
The SECURE Data Act: How Does it Compare to the GDPR and What Might it Mean for UK and EU Businesses?

The draft SECURE Data Act (also known under the longer title of The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act) is officially on the table in the U.S. In this article, we look at how the bill compares with GDPR and consider what it may mean for UK and EU businesses.

The bill establishes a national framework for consumer privacy rights and the protection of personal data. It is backed by both the U.S. House of Representatives Energy & Commerce Committee and Judiciary Committee leadership. 

Previous attempts at establishing a comprehensive federal data privacy regime in the U.S. have not been successful. Turning this bill into law will require many additional steps, and the text is subject to revision, amendment and updates during that process. That said, this bill is a renewed push to establish a uniform and comprehensive federal privacy law. The current U.S. landscape for consumer data privacy requires regulated businesses to navigate a bi-partisan coalition of states (21 thus far) that have passed their own state privacy laws. You can read our quick takeaways for an overview of what the SECURE Data Act is initially proposing and what it could mean for existing state privacy laws if they are superseded by a federal law.

How does the initial draft SECURE Data Act compare to GDPR?

Our table explores some of the similarities and differences between the draft SECURE Data Act and GDPR (in GDPR's broad sense and noting there are divergences between UK and EU GDPR, particularly as a result of the UK Data (Use and Access) Act 2025).

Topic | Initial Draft SECURE Data Act | GDPR

Who is caught?

SECURE Data Act: Would apply only to larger businesses (revenue over $25,000,000) and/or businesses that process a lot of personal data (over 100,000 people). For more detail on the thresholds, see here.

GDPR: Applies broadly to all economic operators, including micro, small and medium-sized enterprises.

Scope of personal data

SECURE Data Act: Would apply only to personal data linked to a U.S. consumer, meaning individuals acting in their individual or household capacity, and would not include individuals acting in a commercial (business-to-business) or employment context.

GDPR: Applies to personal data linked to individuals regardless of whether they are acting in a private or commercial capacity.

Territorial scope

SECURE Data Act: Has extraterritorial reach if an organization outside the U.S. is engaged in commerce in the U.S.

GDPR: Has extraterritorial effect and can apply to organizations outside the UK/EU even if they have no offices, staff or servers there, for example where an organization outside the UK/EU targets or monitors individuals in the UK/EU.

Some Key Data Processing Principles

SECURE Data Act: Would set out a number of principles relating to the processing of personal data (this is not an exhaustive list):

  • Data would need to be processed in a transparent manner.
  • The principle of data minimization would apply, and controllers would be required to limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose.
  • Data security obligations would be imposed on the controller, who must implement and maintain reasonable administrative, technical and physical data security practices.

GDPR: Sets out a number of principles relating to the processing of personal data (this is not an exhaustive list):

  • Data must be processed lawfully, fairly and in a transparent manner.
  • The principle of data minimization applies, and organizations must only process the personal data that is necessary for the purpose.
  • Data must be processed in a manner that ensures appropriate security of the personal data, including using appropriate technical or organizational measures.

Some Key Definitions

SECURE Data Act:

  • An "identified or identifiable natural person" is a person who can be readily identified, directly or indirectly.
  • The term "controller" refers to a person who, alone or jointly with others, determines the purpose and means of processing personal data.
  • The term "processor" refers to a person that processes personal data on behalf of a controller.
  • The term "pseudonymous data" refers to personal data which cannot be attributed to an individual without the use of additional information.
  • A number of definitions/concepts have no equivalent in GDPR, for example "data broker" and "covered nation".

GDPR:

  • The data subject is defined as an "identified or identifiable natural person".
  • The term "controller" refers to a person/entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • The term "processor" refers to a person/entity which processes personal data on behalf of a controller.
  • The term "pseudonymisation" refers to the processing of personal data in such a way that it cannot be attributed to a data subject without the use of additional information.
  • A number of GDPR definitions have no equivalent in the draft SECURE Data Act, for example "personal data breach" and the obligation on the controller to notify such a breach, in certain circumstances, to the relevant supervisory authority.

