUARD Would Do to GLBA
Most people have forgotten how light the original Gramm-Leach-Bliley Act was on consumer rights. Passed in 1999, it focused on disclosures and safeguards. Tell customers what you collect, protect it reasonably, offer them a way to opt out of certain sharing. That was the standard for twenty-six years.
GUARD adds:
- Data minimization obligations at the financial-institution level. Banks and credit unions cannot collect data they do not need, and they cannot hold it longer than necessary.
- Access and deletion rights for current and former customers, including the right for a former customer to ask a bank to delete their information.
- Affirmative opt-in consent before sensitive personal information can be disclosed. This is a meaningful shift: GLBA’s default was opt-out.
For a community bank, a credit union, or a fintech, this changes the data lifecycle. A customer who closed their account eight years ago now has a plausible right to request deletion. The records-retention schedule you built in 2015 needs a rewrite.
The Fight Over Preemption
The single most contested provision in SECURE is Section 15, a sweeping preemption clause that would nullify any state privacy law that “relates to” the federal framework.
That phrase matters. “Relates to” is doing serious work here. Depending on interpretation, it would wipe out:
- California’s CPRA and the CCPA,
- Virginia’s VCDPA and every state modeled on it,
- Maryland’s MODPA, which we covered in our Privacy Patchwork piece, and which is the single strongest state law on sensitive data collection,
- Colorado’s targeted-advertising opt-out rules,
- Connecticut, Utah, Montana, Iowa, Tennessee, New Hampshire, New Jersey, Rhode Island, Kentucky, Indiana, Minnesota, and several more.
Twenty-one states have comprehensive privacy laws on the books right now. SECURE’s preemption language would replace all of them with the federal floor, which is, in most measurable ways, lower than what the strongest states provide.
Industry supporters are clear about why they want this. A single national standard, the bill’s summary argues, would “promote competition by lowering barriers to entry for new firms and increase consumer choice.” That is partly true. Running compliance against a single rulebook is genuinely cheaper than running it against twenty-one.
Privacy advocates are equally clear about why they oppose it. Sara Collins of Public Knowledge called the bill “a false promise dressed up as consumer protection” because the preemption clause strips states of the ability to offer stronger protection. Eric Null at the Center for Democracy and Technology said the bill would “federally codify industry-favored state privacy rules while preempting state laws that include stronger protections, including requirements to affirmatively minimize collection of data and bans on selling certain sensitive information like Americans’ precise locations.”
This is the real political fight. Not whether the federal government should act on privacy. Almost everyone agrees it should. The question is whether the federal act should be a floor (states can go further) or a ceiling (states cannot).
The Political Reality
Both bills were introduced without Democratic co-sponsors. The prior two serious federal privacy attempts, the American Data Privacy and Protection Act (2022) and the American Privacy Rights Act (2024), were bipartisan, bicameral, and still died. SECURE and GUARD start with a narrower political base than either of their predecessors.
Rep. Frank Pallone, the Energy and Commerce Ranking Member, told reporters the bill “protects corporations and their bottom line, not people’s privacy.” Lisa Hone, who served as Democratic chief counsel on the subcommittee that handled the APRA, called it “an enormous and disappointing step away” from the prior bipartisan work.
That is not the language of a bill about to move. The working assumption among people I’ve spoken to in the compliance world this morning is that SECURE and GUARD are now the opening offer in a longer negotiation, not the framework that will ultimately pass. But the opening offer sets the terrain.
What This Means for Your Compliance Program
Whatever happens in Congress, a few things are now true regardless of outcome:
- Federal privacy legislation is a live issue again. It had gone cold after APRA stalled. You can assume some version of a federal rule will land in the next 18 to 36 months, even if it is not this one.
- Data minimization is the common ground. Every bill drafted in the past four years, whether Democratic, Republican, or bipartisan, includes some form of “collect only what you reasonably need.” If you have not implemented a data inventory and a retention-review process, you are behind.
- Deletion rights are table stakes. Every bill includes them. Every state law that exists includes them. The organizations that have not built a deletion workflow are going to spend a lot of money in the next year catching up.
- Automated decision-making and AI are part of privacy law now. SECURE explicitly covers “certain automated decisions” in the opt-out rights. Whatever model you are running to score credit, evaluate claims, screen candidates, or prioritize collections is going to sit inside a privacy rulebook soon.
- Children’s data is sensitive data. The bill treats under-13 data the same as health and geolocation. If your product or service sees children’s information, that is now a regulated data category, not an incidental one.
The Underlying Workflow Hasn’t Changed
Here is what I keep telling compliance teams. And frankly, what I keep telling myself. The laws keep moving. The underlying discipline does not.
You still need to know what personal information is in your documents. You still need to be able to find it, minimize it, redact it before you share it with a third party, and delete it when a consumer asks. It does not matter whether the rule you are following is MODPA, CPRA, HIPAA, GLBA, the coming federal bill, or some cobbled-together combination of all of them. The work at the document layer is the same.
That is why local, offline PII detection and redaction, the kind you can run on a laptop without sending documents to a cloud service, has become such a practical hedge. If you can find sensitive data in your files and remove it before it leaves your environment, you satisfy the minimization and deletion and disclosure obligations in every framework I just listed. The federal bills would not change that. If anything, they make the workflow more valuable, because a national standard means everyone, not just Maryland and California, needs to do it.
A Closing Thought
I do not know whether SECURE and GUARD will pass. The political math is hard, the preemption fight is real, and the next election will change everything before either bill has a markup.
What I do know is that the direction is set. The United States is moving toward a comprehensive privacy framework, by some path, whether the destination is federal preemption, a floor-not-ceiling compromise, or a continued state-led patchwork that eventually gets rationalized. Compliance teams that wait for clarity will wait a long time. The ones that build systems which work under any reasonable outcome are the ones that will still be on their feet when the dust settles.
Build for the minimization. Build for the deletion. Build for the “your documents don’t leave your environment” workflow. The specific statute changes. The discipline does not.
Sources
- IAPP: US Republicans introduce latest comprehensive privacy legislation (Joe Duball, April 22, 2026)
- VitalLaw: With Two Bills, House Republicans Offer ‘Unified’ National Data Privacy Framework (Tom Leithauser, Wolters Kluwer, April 22, 2026)
- Text of the SECURE Data Act, H.R. 8413
- Text of the GUARD Financial Data Act, H.R. 8398
- House Energy & Commerce and Financial Services joint news release
- Center for Democracy and Technology statement
- Public Knowledge response
Robert Bergman is CEO of Southwest Management Technology and Next Level Mediation.