On July 1, 2026, the California Assembly’s Committee on Privacy and Consumer Protection passed SB 690, a bill that would amend the California Invasion of Privacy Act (CIPA) to cut off the flood of litigation that has hit companies across industries for the last several years.

By way of background, dozens of states have passed comprehensive privacy laws to regulate website cookies and pixels. Despite that, plaintiffs have increasingly turned to wiretapping and pen register laws like CIPA—statutes never designed for online tracking—to bring thousands of lawsuits and arbitrations in recent years. Indeed, some pro se plaintiffs and firms appear to be sending thousands of demand letters a week, with courts expressing concern that it is approaching vexatious conduct.

SB 690 was introduced in 2025 to add a “commercial purpose” exception to CIPA, clarifying that the use of cookies and pixels on commercial websites does not constitute unlawful wiretapping or eavesdropping, nor does it constitute a pen register. SB 690 overwhelmingly passed the California Senate last year, then stalled, apparently due to political and lobbying pressure.

At the July 1, 2026 hearing, the committee amended SB 690 in two significant ways.

First, the committee narrowed the “commercial purpose” exception to cover only “conduct occurring on an internet website, online application, or mobile application.” Such conduct would no longer be subject to CIPA’s private right of action. Enforcement would shift exclusively to the California Attorney General.

Second, and more consequentially, the “commercial purpose” exception would apply retroactively: it would reach pending claims in any lawsuit commenced within two years before SB 690’s operative date, if the bill passes.

The California legislature now enters summer recess. SB 690 is expected to move to the Appropriations Committee in August. The Privacy and Consumer Protection Committee vote is welcome news for the business community, but the bill still has a long way to go—and plenty of time for political and lobbying groups to mount a fight. In the meantime, companies should continue to balance statutory and regulatory compliance, business needs, and risk mitigation efforts, while tracking SB 690’s progress.

In recent years, a handful of pro se plaintiffs and plaintiffs’ firms have sent tens of thousands of demand letters to businesses, threatening class action lawsuits under the California Invasion of Privacy Act (CIPA) unless those businesses pay settlements averaging $10,000 to $25,000.

The demands typically assert claims under CIPA arising from businesses’ alleged use of common tracking technologies on their websites. One of the most prominent theories is based on Section 638.51 of CIPA, which prohibits the installation of “pen registers” or “trap and trace” devices without a court order. The viability of this legal theory has not been squarely addressed by any appellate court yet—though appeals are pending, including in Variety Media, LLC v. Superior Court—and thus trial courts have mostly allowed pen register claims to survive early motions to dismiss. This has only emboldened plaintiffs. By some estimates, plaintiffs’ firms asserting these claims have used CIPA allegations to collect over half a billion dollars in settlement payments from businesses.

Businesses rallied for reform, but early efforts at a legislative fix—known as Senate Bill 690—seemingly stalled.

Last night, however, the California Assembly’s Committee on Privacy and Consumer Protection held a meeting that gave businesses a glimmer of hope. A long line of local and national business associations and community members appeared at the meeting to voice their strong support for a revised version of SB 690, which is more narrowly focused on stemming the tide of demands asserting claims under CIPA’s pen register provision. As amended, the bill contemplates a retroactive elimination of Section 638.51’s private right of action. The bill received 10 votes, with the vote left open for absent committee members. The tone of the discussion appeared cautiously optimistic. Both proponents and opponents seemed to recognize that work remains to be done, but that the bill could reach a point that would be tolerable for both sides.

The legislature enters its summer recess upon adjournment on July 2, 2026, and reconvenes on August 3, 2026. For SB 690 to have any meaningful impact this year, it will need to be passed into law before the legislature adjourns on August 31, 2026.

Wiretapping class actions based on websites’ use of common tracking technologies continue to rise. And because many courts have allowed these cases to survive motions to dismiss, businesses often feel pressure to settle early—even when they have strong defenses.

Much of that pressure comes from the threat of a classwide judgment reaching eight or nine figures. However, a trend is emerging that could affect whether businesses decide to defend rather than settle: courts are showing increasing skepticism that wiretapping claims are as suitable for class treatment as plaintiffs’ lawyers suggest.

