The bill substantially strengthens individual privacy rights, centralizes enforcement, and limits data monetization—benefiting consumers and victims—while imposing significant compliance costs, expanded federal investigatory power, and regulatory complexity that could chill innovation, increase litigation, and raise taxpayer and business burdens.
Almost all Americans gain stronger, enforceable privacy rights: expanded access, correction, deletion, portability, notice, human review of automated decisions, and affirmative consent requirements for behavioral personalization.
A new centralized Digital Privacy Agency with dedicated funding improves federal enforcement, provides a single intake and remedy pathway, and creates new consumer remedies (refunds, restitution, disgorgement, damages) and whistleblower incentives.
Companies must limit collection/use of data (data minimization, de‑identification/substitution) and speed breach notifications, reducing profiling and enabling quicker mitigation of privacy harms for consumers.
Covered businesses — especially small and mid‑sized firms — face substantial new compliance, technical, and administrative costs (documentation, auditing, APIs, verification, security programs) that could raise prices, reduce services, or push firms out of markets.
The bill significantly expands federal investigatory and enforcement powers (compulsory demands, expedited production, large per‑person civil penalties, exclusive administrative review and deference to the Agency), creating high liability risk for organizations and concerns about due process and limited judicial checks.
Criminalizing certain disclosures (doxxing) and broadly defining 'disclose' and 'personal information' risks overcriminalization and a chill on lawful speech and reporting about public information.
Based on analysis of 10 sections of legislative text.
Establishes a federal privacy law with individual data rights, limits on behavioral personalization, a new Digital Privacy Agency, investigatory powers, and a new criminal offense for harmful doxxing.
Introduced March 19, 2026 by Zoe Lofgren · Last progress March 19, 2026
Creates a new federal privacy regime that limits how companies collect, use, and share people’s personal information, gives people rights to access, correct, delete, and port their data, and restricts certain forms of automated "behavioral personalization." It establishes an independent Digital Privacy Agency (DPA) to enforce those rules, investigate violations, and issue civil orders, and it creates a new federal crime for knowingly disclosing personal information with intent to threaten or facilitate violent harm. The bill sets definitions and thresholds, requires notice/consent or strong restrictions for many secondary uses of data, protects a journalism carve-out, voids contractual waivers and predispute arbitration for claims under the Act, preserves many existing federal privacy laws, and tasks NIST and NSF with voluntary privacy frameworks, education, research, and limited appropriations for those programs.