As more states enact and expand their comprehensive privacy laws, small businesses must navigate an increasingly complex and fragmented regulatory landscape that pulls resources away from innovation, hiring, and growth. Against this backdrop, the House Energy and Commerce Committee Privacy Working Group recently released the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act, H.R. 8413), a consensus-based bill that would preempt state laws with a uniform national standard and establish a voluntary code of conduct framework for small businesses to implement effective privacy protections. Policymakers should pass the SECURE Data Act to give small businesses a clear, consistent framework to deliver meaningful privacy protections to their customers and compete in the digital economy.
Today, a growing number of state privacy laws are placing disproportionate compliance burdens on small businesses. To date, 22 states have adopted comprehensive privacy laws, each with its own set of definitions, consumer rights, enforcement mechanisms, and applicability thresholds. While these laws generally include applicability thresholds that carve small businesses out, recent amendments in some states have lowered those thresholds to capture more and more businesses. In 2025, for example, both Connecticut and Montana amended their laws to lower applicability thresholds and pull more businesses into scope. For founders and small teams, these continual shifts in the state privacy landscape mean navigating a regulatory map that is still being drawn in real time, while larger companies, which already meet these thresholds, can rely on a comparatively established, if still fragmented, patchwork. This dynamic compounds the strain on small businesses and forces them to divert limited time and resources towards monitoring state legislatures and understanding evolving compliance obligations.
The SECURE Data Act’s strong preemption provision would relieve small businesses of the burden of navigating this costly, complex patchwork. According to a 2025 economic and fiscal impact statement, the California Privacy Protection Agency estimated that small businesses could face initial compliance costs of $6,058 to $38,225 for proposed privacy regulations, while ongoing compliance costs could amount to $16,377 annually. More broadly, in a 2022 report, the Information Technology and Innovation Foundation estimated that a 50-state patchwork could cost small businesses up to $23 billion per year. By preempting related state laws such as the California Consumer Privacy Act, the bill would streamline compliance and eliminate the need for a developer operating across state lines to track legislative updates and repeatedly interpret new or expanding privacy rules. For small teams operating on shoestring budgets, the simplicity of a uniform national standard frees up time and resources to focus on scaling, not statutes.
Beyond establishing a uniform standard, the SECURE Data Act introduces a framework that would enable small businesses to turn privacy compliance into a competitive advantage. The bill sets up voluntary codes of conduct, through which small businesses could publicly self-certify compliance with an independently administered code of conduct that is cost-effective and appropriate for participants’ risks, sizes, and limitations. In return, they’d receive a rebuttable presumption of compliance with privacy protections. In practice, this offers small businesses a clear and credible way to demonstrate trustworthiness to potential clients and customers. In a B2B marketplace where larger companies routinely require vendors, processors, subcontractors, and service providers to meet certain privacy obligations, small businesses could use their public participation in a code of conduct as a standardized way to prove readiness and win contracts. In fact, in their 2026 Data and Privacy Benchmark Study, Cisco found that 96 percent of survey participants reported that external, independent privacy certifications influence vendor selection decisions. In a market where privacy expectations increasingly shape purchasing and vendor decisions, privacy certifications offer advantages that directly boost small businesses’ ability to compete.
Importantly, the SECURE Data Act’s code of conduct framework would also offer small businesses flexibility instead of imposing a one-size-fits-all compliance model. Because participation in a code of conduct would be voluntary, small businesses could assess whether an approved code aligns with their operations, customer base, and growth plans, and opt in accordingly. For businesses operating primarily in one state, this framework allows them to avoid implementing new federal obligations that do not reflect their customers’ expectations or operational requirements.
Finally, the SECURE Data Act would help small businesses better serve their customers and deliver on commitments to protect their privacy. ACT’s members want to protect their customers’ data, and the bill provides a strong framework, consistent with ACT’s Four Ps of Privacy, to do so. It would establish key consumer rights, including the rights to access, correct, delete, and port data, and the code of conduct structure would offer a practical path for implementing those protections effectively. By making strong privacy practices clearer and more accessible, the bill would enable small businesses to both meet consumer expectations and uphold consistent, high standards in data collection and processing.
The SECURE Data Act would replace today’s fragmented, costly privacy landscape with a uniform, workable standard that aligns with ACT’s priorities for federal privacy legislation, including strong preemption, protections against unauthorized access, no private right of action, and a practical path to compliance through the voluntary codes of conduct framework. By reducing compliance burdens and creating a scalable framework, it would allow small businesses to focus their time and resources on building, growing, and competing. Policymakers in the 119th Congress should pass the SECURE Data Act to support this growth, protect consumer privacy, and strengthen competition across the digital economy.