SECURE Data Act: Langworthy Cosponsors Federal Bill That Would Preempt the New York Privacy Law the State Senate Just Passed
Rep. Langworthy is an original cosponsor of H.R. 8413, the SECURE Data Act, a federal consumer-privacy bill introduced April 21, 2026. The bill’s preemption clause (Section 15) would override any state law that “relates to” the federal framework. On June 3, 2026 — the same day a House subcommittee held its first hearing on H.R. 8413 — the New York State Senate passed S9088A, a data-broker registration and deletion bill, by a vote of 51 to 10. S9088A is precisely the kind of state law H.R. 8413 is designed to preempt. The federal bill contains no private right of action, meaning New Yorkers whose data is misused could not sue the company themselves; enforcement would run only through the FTC and state attorneys general. This is Rep. Langworthy’s fourth federal preemption initiative targeting New York State law in four months.
Why This Matters for NY-23
New York State has spent the last seven years building a layered framework of consumer-data protections: the SHIELD Act (2019), the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and now an active data-broker delete bill (S9088A) and a comprehensive New York Privacy Act (S3044). H.R. 8413 would replace that layered framework with a federal floor that is, by the California Privacy Protection Agency’s analysis, materially weaker on consumer rights — and would lock in that ceiling for New Yorkers regardless of what their state legislature decides.
The Bill and Langworthy’s Role
Bill: H.R. 8413 — Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (“SECURE Data Act”) Introduced: April 21, 2026 Sponsor: Rep. John Joyce (R-PA-13) Lead author / driving force: Although Joyce is the formal sponsor, the bill is widely characterized as the Guthrie-Joyce bill — Energy & Commerce Chair Brett Guthrie (R-KY) is identified as a co-author in the U.S. Chamber’s coalition support statement and in multiple industry-side legal analyses. Original cosponsors (8): Mr. Fry (SC), Mr. Kean (NJ), Mr. Obernolte (CA), Mr. Langworthy (NY-23), Mr. Goldman (TX), Mr. Griffith (VA), Mr. Balderson (OH), Mrs. Fedorchak (ND) Referred to: Energy & Commerce Committee; Judiciary Committee Hearing: Subcommittee on Commerce, Manufacturing, and Trade — June 3, 2026
Rep. Langworthy’s cosponsorship is verified directly in the GPO-authenticated introduced bill text:
“Mr. JOYCE of Pennsylvania (for himself, Mr. FRY, Mr. KEAN, Mr. OBERNOLTE, Mr. LANGWORTHY, Mr. GOLDMAN of Texas, Mr. GRIFFITH, Mr. BALDERSON, and Mrs. FEDORCHAK) introduced the following bill”
— H.R. 8413 (Introduced version), 119th Congress
Rep. Langworthy has not issued a press release explaining his cosponsorship. No statement on the bill appears on langworthy.house.gov as of June 6, 2026.
What the Bill Actually Does
The SECURE Data Act would create a single federal consumer-privacy framework and prohibit states from going further. Four structural choices matter most:
1. Federal preemption ceiling, not floor (Sec. 15)
Section 15 reads verbatim:
“No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.”
— H.R. 8413, Section 15, GPO-authenticated introduced text
This is a “relates to” preemption standard, which is the broadest preemption formulation in federal privacy law. It is structurally different from a federal floor (which would set a minimum and let states exceed it). The California Privacy Protection Agency, in its April 27, 2026 opposition letter, summarizes the effect:
“The preemption language in the SECURE Data Act is broad and seeks to preempt any state law that ‘relates to the provision of the Act.’ Removing the important rights and obligations provided under the CCPA and the Delete Act without providing equivalent protections, as this bill seeks to do, would be a significant step backwards for privacy.”
Note on quotation: CalPrivacy’s letter quotes the bill in the singular (“the provision of the Act”). The bill text uses the plural — “the provisions of this Act” — as shown verbatim above. The substantive point is unchanged either way.