A federal court in the Northern District of California recently denied class certification in Ingraham v. Capital One Financial Corp., No. 24-cv-05985-TLT (N.D. Cal. June 16, 2026). The plaintiffs alleged that tracking technologies used on the defendant’s website enabled third parties to intercept users’ personal and financial data without consent. The plaintiffs’ claims survived an early motion to dismiss. But when it came time to certify a class, the court said no.

The Problem (for Plaintiffs): Too Many Individual Questions

To certify a class under Federal Rule of Civil Procedure 23(b)(3), plaintiffs must show that common questions “predominate” over individual ones. In internet tracking cases, that’s proving difficult. The Ingraham court identified three independent reasons why individual issues overwhelmed common questions:

1. Data transmission varied by user. Different tracking technologies collected different types of data. Browser settings and user behavior affected what was shared. Even the named plaintiffs couldn’t agree on what information had been transmitted about them.

2. Consent required case-by-case analysis. Consent is central to claims under the California Invasion of Privacy Act (CIPA) and the federal Electronic Communications Privacy Act (ECPA). But consent turns on each user’s subjective understanding of the disclosures—and class members were exposed to different privacy policies depending on factors like California residency.

3. Standing demanded individualized proof. Article III standing—the constitutional requirement that a plaintiff demonstrate actual injury—required a fact-intensive inquiry for each class member: what data was shared, how it was shared, for what purpose, and whether that data was truly private.

A Pattern Is Emerging

Ingraham is not an outlier. It joins Calhoun v. Google LLC (N.D. Cal. June 2025), which denied certification on consent grounds, and In re Meta Pixel Tax Filing Cases (N.D. Cal. Mar. 2026), which cited individualized standing and statute of limitations issues. A pattern is emerging: even where tracking claims survive dismissal, the individualized nature of consent, data transmission, and standing creates significant barriers to class treatment.

The Takeaway

Almost every day, a business is served with a demand letter or lawsuit asserting claims based on the business’s use of tracking technologies on its website. When deciding whether to litigate or settle, the Ingraham decision should factor into the risk-benefit analysis. Contrary to what plaintiffs’ lawyers may suggest, class certification is far from guaranteed in internet tracking cases—and that means plaintiffs have risk, too. They face the prospect of spending years litigating a case that, if not certified, may never be economically viable. A reasonable settlement should account for both the business’s and plaintiffs’ risks. For businesses that haven’t yet faced such litigation, Ingraham offers some reassurance, but it’s far from a free pass. Internet tracking claims regularly survive early motions to dismiss. And in most jurisdictions, a ruling on class certification won’t come until years into the litigation. Companies using third-party tracking tools should take proactive steps to avoid litigation in the first place: assess disclosure practices, evaluate what data is being shared, and work with qualified counsel to ensure privacy policies align with current legal expectations.

Federal prosecutors recently brought insider trading charges against numerous attorneys, who were previously employed at various prominent law firms. The indictments in United States v. Nourafchan, No. 1:26-cr-10115 (D. Mass. 2026) and United States v. Fejal, No. 1:26-cr-10133-LTS (D. Mass. Apr. 2026) allege that these attorneys tipped off third parties about confidential M&A deals brought in by their law firms, enabling the third parties to profit from securities trades based on the information.

As discussed in further detail below, these recent insider trading cases (1) may test the boundaries of the First Circuit’s ruling in United States v. Abdelaziz, No. 21-1878 (1st Cir. 2023), which held that disparate defendants unaware of one another cannot be charged in a single conspiracy; and (2) offer important lessons about insider threats, third-party risk management, and the limits of traditional cybersecurity programs in preventing misuse by trusted insiders.

