X

State Attorneys General Oppose Federal Data Privacy Bill

"A robust federal data privacy law is one that maximizes protections for consumers by setting a floor, not a ceiling, to allow states to continue to innovate and quickly adapt to the ever-evolving technology industry."
State AGs' Letter to Congress
"A robust federal data privacy law is one that maximizes protections for consumers by setting a floor, not a ceiling, to allow states to continue to innovate and quickly adapt to the ever-evolving technology industry."
State AGs' Letter to Congress

State attorneys general urged Congress to reject a recently introduced federal consumer privacy bill, arguing that the bill's broad preemption language would effectively nullify stronger existing state privacy protections.

In the letter, the attorneys general ("AGs,") together with state consumer protection offices and privacy authorities, raised several substantive concerns about the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act ("SECURE Data Act"). They argued the SECURE Data Act narrows key definitions (such as "sensitive data," "biometric data," and "profiling") in ways that would strip consumers of rights they currently enjoy under state law. They said the bill's data minimization standard applies only to data collection, not to how businesses use, share, or retain data, and it sets no data retention limits at all. They also argued the bill fails to require businesses to honor opt-out preference signals, a technology already operational in 12 states, instead mandating only a three-year study with no clear path to implementation.

The AGs argued that a sound federal privacy framework should establish a national floor, not a ceiling, allowing states to continue adapting quickly to a fast-changing data landscape, much as existing federal frameworks like HIPAA and COPPA have done. The AGs said any federal framework should leave room for states to legislate as technology and data practices change.

Further, the AGs contended that the bill offers businesses only a permanent 45-day notice-and-cure window before any enforcement action can proceed - a provision that rewards delayed compliance. They said the bill would also eliminate civil penalties in state-brought actions, reduce deterrence, and restrict enforcement authority to the FTC and state attorneys general, cutting out specialized state agencies (like California's Privacy Protection Agency.)

The letter was signed by attorneys general of California, Connecticut, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New Hampshire, Oregon, Vermont, Virginia, and Washington, along with the California Privacy Protection Agency.

Primary Sources

  1. Release: HAWAIʻI OFFICE OF CONSUMER PROTECTION OPPOSES FEDERAL SECURE DATA ACT LEGISLATION
  2. H. R. 8413: SECURE Data Act
  3. California letter on the Secure Act

Tags

Regulated Activities
Regulatory Oversight Jurisdiction
Regulated Products
Data
Body of Law
Privacy / Data Protection / Cybersecurity
Jurisdiction
US - Federal , States
Organization
States