2. No private right of action (Sec. 12)
Section 12 limits enforcement to (a) the Federal Trade Commission and (b) state attorneys general acting in parens patriae. There is no provision authorizing private civil actions by individuals.
Two additional design choices in Sec. 12 favor the regulated party over the consumer:
- 45-day right to cure (Sec. 12(c)). Neither the FTC nor a state AG may initiate any action until 45 days after providing the company written notice of the alleged violation. If the company cures within those 45 days, “there shall be no violation of this Act.”
- State AG subordination during federal action (Sec. 12(b)(3)(B)). If the FTC or U.S. Attorney General has filed a civil action, no state AG may bring an action against the same defendant for the same violation during the pendency of the federal case.
An individual New Yorker whose data is misused could not bring a lawsuit against the company on their own behalf under this Act. A private right of action remains the most consistently divisive provision in federal privacy debates.
3. Secretary of Commerce code-of-conduct mechanism (Sec. 8)
Companies may submit a “code of conduct” to the Secretary of Commerce for approval. Compliance with an approved code creates a rebuttable presumption of compliance with the Act — meaning a company operating under a Commerce-approved code starts in a legally favorable position when challenged. The Commerce Department, not the FTC, is the gatekeeper for this approval process. Section 8(e) further directs the Secretary to publish small-business codes of conduct within two years.
4. Applicability thresholds and exemptions (Sec. 13)
The Act applies only to entities that meet both a volume and a revenue threshold:
“(A) collects and processes personal data of more than 200,000 consumers annually … and has an annual gross revenue of $25,000,000 or more …; or (B) collects and processes personal data of 100,000 or more consumers annually … and derives 25 percent or more of the annual gross revenue of the person from the sale of such personal data.”
— H.R. 8413, Section 13(a)(2), GPO-authenticated introduced text
Sec. 13(b) further exempts: federal/state/local government entities and their processors; financial institutions subject to Gramm-Leach-Bliley; HIPAA-covered entities and business associates; and nonprofits (including anti-fraud nonprofits).
5. Federal-law carveouts that stay (Sec. 14)
Section 14 explicitly preserves obligations under: COPPA (child online privacy), Gramm-Leach-Bliley (financial), HIPAA and HITECH (health), the Fair Credit Reporting Act, FERPA (student records), the federal substance-use confidentiality rule, and the federal regulations on protection of human research subjects. These sectoral federal regimes continue to apply alongside H.R. 8413.
How H.R. 8413 Would Affect New York Specifically
New York has built its consumer-data protection in layers — and has more legislation actively in motion. The table below maps each New York law or pending bill against H.R. 8413’s preemption clause.
Current New York Law
| New York Law | What It Does | Status Under H.R. 8413 |
|---|---|---|
| SHIELD Act (2019) — GBL § 899-aa, § 899-bb | Data breach notification; requires “reasonable safeguards” for private information; AG enforcement up to $250,000 for failed notification, $5,000 per safeguard violation | Breach notification and security-safeguard provisions likely partially preserved; any provisions interpreted as “relating to” the federal Act would be preempted |
| NY DFS Cybersecurity Regulation — 23 NYCRR 500 | Requires financial-services companies to maintain a cybersecurity program | Likely preserved — Sec. 13(b)(3) exempts GLBA financial institutions; Sec. 14 carves out GLBA obligations |
| NY GBL § 349 — Deceptive Acts and Practices | Allows individual New Yorkers to sue companies for deceptive practices, including some data-related deception | Likely preserved as general consumer-protection law, not “relating to” the federal privacy Act — but this question would be litigated |
Pending New York Legislation
| New York Bill | What It Would Do | Status as of June 6, 2026 | Status Under H.R. 8413 |
|---|---|---|---|