The “Varsity Blues” Conspiracy Defense

The decision in United States v. Abdelaziz is relevant to a potential defense that the defendants in Nourafchan and Fejal could raise in response to the conspiracy allegations. In Abdelaziz, two parents were convicted at trial of conspiracy to commit fraud and bribery, among other offenses, as part of the broader “Varsity Blues” prosecutions—a series of federal cases that were brought against parents who allegedly bribed college officials to secure admission for their children. The defendants in Abdelaziz were charged alongside numerous other parents based on allegations that they participated together in a single overarching conspiracy.

The First Circuit vacated the conspiracy convictions, finding that the government failed to prove an overarching conspiracy. The First Circuit further held that similar conduct by individual, disparate defendants who were unaware of and indifferent to one another does not establish a single conspiracy, and that joining such defendants in one case created an unacceptable risk that the jury convicted them based on others’ conduct rather than their own.

Given that the cases in Nourafchan and Fejal are both before the same federal district court that presided over the underlying trial in Abdelaziz, and that both include conspiracy charges against defendants who were employed at different firms but engaged in similar conduct, the defendants may attempt to rely on the First Circuit precedent in Abdelaziz as a defense.

Insider Threats Are a Data Governance Issue

Regardless of whether a defense based on the First Circuit’s ruling in Abdelaziz is successful, the indictments in Nourafchan and Fejal also serve as an important lesson that unauthorized use of information does not always originate from phishing campaigns, ransomware incidents, or network intrusions by external threat actors.

Unauthorized disclosure by insiders poses many of the same risks as those that result from external compromises. For example, insider misuse can similarly expose key company information such as intellectual property, strategies, active litigation or regulatory investigations, trade secrets, financial information, and other confidential business records that could be used in a manner that harms a company and its reputation. Here, the alleged conduct in Nourafchan and Fejal has the potential to harm both the law firms and their clients—including through reputational damage, litigation exposure, and regulatory scrutiny.

Relatedly, the allegations in these cases are evidence that a law firm’s reputation, size, or brand is not a substitute for implementing third-party risk management controls to protect confidential information once it is shared. Instead of relying on a service provider’s reputation, companies should evaluate the actual access controls, monitoring capabilities, incident response procedures, and insider threat safeguards providers have implemented.

Conclusion

The significance of the insider trading allegations in Nourafchan and Fejal extends well beyond the criminal charges. On the legal front, these cases may test the reach of the First Circuit’s Abdelaziz ruling. On the operational front, the cases illustrate how information security failures can emerge not only from sophisticated external attacks, but also from individuals operating within systems that lack sufficiently granular access controls and monitoring mechanisms.

On June 4, 2026, Representatives Jay Obernolte (R-Calif.) and Lori Trahan (D-Mass.) released a 269-page bipartisan discussion draft called the “Great American AI Act” to seek feedback from experts, stakeholders, and the public before formally introducing the bill. The Great American AI Act would establish a national standard for governing artificial intelligence and would preempt state regulations targeting AI development for a period of three years. The framework aims to create uniform federal rules for AI, establish worker protections for whistleblowers, bolster U.S. AI research and development, and codify a Center for AI Standards and Innovation within the Commerce Department that would be tasked with developing voluntary guidelines, best practices, and standards for AI security. The draft proposal also imposes safety testing and independent auditing requirements and introduces transparency reporting obligations for certain AI companies.

On the Senate side, Marsha Blackburn (R-Tenn.) released a draft proposal in March 2026 called the “TRUMP AMERICA AI Act.” That proposal preempts state laws, rules, or regulations only to the extent they conflict with a provision of the Act. Among other things, the proposal requires a provider of a “high-risk artificial intelligence system” to undergo audits regarding viewpoint or political affiliation discrimination. The proposal also incorporates two bipartisan bills: the “Kids Online Safety Act,” which would require covered online platforms to implement tools and safeguards to protect users under the age of 17 against online harm, and the “NO FAKES Act,” which would hold AI companies liable for unauthorized use of a creator’s voice or visual likeness.

Taken together, the House and Senate proposals signal that momentum is building in Congress to act on federal AI legislation. However, significant hurdles remain regarding reaching a consensus on federal preemption and how aggressively to regulate AI development. Whether lawmakers can bridge the gap between the industry’s desire for regulatory clarity and the demand for meaningful accountability will determine if or when Congress finally passes a comprehensive AI framework.

