The ENCRYPT Act of 2025 preempts state and local governments from mandating technology companies to weaken security or provide decryption access to user data.
Ted Lieu
Representative
CA-36
The ENCRYPT Act of 2025 establishes federal preemption over state laws regarding technology security. This bill explicitly prevents state and local governments from mandating that technology companies build security backdoors or provide decryption capabilities for user data. It also prohibits states from banning the sale of products or services solely because they utilize strong encryption.
ENCRYPT Act Blocks State Demands for Tech Backdoors: Your Digital Privacy Gets a Federal Shield
The aptly named Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2025 (ENCRYPT Act) is essentially a federal declaration of independence for your digital security. This bill steps in to prevent state and local governments from forcing technology companies—think Apple, Google, or even your favorite encrypted messaging app—to deliberately weaken their products or build in security flaws, often called "backdoors." This isn't about making new rules; it's about stopping 50 different states from making bad ones that could expose everyone’s data.
The Anti-Backdoor Mandate: What It Means for Your Phone
Section 2 of the ENCRYPT Act is the core of the bill, establishing strong federal preemption. In plain English, this means states can no longer force tech manufacturers to design products so that law enforcement can easily snoop on users or physically access their devices. If you’re a remote worker relying on secure communication with clients, or just someone who doesn't want their health data exposed, this is huge. It ensures that the security built into your device—like the strong encryption on your text messages or cloud storage—stays intact, regardless of where you live. For the companies, it means they only have to meet one national standard for security mandates, rather than navigating a patchwork of conflicting rules across the country.
Protecting the Keys to the Kingdom
The bill also explicitly bans states from requiring tech companies to hold or provide decryption keys for user-encrypted data. Imagine your bank requires strong authentication for your online account; the ENCRYPT Act ensures that a state government can’t force the bank to keep a master key to unlock your vault. If a company uses strong, end-to-end encryption, the state can’t mandate that the company must be able to unlock that data for them. Furthermore, states cannot ban the sale of any product or service—from a secure router to a private messenger app—just because it uses strong encryption, provided that product is available to the public and moves across state lines.
Who Wins and Who Faces New Hurdles?
The clear winners here are consumers and the tech industry. For the average person, this bill establishes a baseline of robust digital security, protecting sensitive data from state-level surveillance requirements. For tech companies, it simplifies compliance by preventing costly, contradictory state laws that could force them to compromise their products' security features. However, state and local law enforcement agencies are the group facing new restrictions. This federal preemption limits their ability to compel companies to provide access to encrypted data during investigations, potentially increasing the complexity of accessing evidence in criminal cases. In essence, the bill prioritizes the collective security and privacy of millions of users over the investigative efficiency of local authorities, setting a clear boundary between privacy rights and government access.