| S9088A (Gonzalez) — Data Broker Registration and Deletion | Requires data brokers to register with the NY Attorney General; creates a single statewide deletion mechanism; civil penalties | Passed NY Senate June 3, 2026 (51-10) — currently in Assembly Consumer Affairs and Protection Committee | At significant risk of preemption. The CalPrivacy Protection Agency lists NY S9088 (footnote 14) among the state data-broker delete bills that parallel California’s Delete Act — the law CalPrivacy says H.R. 8413 would override. Whether S9088A’s deletion-mechanism provisions “relate to” the federal Act’s data-broker registry (Sec. 5) would be litigated |
| S3044 (Gonzalez) — New York Privacy Act | Comprehensive privacy law: consent before processing, access, correction, deletion, opt-out of sale and targeted advertising, private right of action | In Senate Internet & Technology Committee (committee vote 6-1 in favor May 27, 2025) | Substantively preempted. The private right of action — the most consequential difference from H.R. 8413 — would be eliminated for New Yorkers |
What This Means in Practice
The California Privacy Protection Agency’s opposition letter walks through specific provisions of California’s CCPA and Delete Act that would be eliminated under H.R. 8413. The same logic applies to New York’s pending legislation:
No global opt-out signal requirement. H.R. 8413 does not require businesses to honor browser-based opt-out preference signals (OOPS). Instead, Sec. 10 directs the Secretary of Commerce to conduct a study on “universal opt-out mechanisms.” New York’s pending NYPA would require honoring opt-out signals — that requirement would not survive preemption.
No centralized data-broker deletion mechanism. H.R. 8413 establishes a data-broker registry with minimal disclosure requirements but does not create a one-stop deletion tool. New York’s S9088A specifically creates that mechanism — and would be preempted.
Privacy requests are capped at two per year free of charge. Sec. 2(d)(3)(A) provides that “a consumer may submit to each controller 2 requests … related to such consumer privacy right in a year free of charge.” Sec. 2(d)(3)(B) permits a controller to charge a fee — or refuse the request as “manifestly unfounded” — for additional requests. The CCPA does not cap free requests; New York’s pending NYPA does not either.
Weaker data minimization. H.R. 8413 limits data minimization to collection only; the CCPA and the pending NYPA apply it to collection, use, retention, and sharing.
No private right of action. This is the most consequential difference. Under New York’s pending NYPA, an individual New Yorker whose data is misused could sue. Under H.R. 8413, they could not.
The Timing: NY Senate and U.S. House Acted on the Same Day
| Date | Event |
|---|---|
| April 21, 2026 | H.R. 8413 introduced in U.S. House. Langworthy cosponsors. |
| April 27, 2026 | California Privacy Protection Agency issues formal opposition letter. |
| May 29, 2026 | NY S9088 amended (S9088A); recommitted to Consumer Protection. |
| June 3, 2026 | U.S. House Subcommittee on Commerce, Manufacturing, and Trade holds hearing on H.R. 8413. NY State Senate passes S9088A 51-10. |
| June 4, 2026 | NY S9088A delivered to Assembly Consumer Affairs and Protection Committee. |
A New York consumer-protection bill cleared the State Senate on the same day Rep. Langworthy’s federal preemption bill received its first congressional hearing.
Industry Coalition Behind H.R. 8413
Fifty-seven business associations signed onto a coalition statement organized by the U.S. Chamber of Commerce supporting H.R. 8413. The list spans every major data-using industry — including the trade associations representing the platforms, ad-tech firms, data brokers, and retail loyalty programs that would be subject to the federal framework. The sector table below groups representative signatories by sector; the complete 57-signatory list (including additional groups like AdvaMed, American Resort Development Association, American Staffing Association, Association of Test Publishers, and the 21st Century Privacy Coalition not shown in the sector summary) is at the U.S. Chamber URL in Sources.
