A Guide for Marketers and Compliance Teams
This is a guest post written by email industry expert Gayla Huber.
The SECURE Data Act (Securing Data and Establishing Consumer Uniform Rights and Enforcement over Data Act) is a proposed federal privacy law that would establish a single national standard for data protection in the United States.
If this law passes, it will change how marketers and compliance teams collect, use, and manage consumer data, especially as AI becomes more common in marketing.
The U.S. does not have a single federal privacy law yet, but proposals like the SECURE Data Act show a move toward more data accountability. However, we have seen this several times over the last decade or more, and it never comes to fruition.
What is the SECURE Data Act?
The SECURE Data Act is meant to replace the many state privacy laws with one federal framework for data privacy.
Currently, more than 20 states have enacted their own privacy regulations, creating complexity for businesses operating across state lines.
The main goal of the SECURE Data Act? To set one national standard for data privacy compliance.
Possible benefits for businesses:
- Reduced state-by-state compliance requirements
- Simplified consent and data management strategies
- More consistent enforcement expectations
However, the bill also involves tradeoffs, especially regarding state-level AI and data regulation innovation.
Who the SECURE Data Act Applies To
“In general.—This Act shall apply to any person that is subject to the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or is a common carrier subject to title II of the Communications Act of 1934 (47 U.S.C. 201 et seq.) and—
- with respect to the business of the person—
- (A) conducts business in the United States or offers for use or sale to a resident of the United States a product or service; or
- (B) processes or engages in the sale of personal data of a resident of the United States; and
- with respect to personal data and annual gross revenue in the course of such business—
- (A) collects and processes personal data of more than 200,000 consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and has an annual gross revenue of $25,000,000 or more (as adjusted on January 1 each year by the percentage increase (if any), during the preceding 12-month period, in the Consumer Price Index for All Urban Consumers published by the Bureau of Labor Statistics); or
- (B) collects and processes personal data of 100,000 or more consumers annually (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) and derives 25 percent or more of the annual gross revenue of the person from the sale of such personal data.”
Industries most affected by these rules are:
- Lead generation companies
- Adtech and martech platforms
- Businesses using personalization or targeting
Key Consumer Data Rights
The SECURE Data Act would give consumers rights similar to those in current state privacy laws.
Consumers would have the right to:
- Access their personal data
- Correct inaccurate information
- Request data deletion
- Receive a portable copy of their data
- Opt out of targeted advertising and data sales
How the SECURE Data Act Connects to AI Transparency
The SECURE Data Act does not directly regulate AI, but it does affect the data used to train and run AI systems, such as:
- Training data sets
- Customer inputs and prompts
- Behavioral and targeted data
Marketing and compliance teams will need to combine data privacy compliance with AI governance.
Compliance Requirements for Businesses
The biggest changes would affect how businesses manage their operations internally.
The SECURE Data Act reinforces several core compliance requirements:
- Data minimization (collect only necessary data)
- Opt-in consent for sensitive data
- Clear and accessible privacy notices
- Defined timelines for consumer data requests
This change means companies will need to move from simply following rules to actively taking responsibility for their data practices. Good actors in the space are already doing most of this, so there should not be any whiplash for most.
Impact on Data Brokers and the Data Ecosystems
One of the most important parts of the bill deals with data brokers, and I have so many questions.
The SECURE Data Act requirements for data brokers:
- Annual registration with the Federal Trade Commission (FTC)
- Creation of a public registry of data brokers
Typically, when we see companies having to register anywhere, it means more operating costs. Also, this is going to hurt good actors who WILL register, when bad actors will NOT. All in all, just another killer for any small business or start-up.
Key Limitations of the SECURE Data Act
Despite its scope, the bill does have some positive limitations for businesses.
- No private right of action
- No universal opt-out mechanism
- No required privacy impact assessments
- Limited direct regulation of AI systems
Even though the bill does not directly regulate AI, it is clear that regulators want more insight into how AI systems work and how they affect consumers.
The Most Controversial Part: Preemption
The SECURE Data Act would override all current state privacy laws and stop states from creating so many different privacy laws. We as an industry want this and have wanted this so that we don’t have to deal with a patchwork of state laws.
As a result, privacy is quickly becoming the foundation for AI regulation.
Will the SECURE Data Act Pass?
Short answer: Do not count on it, in its current form.
While the SECURE Data Act has strong Republican support, Democrats oppose it, with no indication of bipartisan momentum.
Previous federal privacy bills, including the American Data Privacy and Protection Act (2022) and the American Privacy Rights Act (2024), met similar challenges and ultimately stalled.
What Marketers and Compliance Teams Should Do Now
The direction is clear, even if the timing is not.
Instead of waiting for a federal law, start getting your organization ready for stricter data requirements now. Making changes today can help you stay compliant and get ahead of the competition.
Recommended actions:
- Audit data collection and usage methods
- Review third-party data sharing agreements
- Update and simplify privacy notices
- Strengthen consent and preference management
The Bottom Line
Whether or not the SECURE Data Act becomes law, it highlights the following:
Privacy and AI transparency are becoming one and the same. Businesses need to explain how they collect, use, and apply data. Companies that are open and responsible with their data practices will be more successful in the future.
About the Author
Gayla Huber is a recognized leader in compliance, marketing technology, and brand protection, currently serving as President of IntegriShield, a company she has led since 2015. With over two decades of industry experience, Gayla has built a reputation as a “compliance ninja” and digital problem-solver, helping companies in highly regulated industries navigate the complexities of risk management, regulations, and brand safety.
Gayla Huber,
President
IntegriShield
Legal Disclaimer
Nothing in this text should be construed as legal advice. As with any legal requirements, it is always recommended to get professional legal advice to ensure your email program is compliant with all relevant laws in different countries and regions.
Interested in contributing to the OPTIZMO blog? We welcome guest perspectives from industry professionals looking to share insights with the email marketing community. Reach out to marketing@optizmo.com to submit your request and connect with our team.
To learn more about email deployment, email compliance, and other industry insights, check out our full blog here.
