New bill targets data privacy gaps beyond HIPAA and FERPA

The new bill, H.R. 8413, recently had a federal privacy legislation hearing. Designed to protect personal records at the federal level, the bill has received mixed feedback.

What happened

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade recently held a hearing on the SECURE Data Act, also known as H.R. 8413, which attempts to establish uniform rules for how personal data is collected, used, or sold by companies.

The Act was drafted by Republicans and, if passed, would preempt all state privacy laws. Its goal is to replace the current patchwork of differing state privacy laws with a single federal standard.

In the know

Many states have already created laws addressing how businesses handle and protect data. Currently, 20 states have consumer data protection laws, largely modeled after California’s landmark California Consumer Privacy Act. That act outlines several core rights for consumers, including:

  • The right to delete, meaning consumers can demand that businesses delete their personal data, with certain exceptions.
  • The right to opt out, which allows consumers to opt out of the sharing or sale of their information to third parties.
  • The right to know, which means consumers can request what personal data a business has collected about them and how it has been used.

While many states have used California’s law as a starting point, most have slight differences that can create confusion among consumers and businesses, especially given how many businesses operate across multiple states.

Going deeper

According to Legis1, the June hearing was the product of over 16 months of internal committee development, undertaken by the Privacy Work Group that Chairman Brett Guthrie, a Kentucky Republican, established in early 2025. The bill was formally introduced on April 21, 2026.

The legislation would give consumers the right to access, correct, and delete their personal data, as well as opt out of targeted ads and data sales at the national level. Companies that make over $25 million in revenue and collect data on 200,000 or more consumers would need to follow the legislation.

The big picture

The legislation follows multiple prominent data breaches, including the large breach against Instructure’s Canvas platform, among other institutional data breaches and the ever-rising threats against healthcare. While many of these organizations are covered by HIPAA or the Family Educational Rights and Privacy Act (FERPA), many companies slip through the cracks. For instance, in 2023, biotechnology company 23andMe faced a massive data breach, exposing sensitive genetic and personal information of nearly 7 million US customers. Despite the sensitive nature of the information, which is frequently considered related to health data, 23andMe technically fell outside the scope of HIPAA and was not subject to HIPAA requirements, which created challenges when it came to holding 23andMe accountable for the breach. Similarly, FERPA generally applies only to educational organizations that receive funds from the U.S. Department of Education, meaning that some private educational institutions may not be required to comply.

The proposed bill aims to close these gaps, but it has received some pushback. It currently has no Democratic cosponsors, although the issue is generally bipartisan. According to Legis1, some believe that a federal law could become limiting for states that currently have stricter requirements. Ultimately, the bill has significant support, including a companion bill in the Senate, but bills like this have faced trouble moving forward in the past. In 2022, for instance, the American Data Privacy and Protection Act passed through the House Energy and Commerce Committee but failed to pass in the House, due to concerns that it could weaken state privacy standards.

FAQs

What’s next for the bill?

Following the hearing, which took place earlier this month, lawmakers will begin a process of “legislative markup,” where they will continue to discuss and make changes to the bill. If it successfully passes the committee following any changes, it will then go to the House and Senate floors.

Will this bill impact HIPAA covered entities?

This bill will impact organizations that collect data on 200,000 or more consumers and make above $25 million in revenue, which means certain healthcare organizations may be impacted while others may not be. The exact impact on healthcare or educational institutions will become clearer as the bill is amended and progresses.
