Sponsors
The bill substantially strengthens Americans' privacy and control over their personal data—especially for children—while imposing meaningful compliance, litigation, and operational costs that could raise prices, reduce some data‑driven services, and complicate security and regulatory practices.
All users (consumers, students, families) gain stronger property-like rights and direct control over their personal data: they retain ownership and can access, correct, delete/de‑identify, and port covered data.
Users receive greater limits on collection, retention, tracking, and monetization plus transparency about who received their data, reducing intrusive profiling and enabling accountability of large operators and data brokers.
Children and families are better protected because minors’ covered data cannot be shared with third parties without parental consent.
Covered businesses (large online operators, data brokers, and many smaller firms) will face substantial compliance costs to implement access, deletion, portability, notice/icon, and other requirements, and firms may pass those costs to consumers as higher prices or reduced services.
Users may see reduced availability of free, ad-supported or heavily personalized services if companies cannot monetize data as before or must offer feature parity without data use.
Covered entities face elevated litigation exposure because the bill creates a private right of action with statutory damages ($100–$750 per violation), increasing legal risk and potential costs for businesses.
Based on analysis of 3 sections of legislative text.
Declares users own their data and requires companies to give access, correction, deletion, and portability rights while limiting collection, sharing, and monetization of personal data.
Introduced May 4, 2026 by Michael Cloud · Last progress May 4, 2026
Declares that data a person creates is their property and gives users strong new privacy rights: the right to access, correct, delete (or de‑identify), and port their personal data. It bans asking for a user’s contact list or contact details unless both the user and each contact give written consent, limits what companies can collect, retain, share, track, and monetize, and sets timing, consent, and technical rules for how requests must be handled. Requires companies and commercial data operators to respond to verified user requests quickly (no later than 90 days), provide at least two opportunities per year to exercise rights, fulfill requests free of charge, delete certain sensitive data quickly (e.g., browsing history, biometrics within 60 days), and provide data portability in a machine‑readable format without licensing restrictions. Includes special protections for minors and transparency about third parties who receive data.