Two House Bills Aim to Create National Privacy Standards, Preempt State Laws

Members of the Energy and Commerce Committee introduced the SECURE Data Act, governing how technology companies and services handle data, while the Financial Services Committee bowed the GUARD Financial Data Act, covering data protection by financial institutions.

The two bills follow years of mostly fruitless efforts by Congress to establish national data standards. In their absence, at least 20 states have passed their own privacy statutes creating a maze of sometimes conflicting compliance requirements for businesses operating across state lines.

The bills introduced Wednesday draw many of their definitions and requirements from existing state laws and would keep state enforcement of the new federal standards in place. But neither bill creates a private right of action allowing consumers to sue an organization they believe has violated their privacy rights, setting up a potential clash with Democrats on the two committees who generally favor permitting private enforcement actions.

As described in a joint press release, the bills would establish “national standards for the protection of Americans’ personal data, ending the confusing and ineffective privacy patchwork currently in place,” and “retain a role for state enforcers, including Attorneys General and insurance regulators.”

The bills would require financial institutions and non-financial data “controllers” to limit the collection of consumer data to only what is needed to do their jobs.

According to Financial Service chair Rep. French Hill (R-AK), the GUARD Act aims to “modernize” the Gramm-Leach-Biley Act of 1999 that requires financial institutions to explain their data collection policies to consumers.

Read more: Failed Utah AI Bill Highlights Ongoing Conflict Between States and Feds

“It was written in a technology-neutral fashion that has adapted well to the changes in technology and types of consumer data that have developed since 1999,” Hill and the bill’s co-sponsors, Reps. Bill Huizenga (R-MI) and Bryan Steil (R-WI), said in a joint statement. “But, in that time, the volume and complexity of data have increased such that providing consumers greater control over their financial data has become imperative.”

The measure would allow current and former customers to request access to financial data held by an institution, let former customers request deletion of their data and require affirmative opt-in consent before sensitive personal information is disclosed.

In a separate statement, Energy and Commerce chair Rep. Brett Guthrie (R-KY) and Rep. John Joyce (R-PA) said the SECURE Act would establish “clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping.” It would also place new requirements on data brokers, which would have to comply with data minimization, disclosure and security rules, register with the Federal Trade Commission and provide details on their privacy practices and the personal data they sell. The FTC would be charged with creating a searchable public registry intended to help consumers understand how to exercise their privacy rights.

The two bills would also empower the Secretary of Commerce to support cross-border data flows and to address the effects of foreign data localization rules and transfer restrictions ,and protect Americans’ data from risks associated with foreign adversaries, such as being sold to or processed in China or Russia.