Vermont recently passed a major update to its data broker law (HB 211), joining California and Texas as one of the few states with privacy laws targeting businesses that collect and sell consumer data. Here’s what businesses that collect consumer information and share it with third parties need to know:

  • Broader definitions – The law now captures more types of consumer data and narrows when a direct relationship with a consumer actually exists. Translation: more businesses may qualify as data brokers than before.
  • Affiliate exception – Sharing data with affiliates is now excluded from the definition of a sale, aligning Vermont with Texas. California remains the only data broker state without this carve-out.
  • Higher registration fees and steeper penalties – Vermont’s annual registration fee is now $900 (the highest among data broker states), and daily penalties for failing to register jump from $50 to $200 per day.
  • New consumer deletion rights – Businesses must now maintain a webpage where consumers can request deletion of their data, and those requests must be honored within 30 days.

The amendment is currently awaiting the governor’s signature. Once signed, it will significantly raise the stakes for businesses that qualify as a data broker under Vermont law.

Bottom line: If your company buys, sells, or shares consumer data, now is the time to assess your obligations under Vermont’s law (and similar laws in California and Texas).

A bipartisan coalition of 44 state attorneys general has formally objected to the House version of the Kids Internet and Digital Safety Act (H.R. 7757), urging congressional leaders to reject the legislation in favor of its Senate counterpart. The coalition sent a letter to key lawmakers arguing that the House bill undermines state enforcement authority and shields technology companies from meaningful accountability for harms to minors.

While H.R. 7757 is intended to strengthen protections for children and teenagers online, the coalition contends that the bill does the opposite. In their letter, the 44 attorneys general claim that the legislation would broadly preempt state consumer protection and privacy laws across multiple policy areas, while simultaneously permitting federal intervention in a way that could curtail states’ ability to enforce their own, often more stringent, regulatory frameworks.

The coalition also identified substantive gaps in the proposed legislation. Among other deficiencies, the attorneys general cited the absence of a comprehensive duty-of-care requirement that would obligate platforms to proactively mitigate risks to minors. They further noted that the bill offers insufficient protections related to age assurance mechanisms and fails to adequately address emerging technologies, including artificial intelligence tools, that could be exploited to target (and profit off of) children.

Instead, the coalition expressed its support for the Senate version of the legislation, the Kids Online Safety Act (S.B. 1748), whose approach the attorneys general consider superior because it strikes the appropriate balance of holding technology companies accountable without displacing existing state laws that may provide stronger consumer protections. The Senate version of the bill supported by the coalition preserves state enforcement authority, allowing attorneys general to continue pursuing actions against platforms that harm minors.

This opposition comes amid ongoing investigations by numerous state attorneys general into popular social media platforms accused of targeting and harming minors. The 44 signatories represent a geographically and politically diverse cross-section of the country, spanning states and territories from California and New York to Tennessee, South Carolina, and Wyoming, as well as the District of Columbia, American Samoa, and the U.S. Virgin Islands.

For technology companies operating platforms used by minors, the coalition’s position signals continued and potentially intensifying state-level regulatory and enforcement activity. This letter also underscores the importance of monitoring legislation and its interaction with existing obligations under the state privacy law patchwork.

Instagram now allows creators to tag products directly in Reels (short-form, vertical videos) using affiliate links and earn commissions on resulting purchases, marking parent company Meta’s most significant push into native social commerce to date. While this native affiliate tool presents a compelling commercial opportunity, it also introduces meaningful legal exposure across advertising compliance, intellectual property, and data privacy. Retailers that move quickly to establish robust compliance frameworks and updated contractual protections will be best positioned to capitalize on this shift while mitigating regulatory risk.

The Upshot

  • Retailers can now leverage creators as a performance-driven sales channel with outcome-based compensation tied to actual transactions.
  • The Federal Trade Commission’s (FTC) Endorsement Guides impose clear disclosure obligations on both creators and brands, and platform-provided labels like “Paid Partnership” do not satisfy those obligations on their own.
  • Companies must update influencer and affiliate agreements to address FTC compliance, indemnification, content monitoring, and intellectual property protections.
  • Data privacy considerations arise from Meta’s expanded visibility into consumer purchasing behavior linked to creator content and the retailer’s SKUs.

