Congress Unveils SECURE and GUARD Privacy Bills, Eyes National Data Standard
House Republicans introduced the SECURE and GUARD privacy bills, aiming to set a federal data protection standard.
Why it matters: A national privacy regime would reshape compliance for corporate legal teams by preempting state laws and establishing consistent consumer data rights. Legal tech, financial services, and any entity handling large-scale data would need to overhaul policies and processes.
- The SECURE Data Act (H.R. 8413) and GUARD Financial Data Act (H.R. 8398) were introduced on April 22, 2026.
- SECURE grants consumers rights to access, correct, delete, and port personal data, and opt out of targeted ads and data sales.
- GUARD updates the Gramm-Leach-Bliley Act, requiring data minimization, expanded opt-out rights, and affirmative consent.
- Both bills preempt state privacy laws, with enforcement by the FTC and state AGs—no private right of action.
On April 22, 2026, House Republicans advanced privacy reform by introducing two bills designed to overhaul data protection across the United States: the SECURE Data Act (H.R. 8413) and the GUARD Financial Data Act (H.R. 8398).
- The SECURE Data Act proposes a new national data privacy baseline. Covered entities—those processing data for over 200,000 individuals and grossing more than $25 million, or handling 100,000 individuals' data and deriving at least 25% of revenue from its sale—would need to grant consumers control over their information, including rights to access, correction, deletion, data portability, and the ability to opt out of targeting and sales.
- The GUARD Financial Data Act updates the Gramm-Leach-Bliley Act, introducing stricter data minimization, new deletion rights for former customers, and a 45-day response deadline for consumer requests. Affirmative consent would be required for collecting or sharing sensitive financial data.
- Both bills would supersede state privacy regimes, seeking to streamline rules nationwide. Enforcement powers would be vested with the FTC and state attorneys general. There is no private right of action—a detail likely to draw debate.
Rep. John Joyce, a leader behind the effort, said, “This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safekeeping.”
However, some critics, including Alan Butler of EPIC, warn that GUARD relies on “an outdated notice-and-choice regime,” potentially allowing continued misuse of consumer data under the guise of transparency.
Nick Hart of the Data Foundation emphasized industry demand for reform, noting, “A strong federal privacy framework is long overdue, and the Data Foundation is committed to supporting Congress in advancing meaningful policy improvements.”
For legal and compliance teams, these bills could mean a complete overhaul of current data governance frameworks if enacted. Businesses operating in multiple states would benefit from uniformity but may face stricter obligations and deadlines for consumer rights responses.
By the numbers:
- April 22, 2026 — Introduction date for both privacy bills
- $25M — Minimum annual gross revenue for SECURE Data Act applicability (if >200,000 individuals' data processed)
- 45 days — Deadline for financial institutions to reply to consumer data requests under GUARD
Yes, but: There is no private right of action, raising questions about how robustly consumer rights will be enforced.