Why It Matters
A wave of data breaches, including an alleged theft of personal records belonging to 275 million students from the Canvas learning management system, has given fresh urgency to what has long been one of Washington's most elusive legislative goals: a single, enforceable federal privacy bill that applies to every American.
The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will hold a federal privacy legislation hearing on Wednesday, June 3, on H.R. 8413, the SECURE Data Act, a Republican-drafted comprehensive data security law that would, for the first time, establish uniform national rules governing how companies collect, use, and sell personal data. The bill would preempt all state privacy laws, including California's landmark CCPA, creating a single federal standard that could reshape data practices for virtually every American-facing business.
According to IAPP, the legislation "embodies the work undertaken by the Privacy Working Group established by Chairman Brett Guthrie (R-KY) in February 2025," meaning Wednesday's congressional hearing on privacy is the product of over 16 months of internal committee development. The bill was formally introduced on April 21, 2026, and referred simultaneously to the Energy and Commerce Committee and the House Judiciary Committee.
The data protection legislation would grant consumers the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising and data sales. Companies with annual revenue above $25 million that collect data on 200,000 or more consumers, or any company deriving 25% or more of its revenue from data sales, would be covered. Most provisions would take effect two years after enactment, with core consumer rights kicking in after one year.
A Senate companion bill, S. 4211, signals bicameral momentum. Its text states an "express intention of Congress to promote consistency in consumer expectations, competitive parity, and innovation through the establishment of a uniform Federal privacy framework" that preempts state law, the most politically explosive provision in either chamber's version.
Breaches as Backdrop
The privacy law examination is landing at an acutely uncomfortable moment for data-dependent industries. In early May, the hacking group ShinyHunters claimed to have stolen records on approximately 275 million users from Instructure's Canvas platform, the country's most widely used learning management system, in what Inside Higher Ed described as a "pay or leak" extortion scheme. Malwarebytes reported that the stolen data allegedly includes names, email addresses, enrolled courses, and private messages. The claims have not been independently verified or adjudicated, but the scale of the alleged breach (affecting students, teachers, and staff) has drawn significant attention.
The day before the hearing, BreachSense logged the Champaign-Urbana Public Health District as a new victim of the INC_RANSOM ransomware group. The HIPAA Journal's May 2026 breach roundup documented at least nine healthcare entities hit in a single month, including the University of Nebraska Medical Center and the World Trade Center Health Program. Together, these incidents illustrate precisely the enforcement gap the SECURE Data Act is designed to close: without a unified federal data security standard and breach notification requirement, victims navigate a patchwork of state rules that vary widely in their protections and timelines.
Who's in the Room
The federal privacy legislation hearing will be chaired by Rep. Gus Bilirakis (R-FL), with Rep. Russ Fulcher (R-ID) as vice chair and Rep. Jan Schakowsky (D-IL) as ranking member. Four of the bill's eight cosponsors - Reps. Russell Fry (R-SC), Tom Kean Jr. (R-NJ), Jay Obernolte (R-CA), and Craig Goldman (R-TX) - sit on the subcommittee, giving the legislation meaningful internal support. The lead sponsor, Rep. John Joyce (R-PA), is not a subcommittee member.
The bill has zero Democratic cosponsors, which is a notable departure from the bipartisan coalitions that have historically formed around privacy legislation, including the ill-fated American Data Privacy and Protection Act of 2022. That partisan gap will be on full display at the witness table. Kate Goodloe of the Business Software Alliance and Ashli Watts of the Kentucky Chamber of Commerce are expected to represent industry perspectives broadly supportive of a federal framework, particularly one that preempts the state-by-state compliance burden. Caitriona Fitzgerald of the Electronic Privacy Information Center (EPIC) is expected to press for stronger consumer protections. Tyler Bridegan of Womble Bond Dickerson rounds out the panel with a legal practitioner's perspective.
The Bottom Line
Federal preemption of state privacy laws is where the bill's political coalition gets complicated. California, Colorado, Virginia, and more than a dozen other states have enacted their own comprehensive privacy regimes. Industry broadly favors a single national standard over a growing patchwork. Consumer advocates and many Democratic members argue that federal preemption would effectively weaken protections in states that have moved further than Congress. That tension will define the fault lines at Wednesday's hearing and determine whether this federal privacy bill can move beyond the subcommittee level.
The IAPP's pre-hearing analysis, published five days before the session, described the SECURE Data Act as "the latest attempt to pass a comprehensive federal privacy bill," a framing that captures both the genuine legislative momentum and the long history of near-misses that precedes it.