The bill creates a nationwide privacy regime that gives individuals clearer rights and stronger federal enforcement while standardizing rules for businesses — but it shifts power to the federal level, imposes significant compliance costs (especially on small firms), leaves some enforcement and implementation gaps, and removes the ability for individuals to sue directly.
Consumers and businesses nationwide get a single federal privacy framework that standardizes rights and compliance across states, reducing conflicting rules and duplicative obligations.
Individuals (broad U.S. population) gain stronger, clearer personal-data rights — including consent controls, notice of changes, access, portability, correction, deletion, and mechanisms to withdraw consent — making it easier to understand and control how data about them is used.
Federal enforcement capacity is strengthened (larger FTC staffing and scaled civil penalties), increasing the likelihood of faster investigations and stronger deterrence against large-scale privacy/security violations.
Residents of states with stronger privacy laws could lose protections, and state and local governments could lose authority, because the federal standard preempts inconsistent state rules.
Small and some medium businesses face substantial new compliance, documentation, vendor-management, and operational costs (privacy officers, impact assessments, security programs), which are likely to be passed on to consumers or to reduce available services.
Individuals cannot bring private lawsuits under the Act (no private right of action), so harmed people must rely on government enforcement (FTC or state AGs), potentially limiting direct compensation and recourse.
Based on analysis of 13 sections of legislative text.
Establishes a single federal privacy framework: notice/consent rules, individual rights, security and accountability requirements, FTC enforcement with civil penalties, and preemption of many state laws.
Introduced March 25, 2026 by Jerry Moran · Last progress March 25, 2026
Creates a single federal privacy and data-security framework that mostly preempts state and local privacy and security laws for covered entities, defines what personal data is, sets notice and consent rules, gives individuals rights to access, correct, delete, and port their data, mandates security programs and accountability for large processors, and makes the Federal Trade Commission the primary enforcer with civil penalties and oversight. The law requires covered entities and service providers to follow contractual limits on onward disclosures, requires privacy policies and notices, obligates the FTC to add staff and report on enforcement, and preserves limited state and federal law exceptions while barring a private right of action.