The Five P’s: What Congress Gets Right on Data Protection but Needs Structure to Successfully Enable Privacy | American Enterprise Institute

https://www.aei.org/technology-and-innovation/technology-innovation/the-five-ps-what-congress-gets-right-on-data-protection-but-needs-structure-to-successfully-enable-privacy/

Publish Date: 2026-05-01 05:32:00

Source Domain: www.aei.org

The House Energy & Commerce Committee’s Privacy Working Group has introduced something rare in Washington: a privacy bill with real teeth. The Secure Data Act, unveiled on April 22, proposes a sweeping federal framework that would supersede the patchwork of state privacy laws that has bedeviled compliance officers and consumers alike for a decade. It includes consumer rights, data minimization, broker registration, and Federal Trade Commission enforcement authority.

Much of it is sensible. But reading the Act through the lens of how data breaches actually occur reveals a persistent blind spot that no amount of rulemaking has yet fully closed. The problem is not only that companies collect too much data; the deeper, costlier problem is that they collect it, store it carelessly, and then are surprised when it walks out the door. The fix can be organized around five foundational principles, which I’ll call the Five P’s of Privacy. Or, as I think of it, data security.

  • Provenance: Know where your data comes from and who has had access to it.
  • Purpose: Collect only what you can justify collecting.
  • Protection: Secure your data proportional to its sensitivity.
  • Privacy: Honor the consumer’s reasonable expectations.
  • Preparation: Assume breach and have a tested response plan.

Provenance. The question of data origin and lineage is where accountability begins. The Secure Data Act correctly requires controllers to disclose the categories of data they process and with whom they share it. Yet origin-tracking remains underdeveloped: disclosing categories of data is not the same as knowing, record by record, where each dataset came from and who has touched it since. When a breach occurs, organizations routinely discover data they didn’t know they had, sourced from vendors they barely remember onboarding. This is known as “vendor sprawl.” A chain-of-custody standard, analogous to what the US Food and Drug Administration requires for pharmaceutical supply chains, would force controllers to answer the simple question: do you know where all your data is? Most cannot…
