The Association of National Advertisers today endorsed the SECURE Data Act, a House Republican bill introduced on April 21, 2026, that would replace all US state privacy laws with a single federal framework. The trade group, whose members collectively control the majority of US advertising expenditure, said the legislation represents the most viable path to a national consumer privacy standard - and explicitly framed its support around the economic weight of the advertising industry.

"This legislation charts the best path to a national privacy standard by building on the common bipartisan framework that has already been signed into law by more than 20 states," according to the Association of National Advertisers. The statement, communicated on April 22, 2026, went on to say the legislation "establishes a comprehensive national policy that protects all Americans without jeopardizing the 29 million U.S. jobs supported by advertising."

The figure is not incidental. The ANA's decision to anchor its public endorsement in a specific employment number signals a deliberate strategy: frame federal preemption not merely as a compliance convenience but as a structural protection for a significant portion of the American workforce. Whether that framing proves persuasive in Congress will depend on how skeptical members weigh the jobs argument against concerns from state attorneys general who stand to lose enforcement authority.

The bill and its sponsors

The SECURE Data Act - formally the "Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act" - was introduced by Representative Joyce of Pennsylvania on April 21, 2026, during the 119th Congress, 2nd Session, and referred to committee on the same date. As PPC Land reported, the bill creates a national framework for consumer privacy rights through five core consumer rights: access, correction, deletion, portability, and opt-out from targeted advertising, the sale of personal data, and automated profiling with legal consequences.

The ANA statement credited "the diligent efforts of Chairman Guthrie, Vice Chairman Joyce, and all of the participants in the data privacy working group" for producing what it described as "this common-sense standard." The organisation said it looks forward "to working together to strengthen and advance this legislation, so Americans in every state have the same robust protections under federal law."

Why the patchwork problem matters to advertisers

To understand why the ANA moved quickly to back the bill, it helps to trace what the existing compliance environment actually looks like for a national advertiser. At the start of 2025, fourteen US state privacy laws were already enforceable, with six more added throughout the year. Each state carries distinct definitions of "sale" and "sharing" of personal data, separate consent requirements, different opt-out mechanisms, and varying effective dates. Indiana, Kentucky, and Rhode Island added their own frameworks effective January 1, 2026.

The result is a compliance infrastructure that has grown in cost and complexity with every new state law. Data processing contracts must be customised. Privacy notices must reflect jurisdiction-specific language. Consent management platforms must route signals according to the applicable state framework. Google, for its part, has had to implement Restricted Data Processing mode across an expanding list of states and has rolled out Universal Opt-Out Mechanism support to eight additional states as of June 2025. None of that overhead disappears without federal legislation that preempts the state regimes entirely.

The SECURE Data Act addresses exactly that problem. Section 15 of the bill states plainly that no state may "prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law" relating to the provisions of the Act. This is total preemption - a federal ceiling, not a floor. For advertisers and ad tech vendors, a single national standard means one set of consent requirements, one definition of targeted advertising, one threshold for what constitutes a data broker, and one enforcement regime.

The 20-state bipartisan argument

The ANA's specific framing - that the bill "builds on the common bipartisan framework that has already been signed into law by more than 20 states" - is a notable rhetorical choice. Rather than asking Congress to write a privacy law from scratch, the argument runs, the SECURE Data Act is codifying something that already has widespread acceptance among state elected officials across the political spectrum. That framing is designed to blunt the objection that federal preemption disregards state-level democratic processes. If over 20 states have already adopted compatible frameworks, the argument goes, Congress is standardising an existing consensus rather than overriding it.

The architecture of the bill reinforces this reading. Its definitions of sensitive data, consent, and controller obligations borrow heavily from the wave of state laws enacted since Virginia's Consumer Data Protection Act in 2021. The definition of consent - "a clear affirmative act that signifies the freely given, specific, informed, and unambiguous agreement by a consumer" - maps closely to both Virginia and Colorado frameworks, as well as to GDPR's consent standard. No pre-checked boxes. No inferred consent from continued service use. These are not novel concepts invented by House Republicans; they are the settled vocabulary of the state laws already on the books.

What the bill means for the ad tech ecosystem

The SECURE Data Act's treatment of targeted advertising has specific implications for programmatic advertising professionals. The bill defines targeted advertising as displaying an ad selected based on personal data obtained from a consumer's activities "over time and across nonaffiliated websites or online applications." Critically, contextual advertising is excluded - as are ads responding to a consumer's own search query and, notably, processing data "solely for measuring or reporting advertising or content performance, reach, or frequency, including independent measurement."

That last carve-out matters to publishers and audience measurement vendors. Under the bill, reach and frequency reporting, attribution, and independent measurement are not classified as targeted advertising and therefore do not trigger opt-out obligations. That is a more permissive treatment than some state laws, where the definitions of "sharing" personal data can sweep in measurement activities that platforms argue are essential to advertiser accountability.

The data broker provisions are more operationally demanding. The bill defines a data broker as a controller that collects and processes personal data about consumers who are not customers or subscribers, and that derives 50 percent or more of annual gross revenue from the sale of that data. Within 12 months of enactment, data brokers must register with the FTC and disclose, among other things, a description of each category of personal data sold, whether a purchaser credentialing process exists, and any unauthorised access incidents reported to a federal or state authority in the prior year. Within 18 months, the FTC must establish a publicly searchable central registry of registered data brokers. The FTC's existing guidance on data practices has already indicated a broad and expansive view of what constitutes privacy-implicating conduct; the registry requirement would give that view legislative grounding.

