SECURE Data Act
Glossary

Plain-language definitions of key terms in the proposed SECURE Data Act and federal data privacy law. Understanding the terminology is the first step toward compliance readiness.


SECURE Data Act
Legislation
The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (HR 8413), a proposed federal privacy law introduced in the 119th Congress on April 22, 2026. If enacted, it would establish a single national standard for consumer data privacy, preempting all existing state privacy laws.

Context

The SECURE Data Act represents the most significant federal privacy legislation proposed in the United States to date, drawing on frameworks from the EU's GDPR and existing state laws while creating a uniquely American federal standard.

Related: Federal Preemption, Controller, Processor, Sensitive Data
Federal Preemption
Legal Concept
The legal principle by which federal law supersedes conflicting state law. The SECURE Data Act's preemption clause uses the broadest possible formulation — nullifying any state law that "relates to" its provisions — which would effectively eliminate all 21 existing state comprehensive privacy laws upon enactment.

Context

Federal preemption under the SECURE Data Act would be immediate upon enactment, with no transition period currently proposed. This means businesses complying with CCPA, VCDPA, and other state laws would need to shift to the federal standard on the effective date.

Related: CCPA, VCDPA, State Privacy Laws
Controller
Covered Entity
Under the SECURE Data Act, a "controller" is any person or entity that, alone or jointly with others, determines the purpose and means of processing personal data. Controllers bear the primary compliance burden under the Act, including obligations to provide privacy notices, honor consumer rights, and conduct data protection assessments.

Context

Most businesses that collect and use consumer data for their own purposes are controllers. A company that collects customer data to send marketing emails, for example, is a controller of that data.

Related: Processor, Data Protection Assessment, Privacy Notice
Processor
Covered Entity
A "processor" is any person or entity that processes personal data on behalf of a controller. Processors must enter into written contracts with controllers specifying the scope and purpose of processing, and may not process data beyond the controller's instructions.

Context

Cloud service providers, payroll processors, and email marketing platforms are common examples of processors. While processors have fewer direct obligations than controllers, they face significant contractual and security requirements.

Related: Controller, Data Processing Agreement
Personal Data
Data Classification
Any information that is linked or reasonably linkable to an identified or identifiable individual. Under the SECURE Data Act, personal data includes names, email addresses, IP addresses, device identifiers, browsing history, purchase records, and any other information that can be used to identify a specific person.

Context

The definition of personal data under the SECURE Data Act is intentionally broad. Aggregated or de-identified data that cannot reasonably be re-identified is generally excluded from coverage.

Related: Sensitive Data, De-identification, Data Minimization
Sensitive Data
Data Classification
A defined category of personal data that receives heightened protection under the SECURE Data Act, requiring affirmative opt-in consent before collection or use. Sensitive data includes: health and medical information, biometric data, genetic data, precise geolocation (within 1,750 feet), financial account information, government-issued ID numbers, racial or ethnic origin, religious beliefs, sexual orientation or gender identity, immigration status, and personal data of individuals under 16.

Context

The opt-in consent requirement for sensitive data is one of the most significant compliance obligations under the Act. Unlike general personal data (which uses an opt-out model), sensitive data requires businesses to affirmatively obtain consumer consent before any collection or processing.

Related: Opt-In Consent, Biometric Data, Precise Geolocation
Data Minimization
Compliance Principle
The principle that businesses should collect and process only the personal data that is reasonably necessary and proportionate to the specific purpose for which it was collected. The SECURE Data Act requires covered businesses to implement data minimization practices as a core compliance obligation.

Context

Data minimization is both a legal requirement and a risk management strategy. Businesses that collect only what they need have less exposure in the event of a data breach and face fewer consumer rights requests.

Related: Purpose Limitation, Data Protection Assessment
Data Protection Assessment (DPA)
Compliance Requirement
A documented analysis that covered businesses must conduct before engaging in high-risk processing activities. DPAs must weigh the benefits of the processing against the risks to consumers and document the safeguards implemented to mitigate those risks. The FTC may request DPAs during enforcement investigations.

Context

DPAs are required before processing sensitive data, engaging in targeted advertising, selling personal data, or conducting profiling that produces legal or significant effects on consumers. They must be updated when processing activities materially change.

Related: Sensitive Data, Targeted Advertising, FTC
Targeted Advertising
Data Use
Under the SECURE Data Act, targeted advertising means displaying advertisements to a consumer based on personal data obtained from the consumer's activities across non-affiliated websites, applications, or services. Businesses engaging in targeted advertising must disclose this practice and provide consumers with an opt-out mechanism.

Context

Contextual advertising — ads based on the content of the page being viewed rather than cross-site behavioral data — is not classified as targeted advertising under the Act and is not subject to opt-out requirements.