| Sector | Trade Associations Supporting H.R. 8413 |
|---|---|
| Technology / Internet platforms | NetChoice, BSA (Business Software Alliance), CTA (Consumer Technology Association), CCIA (Computer & Communications Industry Association), ITI (Information Technology Industry Council), SIIA, TechNet, Chamber of Progress, ACT (Association for Competitive Technology), Entertainment Software Association, XR Association |
| Advertising / Marketing / Data | Association of National Advertisers, American Advertising Federation, 4A’s (American Association of Advertising Agencies), Digital Advertising Alliance, Network Advertising Initiative (NAI), Privacy for America, Insights Association, Main Street Privacy Coalition |
| Telecom / Broadband / Cable | NCTA—The Internet & Television Association, USTelecom, CTIA, INCOMPAS |
| Retail / Hospitality / Restaurants | National Retail Federation, Retail Industry Leaders Association, FMI—The Food Industry Association, National Association of Convenience Stores, American Hotel and Lodging Association, National Restaurant Association, International Franchise Association |
| Finance / Insurance / Real Estate | American Financial Services Association, American Council of Life Insurers, Insured Retirement Institute, National Association of REALTORS, American Land Title Association, Electronic Transactions Association |
| Manufacturing / Auto / Energy | National Association of Manufacturers, Alliance for Automotive Innovation, American Petroleum Institute, Energy Marketers of America, National Electrical Manufacturers Association |
| General business | U.S. Chamber of Commerce, Business Roundtable, Small Business & Entrepreneurship Council |
The full list is published at the U.S. Chamber’s website. The Association of National Advertisers issued a separate endorsement on April 23, 2026.
Public Opposition
| Organization | Position | Source |
|---|---|---|
| California Privacy Protection Agency | Formal opposition letter, April 27, 2026 — itemizes preempted state protections | CPPA letter to E&C |
| Electronic Privacy Information Center (EPIC) | Testimony opposing the bill at June 3 hearing (witness: Caitriona Fitzgerald, Deputy Director). Per hearing coverage, EPIC’s position was that the bill’s data protections “are weak and do not go far enough.” | Hearing coverage; verbatim oral testimony to be cited from the official hearing transcript once posted |
| The Leadership Conference on Civil and Human Rights | Letter opposing the bill | civilrights.org |
| Rep. Frank Pallone (D-NJ), E&C Ranking Member | Statement characterizing the bill as “assembled from industry-friendly state privacy laws … pushed by Big Tech” (full text via E&C Democrats press release) | democrats-energycommerce.house.gov |
The Pattern: Fourth Federal Preemption Initiative Since February 2026
This is the fourth federal preemption initiative Rep. Langworthy has introduced, cosponsored, or signed since February 2026, each targeting a state law (most often a New York State law):
| Bill / Action | Date | State Law Targeted | Industry Coalition |
|---|---|---|---|
| Energy Choice Act (H.R. 3699) | Cmte passage Dec 3, 2025; rollout push Feb 2026 | NY All-Electric Buildings Act | 70+ fossil fuel, propane, home-builder groups |
| Dietary Supplement Regulatory Uniformity Act (H.R. 7366) | Introduced Feb 4, 2026 | NY supplement-to-minors ban (S5823C) | NPA, CRN, AHPA, CHPA |
| AI Regulation Letter to Commerce Secretary | Feb 19, 2026 | NY RAISE Act; Colorado AI Act | Tech industry (Microsoft, Google, Meta, Amazon) |
| SECURE Data Act (H.R. 8413) — this entry | Cosponsored April 21, 2026 | NY S9088A (data brokers); NY S3044 (NY Privacy Act); SHIELD Act provisions | 57 trade associations |
See Federal Preemption Pattern: Three Bills, One Playbook for the earlier three.
Donor Footprint
$270,500 across 21 PACs whose organizations signed the SECURE Data Act endorser-coalition letter have contributed to Rep. Langworthy’s two campaign committees (Langworthy for Congress C00817932; Langworthy Congressional Victory Cmte C00832188) across the 2024 and 2026 cycles.