For identity resolution vendors, audience extension networks, and matching platforms, whether they meet the 50 percent revenue threshold will be a critical threshold to assess. Many companies operating in the programmatic supply chaintouch personal data about non-customers, but the revenue composition test narrows which ones are formally classified as data brokers under this bill.

Enforcement and the state attorney general question

The bill splits enforcement between the FTC and state attorneys general. The FTC retains primary federal authority; state AGs can bring actions under the federal framework. What they cannot do is enforce their own, separate state privacy statutes - those are preempted.

That distinction is not academic. California's privacy enforcement has been among the most active in the country. The state secured a $1.55 million settlement with Healthline Media in July 2025, followed by a $1.4 million settlement with mobile gaming company Jam City in November 2025. Both settlements were reached under the California Consumer Privacy Act. Under total federal preemption, California's attorney general would lose the ability to bring CCPA actions - gaining only the ability to enforce the federal Act alongside the FTC. Whether federal enforcement would match California's pace and ambition is a genuinely open question, and one that privacy advocates are likely to press during the bill's committee consideration.

The bill's consent standard for sensitive data - which covers racial and ethnic origin, religious belief, mental or physical health diagnoses, sexual orientation, immigration status, genetic and biometric data, precise geolocation data (within 1,750 feet), and data collected from children and teens - requires affirmative consent before processing. For health publishers and location-based advertising, that requirement replicates the enforcement logic California applied in the Healthline case, where sharing article titles suggesting medical diagnoses with advertisers was the specific conduct sanctioned. A federal standard would apply that same logic nationally, rather than leaving it to state-by-state enforcement.

Children and teens

Children under 13 retain COPPA protections that the bill explicitly preserves. Teenagers - defined as those aged 13 through 15 - receive additional treatment: a controller may not process their sensitive data without verifiable parental consent. The bill does not replace COPPA but sits alongside it, and for advertisers operating services with mixed age audiences, the interaction between the bill's teen category and COPPA's under-13 framework creates a compliance layer that will require legal review. The FTC published comprehensive COPPA amendments in April 2025 with a compliance deadline of April 22, 2026 - the same date as the ANA's endorsement statement. The overlap is a reminder that federal children's privacy obligations are already expanding independently of the SECURE Data Act.

Processor obligations and supply chain contracts

The bill distinguishes controllers from processors - entities that handle data on a controller's behalf. Processor contracts must specify instructions, the nature and purpose of processing, the type of personal data involved, the duration, and the rights and obligations of both parties. Each person handling personal data must be bound by a duty of confidentiality. If a processor engages a subcontractor, those same obligations flow down through the subcontract. The rule of construction is explicit: nothing in the processor section relieves a controller or processor from liability for a processing role.

For ad tech vendors operating as processors under large publisher or advertiser contracts, this supply-chain liability structure is familiar from GDPR Article 28 and from the state laws that have adopted similar processor obligations. What changes is the breadth of applicability: if enacted, the bill would apply this framework to any company subject to the FTC Act that meets the bill's thresholds, which are set by annual revenue and volume of data processed.

The ANA's position in context

The ANA is not the only advertising industry voice, but it is among the most influential. Its membership spans the largest national advertisers across consumer goods, retail, financial services, and technology. An endorsement from the ANA at the point of a bill's introduction, rather than during committee markup, signals that the organisation intends to invest political capital in the legislation's passage. The statement explicitly called out the bill's lead sponsors - Chairman Guthrie and Vice Chairman Joyce - by name, suggesting direct coordination with the House committee working group that developed the draft.

What the ANA did not address directly is the preemption question. The statement praised the bill for "codifying an approach that's endorsed by state elected officials across the political spectrum" but made no mention of how total preemption interacts with California, which has a significantly more aggressive privacy enforcement regime than the 20-state baseline the ANA is invoking. That omission is likely deliberate. Highlighting preemption as a benefit to the advertising industry in the same breath as invoking consumer protection would complicate the political messaging. The jobs argument - 29 million workers - provides cleaner political terrain.

Whether the SECURE Data Act advances through the 119th Congress will depend on factors well beyond industry endorsement: the Senate's appetite for preempting state privacy regimes, the White House's position, and the degree to which privacy advocates, state attorneys general, and consumer groups mount organised opposition. The ANA has placed its marker early. The committee process will determine whether the bill's bipartisan framing holds.

Timeline

Summary

Who: The Association of National Advertisers (ANA), a major US advertising industry trade group, issued a formal endorsement statement. The bill was introduced by Representative Joyce of Pennsylvania, with Chairman Guthrie and Vice Chairman Joyce leading the House data privacy working group.

What: The ANA endorsed the SECURE Data Act, a House Republican bill that would establish a single national consumer data privacy framework, preempting all existing and future state privacy laws. The ANA's statement cited 29 million US jobs supported by advertising and praised the bill's bipartisan foundations across more than 20 states.

When: The SECURE Data Act was introduced on April 21, 2026, and referred to committee on the same date. The ANA's endorsement statement was issued on April 22, 2026.

Where: The legislation was introduced in the US House of Representatives during the 119th Congress, 2nd Session. Enforcement under the bill would fall to the Federal Trade Commission and state attorneys general operating under federal authority.

Why: The ANA backed the bill because it would replace a patchwork of more than 20 state-level privacy regimes with a single national standard, reducing compliance costs and legal complexity for advertisers and ad tech vendors. The organisation also argued the legislation protects the 29 million US jobs tied to the advertising industry, framing federal preemption as an economic protection as well as a regulatory simplification.

Share this article
The link has been copied!