As retailers are no doubt seeing in their creator pipelines, Instagram has rolled out native affiliate links that let creators tag products directly in Reels and earn commissions on resulting sales. This marks Instagram’s second attempt at an affiliate program after sunsetting its previous experiment in 2022. The move is part of Meta’s broader strategy to capitalize on the social commerce market by embedding affiliate commerce directly into the content creation flow and keeping transactions and data within its ecosystem. Creators can tag up to 30 products per Reel using the new “Add Products” option, with tagged content appearing in Meta’s Partnership Ads Hub. When users tap on a tagged product, they are redirected to complete the purchase via the retailer’s app or mobile site. The feature is live in the United States, Brazil, India, Indonesia, and Thailand, with plans to expand to Instagram’s wider network of commerce markets.

Why This Matters for Retailers

Instagram’s native affiliate tools allow retailers to work directly within Meta’s ecosystem rather than negotiating with multiple third-party affiliate platforms. The platform effectively transforms the creator ecosystem into a decentralized, performance-driven sales force, aligning retailer marketing spend with actual sales rather than potential reach. This model threatens to displace third-party “link-in-bio” platforms like ShopMy and LTK. Retailers should anticipate a surge in shoppable creator content tied to their Stock Keeping Units (SKUs), which will require more rigorous compliance oversight and clearer internal approval gates.

Key Legal Considerations

  1. FTC Endorsement and Disclosure Requirements: The FTC’s Endorsement Guides, revised in June 2023, require that any “material connection” between an endorser and a marketer, including affiliate commissions, be disclosed clearly and conspicuously. The FTC expects disclosures in plain language (such as “ad” or “sponsored”), placed where they are hard to miss, and not buried in hashtags or behind “see more” buttons. Platform-provided tools like Instagram’s “Paid Partnership” label do not necessarily satisfy the creator’s independent disclosure obligation. Retailers bear significant responsibility here. The FTC has stated that companies cannot avoid liability by relying on affiliate marketers instead of conducting marketing in-house, and must have reasonable programs to train and monitor the creators they engage. Retailers should consider creating (or refreshing) a documented creator compliance program, including written disclosure guidelines, periodic training, sampling-based content audits, and a remediation playbook for non-compliant posts.
  2. Contractual Protections: As affiliate relationships become more decentralized, retailers should refresh their form influencer and affiliate agreements (and any creator-platform terms incorporated by reference) to address FTC disclosure compliance, truthful product representation, indemnification for violations of consumer protection laws, content monitoring and preapproval workflows, audit and takedown rights, termination for compliance failures, and scope limitations on product claims for regulated categories (e.g., health, beauty, financial services, children’s products). Retailers should also evaluate whether existing master services agreements with agencies and creator networks need to be amended to flow these obligations down to individual creators.
  3. Intellectual Property Considerations: Instagram’s earlier “Shop the Look” feature drew criticism for adding shopping links to creator content without permission, sometimes linking to cheap lookalike products rather than the actual items featured. Retailers should ensure their commerce catalogs are accurate and up to date, as tagged products must be registered as individual items in the verified commerce catalog to maintain correct pricing and availability. If that registration has not been completed, creators cannot tag a retailer’s products in their Reels regardless of their affiliate status. Retailers should also confirm that their trademark, copyright, and image-use licenses extend to creator-generated content surfaced through the affiliate tool, and that brand guidelines are reflected in creator onboarding materials.
  4. Data Privacy: Meta’s integration of affiliate commerce gives the platform unprecedented visibility into consumer purchasing behavior linked to creator content and retailer SKUs. Retailers should review Meta’s data-sharing practices and update their privacy notices, consent mechanisms, and vendor data-processing terms to address data flowing through affiliate transactions, with attention to state privacy laws such as the California Consumer Privacy Act (and the broader patchwork of state comprehensive privacy laws), the FTC’s evolving views on dark patterns and sensitive data, and international frameworks like the General Data Protection Regulation (GDPR) where the retailer operates abroad. Retailers should also assess whether affiliate-driven traffic triggers any new data subject rights workflows or Data Protection Impact Assessment (DPIA) obligations.

