Sponsors (4)
The bill gives consumers broad, centralized ability and transparency to remove personal data and funds enforcement without taxpayer appropriations, but it raises business compliance costs, concentrates sensitive operational data in a registry that could be compromised or err in matching, and may preempt stronger state privacy laws.
Individuals (including seniors, students, and low-income people) can submit one deletion request that compels all registered data brokers to delete their personal information and stop future collection, giving people meaningful control over their online privacy.
Consumers gain transparency because data brokers must register in a machine-readable public registry disclosing contact information, data types collected, sources, and opt-out availability.
No-fee deletion requests plus mandated security safeguards reduce financial and procedural barriers and lower some risks for people trying to remove their data.
The bill's very broad definition of 'personal information' (including browsing history, biometrics, communications, genetic data, and inferences) could impose high compliance costs on many firms and lead to higher prices or reduced services for consumers.
The federal preemption clause could limit stronger state privacy protections unless the FTC permits them, potentially reducing protections for residents of states with more robust laws.
Requiring data brokers to submit detailed data inventories and operational information to a registry creates a risk that sensitive information could be exposed if the registry is compromised, harming the same consumers it aims to protect.
Based on analysis of 2 sections of legislative text.
Requires FTC rules to register data brokers annually, publish registration data, and run a centralized system letting individuals request deletion and stop future collection of persistent‑identifier personal data.
Introduced April 3, 2025 by Bill Cassidy · Last progress April 3, 2025
Requires the Federal Trade Commission to create rules that make commercial “data brokers” register annually with the agency and to run a centralized system that lets people request deletion of their personal data held by registered brokers. Registrations must be published in a downloadable, machine‑readable form (with narrow safety/confidentiality exceptions), and registrants must provide standardized details about the types and sources of data collected, opt‑out practices, contact information, and certain credentialing information. The agency must issue the regulations within one year and brokers must register within 18 months of enactment. The text provided for one part of the centralized-system requirement is incomplete, so a portion of the bill’s provision about what brokers may do before collecting certain persistent‑identifier data could not be fully summarized.