New US House Privacy Bills Raise Hard Questions About Enterprise Data Collection
New US House Privacy Bills Raise Hard Questions About Enterprise Data Collection
US House Republicans have introduced two major privacy proposals that would reshape how US companies collect, process, and retain consumer data: the SECURE Data Act for general consumer privacy and the GUARD Financial Data Act for financial institutions. These bills aim to create national standards for privacy and security practices while broadly preempting many state privacy laws, including the stronger protections already in place in states like California and Maryland.
The proposed legislation would eliminate the possibility of private lawsuits under the federal framework, leaving enforcement primarily to the Federal Trade Commission and state attorneys general. This combination of federal preemption, weaker enforcement, and broad compliance changes has made the bills politically toxic for Democrats and privacy advocates alike. The Electronic Privacy Information Center (EPIC) has called the SECURE Data Act “a huge gift to Big Tech” and warned that “a weak federal standard is worse than no standard at all.” 🚨
The bills matter because they expose the privacy issues enterprises are already being forced to confront under existing state laws and federal guidance, including data minimization, automated profiling, data broker accountability, and increasingly complex rules around sensitive data. The SECURE Data Act includes familiar privacy rights: access, correction, deletion, portability, opt-outs for targeted advertising and data sales, and restrictions on certain forms of automated profiling. It also creates a federal data broker registry and formal controller-processor obligations for companies and vendors.
The most consequential operational issue for enterprises, however, is data minimization—the increasingly accepted principle that companies should collect only what they need, retain it only as long as necessary, and be able to justify both decisions. The National Institute of Standards and Technology (NIST) already treats minimization as a core privacy and security principle, stating that organizations should collect only the personal information necessary for a stated purpose, because excess retention creates avoidable privacy and security risks.
For CIOs, CISOs, and CFOs, this is not simply a privacy-notice issue. Dormant customer records, excessive telemetry, forgotten SaaS archives, oversized AI training datasets, and legacy marketing databases all increase breach exposure. The more unnecessary data a company stores, the larger its attack surface becomes.
Alan Butler, executive director and president of EPIC, argues the SECURE bill’s own minimization language is weaker than what leading states already require. He stated, “The answer is that the law doesn’t really do anything,” because the provision largely ties collection limits to what companies disclose in their privacy policy rather than imposing a stronger necessity standard. This creates an unusual enterprise dynamic: the bill could weaken privacy protections overall while still reinforcing the long-term expectation that companies must be able to justify why they keep the data they have.
The SECURE Data Act also touches AI in meaningful ways. The bill includes opt-outs for fully automated profiling used for decisions with legal or similarly significant effects. That language can clearly implicate some uses of AI, particularly in hiring, lending, insurance, and other high-impact decisions. Butler noted that privacy law may become the first practical form of AI regulation for many enterprises. Training datasets, customer prompts, telemetry collection, and retention periods all become harder to defend when regulators ask whether the data is truly necessary. Additionally, one of the most disruptive provisions involves teens, stating that a controller may not process the sensitive data of a teen without obtaining verifiable parental consent. The bill defines sensitive data to include personal data collected from a teen, meaning almost any interaction involving a known user between 13 and 15 years old could trigger the requirement.