SECURE Data Act Knowledge Base

Plain-language answers to the questions business owners are asking about the proposed SECURE Data Act — federal preemption, coverage thresholds, sensitive data requirements, and compliance preparation. This knowledge base covers 12+ critical topics including GDPR comparisons, enforcement penalties, consumer rights, and step-by-step compliance roadmaps.

Key Facts About SECURE Data Act

Coverage Threshold: 200,000+ consumers (annual data processing threshold for SECURE Data Act coverage)

Small Business Exemption: Under $25M revenue (annual revenue threshold for the small business exemption)

State Laws Preempted: 21+ state frameworks (existing state privacy laws that would be superseded)

Federal Legislation | 6 min read | April 2025

What Is the SECURE Data Act? A Plain-Language Guide for Business Owners

The SECURE Data Act is a proposed federal privacy law that would create a single national standard for how businesses collect, use, and protect consumer data — replacing the current patchwork of 21+ state laws.

Quick Answer

What does the SECURE Data Act require businesses to do?

The SECURE Data Act requires covered businesses to provide consumers with rights to access, correct, delete, and port their personal data. It mandates opt-in consent for sensitive data categories, requires data minimization practices, and obligates companies to conduct data protection assessments for high-risk processing activities. Businesses must also designate a privacy officer and maintain written data protection programs.

Preemption & Compliance | 7 min read | April 2025

Federal Preemption Under the SECURE Data Act: What Happens to State Privacy Laws?

If enacted, the SECURE Data Act would preempt all existing state privacy laws — including California's CCPA/CPRA, Virginia's VCDPA, and 19 other state frameworks — replacing them with a single federal standard.

Quick Answer

Will the SECURE Data Act replace state privacy laws like CCPA?

Yes. The SECURE Data Act contains a broad preemption clause that would nullify any state law "relating to" its provisions. This means California's CCPA and CPRA, Virginia's VCDPA, Colorado's CPA, and all other state privacy frameworks would be superseded upon enactment. Businesses currently complying with multiple state laws would transition to a single federal compliance standard, though some state laws addressing specific sectors (like Illinois BIPA for biometrics) may survive depending on final legislative language.

Business Applicability | 5 min read | March 2025

Is My Business Covered by the SECURE Data Act? Coverage Thresholds Explained

Not every business will be subject to the SECURE Data Act. Coverage depends on the volume of consumer data processed and annual revenue. Here's how to determine if your business falls within scope.

Quick Answer

What businesses are covered by the SECURE Data Act?

The SECURE Data Act covers businesses that either (1) process personal data of 200,000 or more U.S. consumers annually, or (2) process data of 100,000 or more consumers and derive 25% or more of their revenue from selling personal data. A small business exemption applies to companies with less than $25 million in annual revenue. Notably, the Act covers "controllers" (entities that determine the purpose and means of processing) and "processors" (entities that process data on behalf of controllers) differently, with controllers bearing the primary compliance burden.

Compliance Planning | 8 min read | February 2025

SECURE Data Act Compliance Roadmap: 5 Steps Every Business Should Take Now

The SECURE Data Act has not yet passed, but businesses that begin compliance preparation now will be significantly better positioned when — and if — it becomes law. Here is a practical five-step roadmap.

Quick Answer

How should businesses prepare for the SECURE Data Act?

Businesses should begin SECURE Data Act preparation with a data inventory audit to map all personal data collected, stored, and shared. Next, conduct a gap analysis comparing current practices against the Act's requirements. Third, update or create a written privacy program including a public-facing privacy notice, internal data handling procedures, and a data breach response plan. Fourth, implement technical and organizational controls for data minimization, access management, and consumer rights fulfillment. Fifth, engage qualified privacy counsel to review your program and monitor legislative developments. Early preparation reduces cost and risk compared to reactive compliance after enactment.

Comparative Analysis | 7 min read | February 2025

SECURE Data Act vs. GDPR: How Does the U.S. Proposal Compare to European Privacy Law?

The SECURE Data Act draws inspiration from the EU's General Data Protection Regulation (GDPR) but differs in key areas including enforcement mechanisms, consent standards, and the scope of consumer rights.

Quick Answer

How does the SECURE Data Act compare to GDPR?

The SECURE Data Act and GDPR share foundational principles — data minimization, consumer rights, and accountability — but differ significantly in enforcement and scope. GDPR allows private lawsuits by individuals and imposes fines up to 4% of global annual revenue; the SECURE Data Act relies solely on FTC and state AG enforcement with no private right of action. GDPR requires a lawful basis for all processing; the SECURE Data Act uses an opt-out model for general data and opt-in only for sensitive categories. GDPR applies to any company processing EU residents' data regardless of location; the SECURE Data Act applies to U.S. companies meeting coverage thresholds. Both require data protection assessments for high-risk processing and mandate breach notification.

Enforcement & Penalties | 6 min read | January 2025

SECURE Data Act Enforcement: Who Enforces It and What Are the Penalties?

The SECURE Data Act places enforcement authority with the FTC and state attorneys general — with no private right of action for consumers. Understanding the penalty structure helps businesses assess their compliance risk exposure.

Quick Answer

What are the penalties for violating the SECURE Data Act?

Under the SECURE Data Act, the Federal Trade Commission (FTC) serves as the primary enforcement authority and may pursue civil penalties for violations. The Act authorizes penalties of up to $10,000 per violation per day for knowing or willful violations, with total penalties potentially reaching tens of millions of dollars for systemic non-compliance. State attorneys general may also bring civil actions on behalf of state residents. Critically, the Act does not include a private right of action, meaning individual consumers cannot sue businesses directly — a significant departure from California's CPRA, which allows limited private lawsuits. The FTC is also authorized to issue implementing regulations that may further define penalty structures post-enactment.

