The Five P’s: What Congress Gets Right on Data Protection but Needs Structure to Successfully Enable Privacy

By Shane Tews

April 30, 2026

The House Energy & Commerce Committee’s Privacy Working Group has introduced something rare in Washington: a privacy bill with real teeth. The Secure Data Act, unveiled on April 22, proposes a sweeping federal framework that would supersede the patchwork of state privacy laws that has bedeviled compliance officers and consumers alike for a decade. It includes consumer rights, data minimization, broker registration, and Federal Trade Commission enforcement authority.

Much of it is sensible. But reading the Act through the lens of how data breaches actually occur reveals a persistent blind spot that no amount of rulemaking has yet fully closed. The problem is not only that companies collect too much data; the deeper, costlier problem is that they collect it, store it carelessly, and are then surprised when it walks out the door. Fixing that failure can be organized around five foundational principles, which I’ll call the Five P’s of Privacy, or, as I think of it, the Five P’s of data security.

  • Providence: Know where your data comes from and who has had access to it.
  • Purpose: Collect only what you can justify collecting.
  • Protection: Secure your data proportional to its sensitivity.
  • Privacy: Honor the consumer’s reasonable expectations.
  • Preparation: Assume breach and have a tested response plan.

Providence. The question of data origin and lineage is where accountability begins. The Secure Data Act correctly requires controllers to disclose the categories of data they process and with whom they share it. Yet origin-tracking remains underdeveloped. When a breach occurs, organizations routinely discover data they didn’t know they had, sourced from vendors they barely remember onboarding. This is known as “vendor sprawl.” A chain-of-custody standard, analogous to what the US Food and Drug Administration requires for pharmaceutical supply chains, would force controllers to answer the simple question—do you know where all your data is? Most cannot answer it honestly.

Purpose is addressed more directly in the Act’s data minimization provisions, which require that collection be “adequate, relevant, and reasonably necessary” for the disclosed purposes. For decades, the implicit corporate philosophy was the opposite: collect everything, store it forever, and figure out uses later. That posture, incentivized by cheap cloud storage and the gold-rush economics of behavioral advertising, is precisely what created the massive data reservoirs that now serve as targets for bad actors. The Act’s permitted-purposes framework is a meaningful corrective, but only if enforcement is credible. A 45-day right-to-cure provision is reasonable for technical violations; it borders on being too forgiving for companies that have systematically accumulated data they had no business collecting.

Protection is at the heart of the matter. The Act mandates “reasonable safeguards” and creates a rebuttable presumption of compliance for entities that follow recognized risk-management frameworks. This incentive structure is well-designed, with carrots before sticks. But “state-of-the-art” security, the standard referenced in the Act, means very different things to a Fortune 500 company and to a regional data broker with twelve employees. Codes of conduct approved by the Secretary of Commerce can help bridge that gap, but only if they are genuinely adopted and regularly audited, not merely signed and shelved.

Privacy. The individual’s right to control how their information is used receives the most detailed treatment in the Act: access, correction, deletion, portability, and the right to opt out of targeted advertising. These are real rights, meaningfully codified. The tiered protections for sensitive data and minors reflect appropriate legislative seriousness. The open question is whether consumers will use these mechanisms. The infrastructure for exercising them must be as frictionless as the infrastructure for surrendering consent currently is.

Preparation is the principle most conspicuously underemphasized in federal legislation. Breach response, incident rehearsal, and recovery planning are mentioned only obliquely in the security-safeguards language; there is no explicit mandate for tested response protocols. Given that the median time to detect a data breach is still measured in months, not days, a company that has never simulated a breach response is not secure. It is merely a company that has not yet been publicly embarrassed.

The Secure Data Act is a serious and largely welcome piece of legislation. It correctly identifies that the collection of personal data, without corresponding responsibility for its protection, has become a systemic risk to consumers, markets, and national security.

The Five P’s remind us that rules about what data you collect will always be incomplete without equally rigorous guidelines for what you do with it once you have it. The Secure Data Act addresses how data is collected. It must also address how dangerously easy it has become to do nothing until something goes wrong. The failure to protect data collected unnecessarily is not a technology problem. It is a governance problem, and governance problems require governance solutions. Congress has now begun the harder conversation.