This is documented from FEC bulk pas2 24/26 files, joined to the FEC committee master (cm.txt), filtered to contributions where the candidate ID (H2NY23228) or one of the two committee IDs above is the recipient.
By Sector
| Sector (alignment with SECURE Data Act coalition) | Total | PACs |
|---|---|---|
| Telecom / ISP / Cable (NCTA, USTelecom, CTIA members) | $121,000 | Charter Communications PAC ($35K), Cox Enterprises PAC ($25K), Comcast/NBCUniversal PAC ($16K), Verizon PAC ($14K), AT&T Employee PAC ($12K), NCTA—The Internet & Television Association PAC ($13K), T-Mobile T-PAC ($6K) |
| Retail / Hospitality / Franchise / Convenience (NRF, RILA, Restaurant Assn, IFA, AHLA, NACS, NAR members) | $77,000 | International Franchise Assn PAC ($24K), National Assn of Realtors PAC ($18K), Walmart PAC ($16K), National Restaurant Assn PAC ($15K), American Hotel & Lodging PAC ($4K), National Assn of Convenience Stores PAC ($4K) |
| Oil / Energy (API + Energy Marketers signed the letter) | $61,000 | Marathon Petroleum Employees PAC ($20K), Chevron Employees PAC ($20K), ExxonMobil PAC ($12K), Energy Marketers of America Small Business Cmte PAC ($9K) |
| Big Tech direct (Google’s PAC + BSA’s PAC) | $3,500 | Google LLC NETPAC ($2K), BSA Business Software Alliance Inc. PAC ($1.5K) |
| Subtotal — Coalition members | $270,500 | 21 PACs |
Per-PAC contribution caps and party-line patterns matter here. Each PAC’s federal contribution to a single candidate per cycle is capped at $5,000. The Charter PAC’s $35K, for example, reflects 12 separate $5,000-or-less transactions across multiple election cycles and primary/general elections, not a single special-occasion transfer. These PACs give to many House Republicans on the Energy & Commerce committee, not exclusively to Langworthy.
What this means
This is not a documented quid-pro-quo with Big Tech corporate PACs. Meta, Amazon, Microsoft, Apple, Oracle, and Salesforce corporate PACs have given Langworthy’s committees zero dollars. Google’s NETPAC contribution is small ($2,000, from November 2023) and predates H.R. 8413 by more than two years.
What it is is a documented financial alignment with the broader coalition behind the bill — particularly the cable/telecom/ISP industry organized through NCTA—The Internet & Television Association, which co-signed the support letter and whose member PACs have contributed $121,000 to Rep. Langworthy.
Methodology
Query: pas224.txt and pas226.txt, filtered where OTHER_ID IN (C00817932, C00832188) OR CAND_ID = H2NY23228, joined against cm24.txt/cm26.txt for committee names. Sector classification done by hand against the U.S. Chamber’s published SECURE Data Act endorser-coalition list. Pre-2024 cycle data not included in this scan — the historical pattern would show additional totals from the 2022 cycle when Langworthy first ran for this seat. 2026 Q2 PAC transfers (covering April-June 2026 activity, which would include any direct industry response to the H.R. 8413 cosponsorship) are not yet filed; the next FEC quarterly report is due July 15, 2026. This entry will be updated when that data lands.
What Rep. Langworthy Has Said About Federal Preemption of New York Law
From his February 2026 introduction of the Dietary Supplement Regulatory Uniformity Act:
“New York is notorious for baseless overregulation that burdens small businesses without making anyone safer or improving public health.” — Rep. Langworthy press release, February 4, 2026
From his February 2026 letter to Commerce Secretary Lutnick on the New York RAISE Act:
State AI regulations create a “patchwork of conflicting state laws” that “poses risks to U.S. competitiveness.” — Evans/Langworthy joint letter, February 19, 2026
H.R. 8413 fits the same rhetorical frame. The bill’s supporters describe state privacy laws as a “patchwork” that creates regulatory uncertainty for business. The CalPrivacy Protection Agency, which administers California’s data-broker delete law, has the strongest counter on the record: the state-by-state laws being criticized as a “patchwork” are providing protections that the federal replacement explicitly removes.