Consumer Rights | 5 min read | January 2025

Consumer Rights Under the SECURE Data Act: Access, Correction, Deletion, and Portability

The SECURE Data Act grants U.S. consumers four core data rights — access, correction, deletion, and portability. Businesses must build operational processes to fulfill these rights within prescribed timeframes.

Quick Answer

What rights do consumers have under the SECURE Data Act?

The SECURE Data Act grants consumers four primary rights over their personal data. The right of access allows consumers to request confirmation of whether a business processes their data and to obtain a copy of that data. The right of correction enables consumers to request that inaccurate personal data be corrected. The right of deletion allows consumers to request erasure of their personal data, subject to certain exceptions for legal obligations and legitimate business purposes. The right of portability requires businesses to provide data in a structured, commonly used, machine-readable format upon request. Businesses must respond to verified consumer requests within 45 days, with a possible 45-day extension for complex requests. Businesses may not charge fees for fulfilling these requests.

Compliance Planning | 7 min read | December 2024

Data Protection Assessments Under the SECURE Data Act: When Are They Required?

The SECURE Data Act mandates data protection assessments (DPAs) for high-risk processing activities. Understanding when a DPA is required — and what it must cover — is essential for covered businesses.

Quick Answer

When does the SECURE Data Act require a data protection assessment?

The SECURE Data Act requires covered businesses to conduct and document data protection assessments before engaging in processing activities that present a heightened risk to consumers. Mandatory DPA triggers include: processing sensitive personal data, processing data for targeted advertising, selling personal data to third parties, processing data for profiling that produces legal or similarly significant effects, and any processing that presents a reasonably foreseeable risk of harm to consumers. DPAs must weigh the benefits of the processing against the risks to consumers and document the safeguards implemented to mitigate those risks. The FTC may request DPAs during investigations, making thorough documentation critical. DPAs must be updated when processing activities materially change.

Data Classification | 6 min read | December 2024

Third-Party Data Sharing Under the SECURE Data Act: Contracts, Processors, and Liability

The SECURE Data Act imposes specific requirements on how businesses share personal data with third parties — including mandatory contractual provisions, processor obligations, and controller liability for downstream data misuse.

Quick Answer

What does the SECURE Data Act require for sharing data with third parties?

The SECURE Data Act requires controllers to enter into written contracts with processors before sharing personal data for processing on their behalf. These contracts must specify the nature and purpose of processing, the types of data involved, the duration of processing, and the obligations and rights of both parties. Processors are prohibited from processing data beyond the scope of the controller's instructions. Controllers remain liable for processor violations if they fail to conduct reasonable due diligence or continue using a processor after discovering non-compliance. Third-party data sales — distinct from processor relationships — require consumer opt-out rights and must be disclosed in the business's privacy notice. Businesses that sell data must also honor opt-out requests from consumers who do not wish their data sold.

Business Applicability | 5 min read | November 2024

Privacy Notice Requirements Under the SECURE Data Act: What Must Be Disclosed?

The SECURE Data Act requires covered businesses to maintain a clear, accessible privacy notice that discloses their data practices. Here is exactly what the notice must contain and how it must be presented to consumers.

Quick Answer

What must a privacy notice include under the SECURE Data Act?

The SECURE Data Act requires covered businesses to provide a privacy notice that is reasonably accessible, clear, and written in plain language. The notice must disclose: the categories of personal data collected and the purposes for which each category is processed; whether the business sells personal data or processes it for targeted advertising; the categories of third parties with whom data is shared; how consumers can exercise their rights of access, correction, deletion, and portability; how consumers can opt out of data sales and targeted advertising; the business's contact information for privacy inquiries; and the effective date of the notice. The notice must be provided at or before the point of data collection and must be updated within 30 days of any material change to data practices. Businesses operating websites must post the notice in a conspicuous location.

Enforcement & Penalties | 6 min read | November 2024

Data Breach Notification Under the SECURE Data Act: Timelines and Obligations

The SECURE Data Act establishes federal breach notification requirements that would supersede the current patchwork of 50 state breach notification laws. Here is what businesses need to know about timelines, triggers, and required disclosures.

Quick Answer

What are the breach notification requirements under the SECURE Data Act?

The SECURE Data Act requires covered businesses to notify affected consumers and the FTC following a data breach involving personal data. Notification to the FTC must occur within 72 hours of discovering a breach that affects 500 or more consumers. Consumer notification must follow without unreasonable delay and must include: a description of the breach, the types of data involved, steps the business is taking to address the breach, and guidance on steps consumers can take to protect themselves. For breaches involving sensitive data categories, expedited notification timelines apply. The Act preempts all state breach notification laws, creating a single federal standard. Businesses that experience a breach and fail to notify within required timelines face enhanced civil penalties.

SECURE Data Act vs. State Privacy Laws

Feature | SECURE Data Act | State Laws (CCPA/CPRA)
--- | --- | ---
Coverage Threshold | 200,000+ consumers, or 100,000+ consumers and 25%+ of revenue from data sales | California: $25M+ revenue or 100,000+ consumers
Private Right of Action | No private right of action | Yes (limited under CPRA)
Enforcement Authority | FTC and state AGs | State AGs and private parties
Penalties | Up to $10,000 per violation per day | Up to $7,500 per violation (CPRA)
Sensitive Data Opt-In | Yes, required for 11+ categories | Limited to specific categories
Scope | Federal preemption of all state laws | State-by-state compliance required
