H.R. 2508

119th CONGRESS 1st Session

To preempt State data security vulnerability mandates and decryption requirements.

IN THE HOUSE OF REPRESENTATIVES · March 31, 2025 · Sponsor: Mr. Lieu

Table of contents

• H.R. 2508
  • SEC. 1. Short title
  • SEC. 2. Preemption of State data security vulnerability mandates and decryption requirements

SEC. 1. Short title

• This Act may be cited as the or the .

SEC. 2. Preemption of State data security vulnerability mandates and decryption requirements

• (a) In general
  • A State or political subdivision of a State may not—
    • mandate or request that a manufacturer, developer, seller, or provider of covered products or services—
      • design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency or instrumentality of a State, a political subdivision of a State, or the United States; or
      • have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible using its product or service; or
    • prohibit the manufacture, sale or lease, offering for sale or lease, or provision to the general public of a covered product or service because such product or service uses encryption or a similar security function.
• (b) Definitions
  • In this section:
    • The term means any computer hardware, computer software, electronic device, or online service that— covered product or service
    • The term means a service provided over the internet that makes available to users— online service
    • The term means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.