We covered the SECURE Data Act when it advanced through committee, noting it as a meaningful — if imperfect — step toward the comprehensive federal privacy law the United States has never had. The Electronic Frontier Foundation has now published a detailed rebuttal, and they’re calling it something harsher: not serious privacy legislation.
The EFF’s critique deserves engagement rather than dismissal. They have a long track record of identifying exactly the kinds of industry-friendly loopholes that convert apparent consumer protections into compliance theater. When the EFF says a bill doesn’t do what its title claims, their analysis is usually worth reading carefully.
Having read it: they’re right about several things, too harsh about others, and the debate between their position and the bill’s supporters illuminates something important about what a real federal privacy law would require.
What the EFF’s Critique Says
The EFF’s core argument is that the SECURE Data Act fails on three dimensions: its exemptions are too broad, its enforcement mechanisms are too weak, and it preempts stronger state protections without providing equivalent federal protection in return.
The exemption problem. The bill contains carveouts for data already regulated under sector-specific laws — HIPAA for health data, FCRA for credit information, COPPA for children’s data, FERPA for education records, and others. The EFF’s argument is that these exemptions create a patchwork where the most sensitive data categories are excluded from the new framework’s protections, leaving only the least sensitive data covered by the “comprehensive” law.
This is a legitimate concern. Under the SECURE Data Act’s structure, a data broker holding both your health records (HIPAA-covered, exempted) and your general browsing history (covered) would face different rules for different parts of the same file. The health records — arguably the most sensitive — are outside the bill’s scope.
The enforcement problem. The EFF argues the bill’s enforcement mechanism — routed through the FTC — is inadequate given the FTC’s existing case backlog and resource constraints. More fundamentally, they criticize the absence of a private right of action. Under the SECURE Data Act, individual consumers cannot sue when companies violate their privacy rights. They can file complaints with the FTC and hope for agency action. Given the volume of potential violations and the FTC’s capacity, the EFF argues this makes the law practically unenforceable at the individual level.
This is the enforcement gap that has made privacy law advocates skeptical of FTC-only enforcement models since the COPPA experience in the 1990s. The Illinois BIPA’s power comes from its private right of action — the plaintiff’s bar becomes an enforcement mechanism. Remove that, and you’re depending entirely on an agency with competing priorities and limited resources.
The preemption problem. This may be the EFF’s most serious objection. The SECURE Data Act includes preemption language that would override stronger state privacy laws in covered areas. California’s more protective opt-out rights, Illinois’s BIPA private right of action, New York’s pending biometric consent requirements — all could be weakened if federal law preempts them in covered data categories.
The argument for preemption is that businesses need uniformity. The argument against it is that you’re trading the most protective standards in the most privacy-conscious states for a national floor set at a lower level. The EFF argues the SECURE Data Act’s floor is low enough that the trade is bad for consumers.
Where the Critique Is Too Harsh
The EFF applies a standard that no federal legislation passed in the current Congress could meet. The question isn’t whether the SECURE Data Act is ideal — it clearly isn’t. The question is whether it’s better than nothing, and whether “better” is worth the preemption cost.
On the substance of the protections it does create, the bill is not trivial. Data minimization requirements — companies can only collect data necessary for their stated purpose — would represent a genuine change in behavior for most data brokers if enforced. The requirement to honor opt-out signals, including the Global Privacy Control, creates obligations that currently exist only in states with opt-out laws. The prohibition on using deceptive design to undermine consent choices (dark patterns) addresses a real and widespread problem.
These are meaningful protections that most Americans currently don’t have at the federal level. Dismissing them entirely because the bill doesn’t include a private right of action or cover HIPAA-regulated data undersells what the bill does.
The EFF’s analysis also doesn’t fully grapple with the political reality that any federal privacy law capable of passing Congress in 2026 will contain industry accommodations. The alternative to the SECURE Data Act isn’t a stronger federal law — it’s continued reliance on the state-level patchwork, which protects people in California, Virginia, and Colorado while leaving most Americans without any meaningful federal baseline.
Where They’re Right to Be Skeptical
Preemption is the sticking point that’s hardest to defend.
If the SECURE Data Act preempts California’s opt-in requirements for sensitive data — allowing a national opt-out standard — consumers in the most privacy-protective state in the country lose protections they currently have. If it preempts Illinois’s BIPA private right of action — ending the flood of biometric privacy class actions that have cost major companies billions — it removes the most effective enforcement mechanism for biometric data rights in the country.
Trading stronger state protections for a weaker federal floor is a bad deal if the preemption is broad. Defenders of the bill argue the preemption is narrowly drafted and doesn’t eliminate state remedies for violations of state law. The EFF argues the operative preemption language is broader than those assurances suggest.
This is ultimately a legal question that will be resolved in court after the bill passes, if it passes. The concern is legitimate: privacy preemption fights have consistently resolved in favor of the narrower interpretation of consumer rights.
What a Real Federal Privacy Law Looks Like
The EFF-versus-SECURE-Data-Act debate is useful because it articulates what a serious federal privacy law would need to include:
Comprehensive coverage. No major exemptions for data categories based on existing sector-specific laws. Health data, financial data, and children’s data should have heightened protection under a comprehensive law — not be handed off to weaker existing frameworks.
A private right of action. FTC enforcement alone is insufficient. Consumers need the ability to sue when their rights are violated. The class action mechanism, for all its flaws, creates the scale of enforcement that agency resources cannot.
No federal preemption of stronger state laws. States should be able to go further. Federal law creates a floor, not a ceiling.
Opt-in as the default for sensitive data. Opt-out frameworks put the burden on consumers to find and exercise rights most will never know they have. Sensitive data — health, financial, location, biometric, political, sexual orientation — should require affirmative opt-in.
Real data minimization. Not “collect what you need” as a vague principle, but specific prohibitions on data collection and retention that go beyond stated purpose.
The SECURE Data Act doesn’t meet this standard. Neither does any other federal privacy bill currently in Congress. That’s a problem that reflects the structure of federal lobbying and the difficulty of building coalitions that include both the tech industry (which wants preemption and FTC-only enforcement) and privacy advocates (who want neither).
Where This Leaves Us
The EFF’s critique doesn’t change the calculus for whether the SECURE Data Act should pass. It clarifies what passing it would cost and what it would buy.
The cost is real: potential preemption of stronger state protections in exchange for a national baseline that includes genuine concessions to industry. The benefit is also real: a federal data minimization obligation, opt-out rights enforced by the FTC, and a dark patterns prohibition that would cover the entire country rather than a handful of states.
Whether that trade is worth making depends on how you assess the probability and timeline of stronger federal legislation, the durability of state protections against future federal preemption, and the marginal value of FTC enforcement versus the current status quo.
What’s not acceptable is passing the SECURE Data Act and declaring the federal privacy problem solved. The EFF is right that this bill doesn’t end the fight — and advocates who accept it as a conclusion rather than a step will have made a costly mistake.