Conclusion

Instagram’s native affiliate tools are accelerating the shift of creator marketing from a brand-awareness exercise into a measurable, transaction-driven sales channel—with retailers sitting at the center of the resulting legal exposure. The retailers that come out ahead will be the ones that pair the commercial upside with disciplined contracting, a documented disclosure and monitoring program, accurate commerce catalogs, and a privacy posture that anticipates Meta’s expanding visibility into purchase behavior. Getting the legal foundation in place now, before enforcement activity and consumer claims catch up to the technology, will allow retailers to scale their creator programs with confidence rather than retrofit compliance under pressure.

Our Firm’s Capabilities

Ballard Spahr regularly counsels retailers on FTC advertising compliance, intellectual property protection, data privacy, and the structuring of commercial agreements for creator and affiliate programs. We are well-positioned to help retailers navigate this evolving landscape and have experience drafting compliant affiliate agreements and disclosure policies, refreshing form contracts, and conducting risk assessments of social commerce strategies. We welcome the opportunity to discuss how Instagram’s new affiliate tools may affect your company’s program.

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, the Colorado legislature passed SB 26-189 on May 9, 2026. The bill now awaits the governor’s signature and is expected to be signed into law; it would go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.” The bill also shifts compliance obligations away from broad governance and impact assessments and toward targeted consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

However, whereas the original AI Act contained conditional exemptions for some federally regulated entities, the new version has eliminated those exemptions—thereby bringing into scope many additional entities that have thus far avoided state regulation of ADMT.

A Long and Tortured History

Signed in May 2024, SB 24-205 was the nation’s first comprehensive state AI law. It imposed obligations on developers and deployers of “high-risk artificial intelligence systems” used in “consequential decisions”—including employment, housing, health care, insurance, education, lending, legal services, and essential government services. Key features included reasonable care requirements to avoid algorithmic discrimination, mandatory implementation of risk-management programs, impact assessments, consumer notices, correction and appeal rights, and enforcement by the Attorney General under the Colorado Consumer Protection Act. While there was no private right of action, many feared that there would be attempts to exploit alleged ambiguities for private litigation.

When Governor Polis signed the AI Act into law in 2024, he did so with reservations, asking the legislature to revisit the law during the 2025 session before it was scheduled to go into effect in February 2026. The legislature could not come to an agreement during the general 2025 session, and, during the 2025 special session, it could agree only to extend the law’s effective date to June 2026. 

In an effort to break the logjam, a working group consisting of lawmakers, the Governor’s office, the Attorney General’s office, and other stakeholders convened in fall of 2025, prior to the 2026 legislative session. The working group released its proposal on March 17, 2026, but even its members stated that the proposal needed further work. However, that proposal gave the legislature a new framework from which it could negotiate a consensus bill.

On May 1—with the close of the legislative session nearing—SB 26-189 was released. It moved quickly after introduction, advancing through the Senate Business, Labor, and Technology Committee, Senate Appropriations, the full Senate, House Judiciary, and House Appropriations, before the House passed it on third reading on May 9, 2026.

Key Updates in SB 26-189

For most businesses that operate as deployers of AI, SB 26-189 is meaningfully narrower than SB 24-205. Key differences include:

  • Scope of covered technology. SB 24-205 regulated “high-risk artificial intelligence systems,” while SB 26-189 focuses on “covered ADMT” that process personal data used to materially influence consequential decisions in sectors including employment, housing, lending, insurance, health care, education, and essential government services.
  • Eliminated Exemptions. Whereas the original AI Act had limited and conditional exemptions for various federally regulated entities, the new bill does not.
  • Governance obligations. SB 24-205 required broader reasonable-care, risk-management, impact-assessment, annual-review, and public-summary obligations for deployers. SB 26-189 shifts deployers’ obligations toward targeted disclosure, explanation, correction, and the right to request human review, although it still maintains the three-year record-retention obligations.
  • Litigation and enforcement risk. SB 26-189 makes clear that the Colorado AI Act does not create a private right of action, and it closes alleged ambiguities that some argued existed in the prior law. Nonetheless, companies can still be held liable for discrimination under existing laws.
  • Three-Year Cure Period. A 60-day right-to-cure provision allows developers and deployers to remedy violations before enforcement action—but this provision expires January 1, 2030.
  • AG Rulemaking. Unlike the original AI Act where rulemaking was permissive, rulemaking under the new bill is mandatory. Further, rulemaking must be completed by January 1, 2027.

What Businesses Can Do Now

Even though AG rulemaking is still to come, companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, and operational changes to implement consumer rights may take several months to execute. Further, based on the Attorney General’s approach to the Colorado Privacy Act rulemaking, we can expect that the rules will clarify, rather than change, the scope of the AI law.

In other words, after waiting years for these changes, we now face a sprint to the finish line.

On April 22, 2026, the House Energy & Commerce Committee released the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act seeks to establish a comprehensive federal framework for consumer privacy rights and the protection of personal data. Subject to certain exemptions, the SECURE Data Act applies to businesses subject to the FTC Act or common carriers subject to Title II of the Communications Act of 1934 that either (a) collect and process personal data of more than 200,000 consumers annually and have an annual gross revenue of $25 million or more, or (b) collect and process personal data of 100,000 consumers annually and “derive[] 25 percent or more of the[ir] annual gross revenue . . . from the sale of such personal data.” The SECURE Data Act’s framework will require operational changes for many businesses, including those already complying with state privacy laws. Below is an overview of several material provisions of the SECURE Data Act.

Consumer Privacy Rights

Section 2 of the SECURE Data Act grants consumers the right to access, correct, delete, and obtain a copy of their personal data. It further grants consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, and “[r]eliance on profiling to make a decision that had a legal or similarly significant effect on the consumer.” Controllers must establish and disclose in a privacy notice the means by which a consumer may submit a request to exercise these rights. 

Further, the SECURE Data Act prohibits controllers from processing sensitive data of a consumer without first obtaining the consumer’s consent.

Controller Data Use and Minimization Obligations

Section 3 of the SECURE Data Act requires controllers to provide a privacy notice to consumers that identifies, among other things, “[e]ach category of personal data processed by the controller,” “[e]ach purpose for processing personal data,” and “[e]ach category of personal data the controller shares with any other controller or any governmental entity.” Controllers also are required to disclose to consumers the sale of their personal data.

Section 3 further requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in relation to the controller’s disclosed data processing purposes. The SECURE Data Act also restricts the processing of personal data for purposes beyond those originally disclosed unless the controller first obtains the consumer’s consent.

State Preemption

The SECURE Data Act preempts all state laws that “relate[] to the provisions of this Act.” The SECURE Data Act, however, permits state attorneys general to bring civil actions on behalf of their residents in federal court to enjoin violations of the act, enforce compliance with the act, and seek damages and equitable relief.

Key Takeaways

The SECURE Data Act, if enacted, would represent a significant shift in the U.S. data privacy landscape by establishing a single federal standard that preempts the current patchwork of state privacy laws. Businesses that have already invested in compliance with state frameworks such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act, should evaluate whether their existing programs satisfy the SECURE Data Act’s requirements, particularly with respect to the data broker registration requirement, the data use and minimization obligations, and the consumer rights provisions.

The SECURE Data Act was introduced alongside proposed updates to financial privacy laws in the GUARD Financial Data Act – an effort to update the Gramm-Leach-Bliley Act’s longstanding notice-and-opt-out regime applicable to financial institutions’ handling of consumer financial data. See an article from Ballard Spahr’s Consumer Finance Monitor for more details: GLBA Modernization Legislation: Key Implications for Financial Institutions’ Data Practices.