Related: Opt-Out Rights, Cross-Context Behavioral Advertising, Data Protection Assessment
Opt-In Consent
Consumer Rights
A form of consent that requires a consumer to take an affirmative action to agree to data processing before that processing may occur. Under the SECURE Data Act, opt-in consent is required for processing sensitive data categories. Opt-in consent cannot be obtained through pre-checked boxes, implied consent, or bundled consent buried in terms of service.

Context

Opt-in consent is the more protective standard — it places the burden on the business to obtain permission before acting. This contrasts with opt-out consent, where processing may proceed unless the consumer actively objects.

Related:Opt-Out RightsSensitive DataConsent
Opt-Out Rights
Consumer Rights
The right of consumers to direct a business to stop selling their personal data or processing it for targeted advertising. Under the SECURE Data Act, businesses must provide a clear and conspicuous opt-out mechanism, honor opt-out requests within 15 days, and maintain opt-out preferences for at least 12 months.

Context

Opt-out rights apply to general personal data processing for data sales and targeted advertising. For sensitive data, the stronger opt-in standard applies instead.

Related: Opt-In Consent, Data Sales, Targeted Advertising
Right of Access
Consumer Rights
The right of consumers to request confirmation of whether a business processes their personal data and to obtain a copy of that data. Under the SECURE Data Act, businesses must respond to verified access requests within 45 days, with a possible 45-day extension for complex requests. No fee may be charged for fulfilling access requests.
Related: Right of Correction, Right of Deletion, Right of Portability
Right of Deletion
Consumer Rights
The right of consumers to request that a business erase their personal data. Under the SECURE Data Act, businesses must honor deletion requests within 45 days, subject to exceptions for legal obligations, legitimate business purposes, and certain other circumstances. Businesses must also instruct processors to delete the data.
Related: Right of Access, Right of Correction, Processor
Right of Portability
Consumer Rights
The right of consumers to receive their personal data in a structured, commonly used, machine-readable format upon request, enabling them to transmit that data to another business. Under the SECURE Data Act, portability requests must be fulfilled within 45 days at no charge.
Related: Right of Access, Right of Deletion
Privacy Notice
Compliance Requirement
A clear, accessible disclosure that covered businesses must provide to consumers at or before the point of data collection. Under the SECURE Data Act, a privacy notice must disclose: data categories collected, processing purposes, whether data is sold or used for targeted advertising, third-party sharing, how to exercise consumer rights, and the business's contact information. The notice must be updated within 30 days of any material change.
Related: Data Minimization, Consumer Rights, Opt-Out Rights
FTC (Federal Trade Commission)
Enforcement
The primary federal enforcement authority under the SECURE Data Act. The FTC may pursue civil penalties of up to $10,000 per violation per day for knowing or willful violations, and is authorized to issue implementing regulations that may further define compliance obligations and penalty structures post-enactment.

Context

Unlike California's CPRA, which created a dedicated privacy enforcement agency (the CPPA), the SECURE Data Act relies on the existing FTC — a generalist consumer protection agency — as its primary enforcer.

Related: Civil Penalties, State Attorneys General, Enforcement
CCPA / CPRA
State Law
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is California's comprehensive consumer privacy law. It grants California residents rights to access, delete, correct, and opt out of the sale of their personal data. The CCPA/CPRA would be preempted by the SECURE Data Act upon enactment.

Context

The CCPA/CPRA is widely considered the strongest state privacy law in the U.S. and has served as a model for many other state frameworks. Its preemption by the SECURE Data Act is one of the most debated aspects of the proposed federal legislation.

Related: Federal Preemption, VCDPA, State Privacy Laws
Biometric Data
Sensitive Data Category
Data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voiceprints, eye retinas or irises, facial geometry, or other unique biological patterns used to identify a specific individual. Biometric data is classified as sensitive data under the SECURE Data Act and requires opt-in consent.

Context

Illinois' Biometric Information Privacy Act (BIPA) is a state law specifically governing biometric data. Whether BIPA would survive preemption under the SECURE Data Act is an open legal question that depends on the final legislative language.

Related: Sensitive Data, Opt-In Consent
Precise Geolocation
Sensitive Data Category
Data that identifies the past or present physical location of an individual within a radius of 1,750 feet or less. Precise geolocation is classified as sensitive data under the SECURE Data Act and requires opt-in consent before collection or use.

Context

Many mobile apps and websites collect precise geolocation data for navigation, local search, and advertising purposes. Under the SECURE Data Act, these uses would require affirmative opt-in consent from users.

Related: Sensitive Data, Opt-In Consent, Targeted Advertising
Data Breach Notification
Compliance Requirement
The obligation to notify affected consumers and the FTC following a security incident involving personal data. Under the SECURE Data Act, the FTC must be notified within 72 hours for breaches affecting 500 or more consumers. Consumer notification must follow without unreasonable delay. The Act preempts all 50 state breach notification laws.
Related: FTC, Personal Data, Sensitive Data
