Sponsors
Introduced March 25, 2026 by Jerry Moran · Last progress March 25, 2026
The bill creates a comprehensive, uniform federal privacy regime that gives most Americans clearer rights, stronger security safeguards, and centralized enforcement — at the cost of reducing state-level flexibility and private lawsuits, imposing significant compliance costs (especially on small firms), and creating potential gaps and practical hurdles that could limit some beneficial uses of data.
All Americans (consumers) get a consistent, nationwide privacy framework that clarifies core rights (notice, consent, access, deletion) so individuals know and can exercise the same basic privacy protections across states.
People with sensitive data (health, biometrics, financial, precise geolocation) gain stronger, clearer controls — including express consent, limits on re‑identification, and deletion/de‑identification requirements — reducing risk of misuse.
Consumers and organizations benefit from stronger security and lifecycle protections (comprehensive security programs, vendor safeguards, encryption, privacy officers) that lower the risk of breaches, fraud, and identity theft.
States lose the ability to enact stronger privacy protections and individuals are barred from private lawsuits under the Act, which risks weakening protections where stronger state laws or private enforcement previously provided more robust or faster remedies.
Small businesses, service providers, and some covered entities face substantial new compliance, contracting, technical, and staffing costs (privacy officers, security programs, consent/notice systems) that may be passed to consumers or force service reductions.
Numerous exemptions, retained sectoral carve‑outs, and narrow exceptions (employment data, public/pseudonymized data, small‑business exemptions, research/security exceptions) leave coverage gaps and could allow some profiling or uses to continue despite the new baseline.
Based on analysis of 13 sections of legislative text.
Establishes a uniform federal privacy law setting consent rules, individual data rights, security and accountability requirements, service‑provider obligations, FTC enforcement, and state preemption.
Creates a uniform federal privacy and data-security framework that governs how covered entities collect, use, share, secure, and delete personal data. It requires clear consent rules, strong individual rights (access, correction, deletion, portability), written privacy policies, mandatory security programs, service‑provider contract requirements, accountability steps for very large data holders, and makes violations enforceable by the Federal Trade Commission with civil penalties and state attorney‑general enforcement under coordinated rules. Establishes federal preemption of most state privacy and related laws (while preserving specific enumerated state and federal laws), directs a major staffing increase and funding authorization for enforcement, requires interagency and international coordination and reporting, and phases the law in with a one‑year general effective date and immediate effect for the preemption provision.