Introduced March 19, 2026 by Zoe Lofgren · Last progress March 19, 2026
The bill substantially strengthens individual privacy rights, data‑security standards, and centralized enforcement—providing greater control and remedies for many Americans—while imposing significant compliance costs, regulatory uncertainty, and potential service reductions that could raise prices, complicate journalism, and strain cross‑border data flows.
Most Americans (consumers and individuals) gain broader, clearer privacy protections: the bill expands what counts as personal data (including 'linked or reasonably linkable' data), narrows behavioral personalization and targeted profiling, creates rights to access, correct, delete, and port data, and requires human review of automated decisions.
Consumers and privacy professionals get a centralized federal Digital Privacy Agency and enforcement architecture: a single complaints hotline, public incident database, coordinated investigations with DOJ and state attorneys general, and a civil‑rights office to address discriminatory data practices.
Individuals receive stronger data‑security and accountability measures: mandated breach notification (e.g., prompt/72‑hour where feasible), limits on employee access, and required access logs and auditing to reduce insider misuse and speed awareness of incidents.
Small and large businesses face substantial new compliance costs and legal exposure: requirements for technical safeguards, access/portability systems, contracts, auditing, and the potential for large civil penalties (including per‑person multipliers and daily fines) will raise costs that are likely passed to consumers.
Consumers may see reduced personalization, fewer free features, and slower innovation: bans/limits on targeted profiling, restrictions on ancillary data uses, and data‑substitution requirements could shrink ad revenue models and prompt providers to limit features or charge for services.
The new agency and rulemaking structure create regulatory uncertainty and concentrated power: a Director with long terms, exemptions from some appointment rules, broad discretion to define harms and de‑identification, and judicial‑deference provisions increase unpredictability about future enforcement and obligations.
Based on analysis of 10 sections of legislative text.
Creates a federal digital privacy law that grants individual data rights, limits data collection/use, creates a Digital Privacy Agency, criminalizes malicious disclosures, and funds privacy research.
Creates a new federal digital privacy framework that gives people rights over their personal data (access, correction, deletion, portability), limits how companies collect and use data, and requires entities to document and restrict employee access and automated decision-making. It establishes an independent Digital Privacy Agency (DPA) with investigatory and enforcement powers, makes certain malicious disclosures of personal information a federal crime, and funds privacy research, standards, and education at NIST and NSF.