Individual rights

SECURE Data Act: Consumers would have a number of rights (which are not absolute and are subject to certain exceptions):

  • Right to confirm if processing and access a copy of personal data
  • Right to correct
  • Right to delete
  • Right to data portability
  • Right to opt out of targeted advertising (expressly excludes measurement or ad reporting), sale, and profiling
  • Right to appeal within the controller business

GDPR: Data subjects have a number of rights regarding the processing of their personal data (which are not absolute and are subject to certain exceptions), including:

  • Right to confirm if processing and access a copy of personal data
  • Right to correct or complete
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Restrictions on automated decision making (see more below)

Controller and processor roles

SECURE Data Act:

  • The Act includes a clear separation of controller and processor roles.
  • The Act would require the data processor to undergo assessments to demonstrate compliance with the Act.
  • The Act would require a contract between the controller and processor to govern the processor's data processing procedures; the contract must include certain minimum requirements.

GDPR:

  • GDPR includes a clear separation of controller and processor roles.
  • The data controller must only use processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures to ensure their processing meets GDPR requirements.
  • GDPR requires the controller and processor to enter into a binding contract which contains a number of compulsory provisions.

Cross-border data flows

SECURE Data Act: The Act includes a specific section on international data flows and would direct the Secretary of Commerce to advise on policy relating to the international flow of personal data.

GDPR: Includes detailed provisions on cross-border transfers, aimed at ensuring an adequate level of privacy protection when data is sent outside the UK/EU.

Restrictions on sensitive data

SECURE Data Act: Higher standard for processing "sensitive data". The Act provides an opt-in framework: companies would have to obtain a consumer's "specific, informed, and unambiguous agreement" before collecting, selling, or using consumers' sensitive data in any way. "Sensitive data" includes (1) racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a child or teen; and (4) precise geolocation data.

GDPR: Higher standard of protection for special categories of personal data. There are 10 conditions under which special categories of personal data can be processed, one of which is explicit consent from the data subject. GDPR special category data is defined similarly to U.S. "sensitive data", the notable differences being that GDPR also includes political opinions and trade union membership but does not cover precise geolocation data. Child data is not classified as special category data but is given specific protection elsewhere in the GDPR.

Automated Decision Making

SECURE Data Act: Largely does not address personal data being processed for automated decision making, except in the context of profiling to make legal or significant decisions through automated means.

GDPR: Contains provisions on automated decision making and profiling (noting there are some divergences between the UK and EU regimes).

Enforcement

SECURE Data Act: The Federal Trade Commission (FTC) would be the primary enforcer of the Act, with authority to enforce it against FTC-regulated businesses and common carriers subject to the Communications Act, and with the right to seek injunctive relief. State attorneys general would also be able to enforce the Act, including by seeking injunctive relief.

GDPR: Enforcement is by the relevant supervisory authority: in the UK, the Information Commissioner's Office; in the EU, the supervisory authority in the relevant member state (for example, CNIL in France). The supervisory authorities have broad powers, including the right to issue reprimands, ban processing, and order rectification or erasure of data.

Fines / compensation

SECURE Data Act: No GDPR-style fines regime; however, the FTC would have authority to obtain civil penalties, which are presently up to $53,068 per violation (periodically adjusted for inflation). State regulators would have authority to seek damages (limited to actual harm to residents of their state).

GDPR: Administrative fines apply up to a maximum of £17,500,000 or 4% of an undertaking's total worldwide annual turnover, whichever is higher; these fines can be significant. There is an express right for individuals to claim compensation for breaches of the GDPR.

What does this mean for UK and EU businesses?

UK and EU businesses which operate internationally are likely to cautiously welcome this development. Having a uniform and comprehensive federal privacy law should reduce the need for UK and EU businesses to juggle multiple U.S. state laws.

UK and EU businesses are likely to have questions about what the development means for the existing EU-U.S. adequacy decision and the UK's adequacy regulations for the U.S. They may be wondering whether they will need to update any existing transfer risk assessments for international data transfers to the U.S. No steps are required at this time, but if the SECURE Data Act is advanced and ultimately enacted, then companies may need to revisit their Transfer Impact Assessments to reflect the change in U.S. data privacy regulation.

What if you want to know more about the draft SECURE Data Act?

At Womble Bond Dickinson, we have experienced lawyers on both sides of the Atlantic who can support with expansion in the United States, ensuring you are appropriately protected and have access to our network of contacts who can provide wider business support. 

WBD US' content hub explores change in the Federal Government and offers legal insights into regulatory, economic, and legislative developments impacting your business and industry. Our U.S. Privacy & Cybersecurity team, Digital Solutions Sector team, and Federal Government team will be providing more granular breakdowns, on the content hub, of this proposed bill, its potential impacts, and the pathways required for it to become law.

You can also reach out to Andrew Kimble (if your query relates to UK data privacy matters) or Taylor Ey (if your query relates to US data privacy matters).