Questions This Raises
The NY State Senate passed S9088A 51-10 on the same day Rep. Langworthy’s federal bill received its first congressional hearing. Has Rep. Langworthy stated whether he believes New York State should be permitted to enact its own data-broker delete law if the SECURE Data Act becomes federal law?
The bill contains no private right of action. Has Rep. Langworthy stated a position on whether individual New Yorkers should retain the ability to sue companies that misuse their personal data?
The bill creates a Secretary of Commerce “code of conduct” approval mechanism that produces a rebuttable presumption of compliance. Under what circumstances should an executive-branch department — rather than a court or independent regulator — be the gatekeeper for whether a privacy law has been complied with?
Rep. Langworthy has not issued a press release on his cosponsorship of H.R. 8413. What would he tell NY-23 constituents whose privacy protections under the SHIELD Act, the pending NYPA, and S9088A would be partially or wholly preempted?
The endorser coalition includes every major tech, ad-tech, telecom, and data-broker trade association. No consumer-advocacy organization signed the support letter; the public opposition is from a state privacy regulator (CalPrivacy), a civil-rights coalition (Leadership Conference), and a privacy advocate (EPIC). When industry and consumer advocates split this cleanly on a “consumer protection” bill, which side is reflecting the consumer interest?
Related Fact-Checks
- Federal Preemption Pattern: Three Bills, One Playbook — the earlier three preemption initiatives (Energy Choice, Dietary Supplements, AI letter)
- Energy Choice Act: What the Bill Does, Who Supports It, and What It Leaves Out — the template for industry-coalition + preemption analysis
Sources
Bill Text and Status (Primary):
- H.R. 8413 introduced version — GPO PDF — GPO-authenticated; names Langworthy as original cosponsor
- H.R. 8413 introduced version — GPO XML — machine-readable, bioguide IDs encoded
- Congress.gov — H.R. 8413
- House Energy & Commerce — hearing notice, June 3, 2026
- House Energy & Commerce — post-hearing summary
New York State Legislation (Primary):
- NY S9088A — bill text and action history — passed NY Senate 51-10, June 3, 2026
- NY S3044 — New York Privacy Act, 2025-2026 session
- NY SHIELD Act — Attorney General resource page
Opposition Analyses (Primary):
- California Privacy Protection Agency — opposition letter, April 27, 2026
- CalPrivacy press release on opposition letter
- Leadership Conference on Civil and Human Rights — letter opposing
- Rep. Pallone (E&C Ranking Member) — statement
Industry Coalition (Primary):
- U.S. Chamber of Commerce — support letter for H.R. 8413
- U.S. Chamber of Commerce — coalition welcome statement
- BSA — welcome statement
- Digital Advertising Alliance — endorsement
Background Analysis:
- IAPP — SECURE Data Act analysis
- Hunton/Andrews Kurth — privacy law blog analysis
- Epstein Becker Green — analysis
Campaign Finance (Primary):
- FEC bulk data:
indiv22.txt,indiv24.txt,indiv26.txt,pas224.txt,pas226.txt— committees C00817932 (Langworthy for Congress) and C00832188 (Langworthy Congressional Victory Cmte)
This entry documents publicly available legislative records, bill text, the GPO-authenticated introduced version of H.R. 8413, the New York State Senate’s official action history on S9088A, formal letters from regulators and advocacy organizations, and FEC bulk campaign finance data. Where a finding is conservative or incomplete — particularly on industry-lobbying disclosures, which will not be filed until late July 2026 — this is stated explicitly in-line.
Last updated: June 6, 2026