The ENCRYPT Act of 2025 would preempt state and local data-security vulnerability mandates and decryption requirements for covered products and online services. It bars states from mandating security designs intended to enable surveillance or decryption, and it prohibits states from restricting the sale or lease of encrypted products or services because they use encryption.
The bill defines what counts as a covered product or service and sets a broad scope for what is covered, including hardware, software, electronic devices, and online services that travel in interstate or foreign commerce and are available to the general public. By creating a nationwide standard, the ENCRYPT Act aims to reduce state-by-state regulatory fragmentation and provide clear guidance to manufacturers, developers, and platform operators about what they can and cannot design or offer.
At a Glance
What It Does
States may not require security designs to enable surveillance or decrypt information, and they may not prohibit the sale, lease, or provision of encrypted products or services. The act also provides definitions for covered products/services, online services, and the concept of State.
Who It Affects
Manufacturers, developers, sellers, and providers of covered products or services; entities operating online services that affect interstate commerce; and state or local governments enforcing data-security mandates.
Why It Matters
Creates a uniform national framework for encryption-related requirements, reducing regulatory fragmentation and protecting encryption-enabled technologies across interstate commerce.
What This Bill Actually Does
The ENCRYPT Act of 2025 seeks to guard encryption across devices and online platforms by stopping state and local governments from imposing data-security mandates that would force backdoors, surveillance capabilities, or decryption requirements. In short, states would no longer be able to compel manufacturers to alter security features to enable monitoring, nor could they ban encryption-based products simply because they use encryption.
To ensure clarity, the bill defines what counts as a covered product or service and specifies that this includes hardware, software, electronic devices, and online services available to the public and used in interstate commerce. The result is a uniform national standard that regulators and companies can rely on, reducing the complexity and cost of complying with multiple state rules.
The act also explicitly expands the scope of what is considered a State, including the District of Columbia, commonwealths, territories, possessions, and federally recognized Indian Tribes, ensuring broad preemption where state actions could impinge on encryption technologies.
Overall, the ENCRYPT Act of 2025 shifts the regulatory landscape away from a patchwork of state encryption mandates toward a single federal baseline, protecting the confidentiality and integrity of communications and data stored or transmitted by covered products and online services.
The Five Things You Need to Know
The bill preempts state data-security mandates and decryption requirements for covered products and services.
Covered products/services include hardware, software, electronic devices, and online services used in interstate or foreign commerce.
States cannot require backdoors or surveillance-enabled security changes in products or facilitate decryption.
States cannot ban the sale or lease of encrypted products solely because they use encryption.
The definition of State is broad, covering DC, commonwealths, territories, possessions, and federally recognized Indian Tribes.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
The act is officially titled the ENCRYPT Act of 2025, establishing its purpose as protecting private telecommunications and encryption across interstate commerce.
Preemption of State Data Security Vulnerability Mandates and Decryption Requirements
Section 2(a) sets forth the preemption: a state or political subdivision may not require a manufacturer, developer, seller, or provider of a covered product or service to design or alter security functions to enable surveillance or decryption. It also prohibits states from restricting the manufacture, sale, or lease of encrypted products or services. Section 2(b) provides definitions for covered products or services, online services, and the term State to ensure broad applicability across jurisdictions, including D.C., territories, and federally recognized tribes.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Manufacturers and developers of covered products or services benefit from a uniform nationwide standard that reduces multi-state compliance complexity and costs.
- Online service providers and digital platforms benefit from stability in encryption expectations, avoiding state-level hindrances to offering encrypted communication and data storage.
- Interstate retailers and distributors of encrypted products benefit from a consistent market access environment free of conflicting state mandates.
- Consumers relying on encryption gain from a consistent national protection framework ensuring privacy and security across products and services.
Who Bears the Cost
- State and local governments must revise or repeal encryption-related mandates, incurring administrative and legislative costs.
- Regulators tasked with enforcing or updating data-security rules may experience shifts in workload and budget needs as mandates are preempted.
- Firms that previously prepared for or aligned with specific state encryption restrictions may face transitional costs in policy and product strategy to align with federal preemption.
Key Issues
The Core Tension
Balancing nationwide uniformity in encryption protections with states' ongoing interest in addressing local security and privacy concerns, without eroding opportunities for targeted safeguards or regional innovation.
The bill’s reliance on federal preemption raises questions about the balance between national uniformity and state-level security interests. While uniform encryption protections benefit nationwide commerce and consumer privacy, states often pursue tailored safeguards or address local security concerns that could be hampered by a blanket rule.
The text provides definitions and scope but does not outline enforcement mechanisms or remedies for violations, leaving questions about how preemption interacts with existing or future state measures. There is also potential uncertainty about how this interacts with other federal privacy or security laws, and whether any carve-outs or exceptions could emerge through future amendments.
Core tensions arise around capacity for states to pursue encryption-related protections versus the benefits of a predictable national framework. The breadth of the defined term State — including Tribes and DC — broadens the reach of preemption, which could limit localized policy experiments and adaptations to unique regional security needs.
Smart readers will want to see how this interacts with evolving federal security standards and what minimal baseline of security is implied by