Creates baseline privacy duties for online service providers that handle identifying and sensitive data. Providers must exercise care, loyalty, and confidentiality when handling such data, secure sensitive data, notify users of breaches, avoid using data to harm or unfairly advantage themselves against users, and limit disclosures to parties that adopt the same duties or are supervised. Gives the Federal Trade Commission rulemaking and enforcement authority to implement and enforce the law, lets state attorneys general and certain state consumer protection officers sue for violations and seek civil penalties, and prevents companies from contractually waiving the law’s rights and remedies. The core provider obligations begin 180 days after enactment, while other provisions are effective on signature.
The bill establishes a strong federal baseline of privacy protections and enforcement for online users—covering sensitive data, duties for providers, and new enforcement tools—while imposing meaningful compliance costs, regulatory uncertainty, and litigation risks that could raise prices, reduce or
Nearly all internet users gain a federal privacy baseline: a broad class of "sensitive data" (SSNs, health records, biometrics, credentials, many identifier combinations) is specially protected and covered services must follow duties of care, loyalty, and confidentiality (limits on sale/disclosure and breach notice).
Americans gain stronger federal enforcement and redress: the FTC is the named federal enforcer, state attorneys general can sue in federal court, and civil penalties tied to days of noncompliance or number of users increase deterrence and the chances that violations are stopped.
Patients and people seeking care get explicit protection because health information is treated as sensitive data, strengthening medical privacy online.
Consumers and many businesses face higher costs: new compliance, audit, and contractual oversight obligations can raise prices, reduce free features, or limit services as firms pass on costs.
Broad definitions (e.g., "reasonably linkable," common identifier combinations, nonpublic user content treated as sensitive) greatly expand regulated data, creating regulatory uncertainty, litigation risk, and potential delays or reduced product features.
Smaller providers, nonprofits, and startups may be disproportionately harmed: costs of compliance and potential penalties could force them to scale back services, drop features, or exit markets.
Introduced December 18, 2025 by Brian Emanuel Schatz · Last progress December 18, 2025