The ENCRYPT Act of 2025 prevents states from requiring companies to alter security functions, decrypt information, or prohibit the sale of products/services that use encryption.
Ted Lieu
Representative
CA-36
The ENCRYPT Act of 2025 prevents states from requiring companies to alter security functions in their products or services to allow government surveillance or to decrypt encrypted information. It also stops states from banning the sale of products or services that use encryption. This bill ensures that manufacturers, developers, sellers, and providers of computer hardware, software, electronic devices, and online services cannot be forced to compromise security features for government access. The act defines "state" broadly to include all U.S. states, territories, and federally recognized Indian Tribes.
ENCRYPT Act Seeks to Block States From Forcing Tech Backdoors or Demanding Decryption
The proposed ENCRYPT Act of 2025 looks to establish a clear federal line on digital privacy and security. In simple terms, it prevents any state, territory, or tribal government from requiring tech companies—those making hardware, software, devices, or providing online services like email or cloud storage—to build ways for government agencies to bypass security features or decrypt user information. It also stops states from banning products just because they use encryption.
Keeping Digital Doors Locked
So, what does this actually mean for the tech you use every day? The bill explicitly prohibits states from mandating that companies alter security functions to allow government surveillance or physical searches. Think of the encryption that protects your private messages, financial data, or stored files – this act says states can't force the makers of those services (defined broadly as "covered products or services" available to the public) to create a 'master key' or backdoor for state-level agencies. If a company uses encryption, states also can't demand they decrypt information for authorities.
Why One Federal Rule Matters
The ENCRYPT Act aims to create a uniform standard across the country, preempting state or local laws that might try to impose these kinds of requirements. By defining "State" broadly to include U.S. states, D.C., territories, and federally recognized tribes, it ensures consistency. For tech companies operating nationwide, this potentially simplifies compliance, avoiding a complex patchwork of different state rules about encryption. For users, it means the security of their devices and online communications wouldn't depend on which state they happen to be in.
The Privacy Standard
Essentially, this legislation draws a line, emphasizing protection for encrypted communications and data against state-level mandates for access. It focuses on preventing states from compelling companies to weaken the security tools millions rely on. While aiming to bolster privacy and secure digital tools, the practical effect is that states would be barred from creating laws that require tech providers to assist in bypassing the encryption they offer to customers.