Legis Daily

SECURE Data Act

USA | 119th Congress | HR-8413 | House | Updated: 4/21/2026
John Joyce

Republican Representative

Pennsylvania

Cosponsors (8)
Thomas H. Kean (Republican), H. Morgan Griffith (Republican), Nicholas A. Langworthy (Republican), Russell Fry (Republican), Jay Obernolte (Republican), Julie Fedorchak (Republican), Troy Balderson (Republican), Craig A. Goldman (Republican)

Judiciary Committee, Energy and Commerce Committee

This bill, titled the SECURE Data Act, aims to create a comprehensive national framework for consumer privacy rights and the protection of personal data. It applies to entities that conduct business in the U.S. or process data of U.S. residents, meeting specific thresholds for consumer data volume or revenue derived from data sales. The legislation defines key terms such as controller, processor, sensitive data, and data broker, setting the scope for its provisions.

Consumers are granted several core privacy rights, including the right to confirm data processing and access a copy of their personal data, correct inaccuracies, and delete their data. They also have the right to obtain their data in a portable format and to opt out of processing for targeted advertising, the sale of personal data, and profiling that leads to significant decisions. For sensitive data, explicit consent is required, with specific provisions for children and teens that necessitate parental consent.

Controllers must adhere to principles of data minimization, limiting data collection to what is adequate and necessary for disclosed purposes, and generally cannot use data for secondary purposes without consent. They are prohibited from discriminating against consumers for exercising their privacy rights and must provide clear, accessible privacy notices detailing data categories processed, purposes, and how to exercise rights. Disclosures are also required for data sales and targeted advertising. The bill mandates that controllers establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the data. Data brokers are required to register annually with the Federal Trade Commission (FTC) and post conspicuous notices on their websites, informing consumers how to exercise their privacy rights.

Processors must adhere to controller instructions and assist in meeting the Act's requirements, with contractual obligations for data processing procedures. Rules are established for deidentified and pseudonymous data, requiring controllers to take measures to prevent re-identification and publicly commit to not re-identifying such data. The bill also outlines a system for approving voluntary codes of conduct for controllers and processors, which can provide a rebuttable presumption of compliance with the Act.

The Secretary of Commerce is designated as the principal advisor for cross-border data flows and is authorized to enter into international agreements. Enforcement of the Act falls primarily under the jurisdiction of the Federal Trade Commission, treating violations as unfair or deceptive acts or practices. State Attorneys General are also empowered to bring civil actions on behalf of their residents. Both the FTC and State Attorneys General must provide a 45-day written notice and opportunity to cure alleged violations before initiating enforcement actions. The bill explicitly preempts state laws related to its provisions, creating a uniform national standard.

Several entities and types of data are exempted from the Act's applicability, including governmental entities, financial institutions subject to the Gramm-Leach-Bliley Act, and entities covered by HIPAA. The bill also clarifies its relationship with existing federal laws, stating it does not relieve obligations under statutes like COPPA or HIPAA, but repeals certain provisions of the Communications Act of 1934 related to personal data. The majority of the Act will take effect two years after enactment, with some sections becoming effective in one year.

Timeline
  • Apr 21, 2026: Introduced in House
  • Apr 21, 2026: Referred to the Committee on Energy and Commerce, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

Commerce
