House Republicans Propose Comprehensive Federal Privacy Law Regime: SECURE Act and GUARD Act
Secure Act (HB 8413)
Guard Act (HB 8398)
House Republicans have introduced a pair of bills to establish a new comprehensive federal privacy law framework that would preempt current state frameworks, expand consumer rights and impose new obligations, with the potential to also affect international data flows, transfers and commerce. One bill would modernize the 1999 Gramm-Leach-Bliley Act, which imposes privacy obligations on the financial sector, and the other would impose privacy obligations on all non-financial sectors. However, passage of the measures this session is uncertain due to the compressed legislative calendar, other legislative priorities, the absence of bipartisan support and pushback from the states.
Non-Financial Sectors / SECURE Act – The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Act, HR 8413) would establish a comprehensive Federal consumer privacy framework preempting state frameworks. The framework would be enforced by the Federal Trade Commission and state attorneys general, with the Department of Commerce assigned responsibility for developing policies on cross-border data flows/transfers and privacy in global commerce. It imposes obligations on data brokers/controllers/processors, requires industry codes of conduct and opt-in consent for sensitive data (including teens), and establishes a data broker registry. It provides for phased-in compliance over a two-year period.
Financial Sector / GUARD Act amending GLBA – The Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act (GUARD Act, H.R. 8398) would modernize the Federal financial privacy framework, known as the Gramm-Leach-Bliley Act (GLBA). It would prohibit depository institutions from collecting data they do not need and from retaining it for longer than necessary, create new access and deletion rights for both current and former customers, and convert the current GLBA customer opt-out right to an affirmative opt-in right before institutions could disclose sensitive personal information.
FINRA Transformation Project Update
Like other agencies, FINRA is undertaking to transform its operations, knowledge and rulebooks to keep pace with rapid changes in the capital markets and in the financial sector more broadly. In April 2025 FINRA announced FINRA FORWARD, a group of three initiatives to modernize FINRA rules, enhance how it supports member firm compliance, and enhance how it supports cybersecurity and fraud risk mitigation. In April 2026, it released its first progress report on these initiatives.
U.S. States’ Privacy Fines Topped $3.4B in 2025 and Expected to Accelerate
In 2025, privacy-related fines issued by U.S. states reached a record-breaking $3.425 billion, a total that exceeds the combined penalties of the previous five years. According to Gartner, this surge marks a definitive transition from a “grace period” of regulatory education to a phase of aggressive, full-scale enforcement. The sharp increase is primarily attributed to the maturation of state privacy laws, the formation of interstate enforcement consortiums, and new amendments designed to regulate the personal data used in AI model training and automated decision-making. Gartner predicts that this trend will only accelerate through 2028 as more states—currently 22 with passed laws and 24 with pending legislation—standardize their oversight frameworks.
The report highlights a critical compliance gap for many organizations, noting that programs established around 2020 have often been allowed to “atrophy,” leaving them vulnerable to modern regulatory scrutiny. Most of the recorded violations stem from shortcomings in the “privacy user experience,” specifically regarding subject rights, consent management, and the transparency of privacy notices. As personal data becomes increasingly central to AI innovation, Gartner advises CISOs and privacy leaders to prioritize rigorous program audits. Companies must ensure their data protection strategies are not only active but also defensible against the rising tide of penalties that now target businesses of all sizes across technology, automotive, and consumer sectors.


