“A bill to protect the privacy of consumers.”
No CRS summary available for this bill.
This section designates the short title of the Act as the “Consumer Data Privacy and Security Act of 2026” and sets forth the table of contents.
This section defines terms used in the Act, including (1) biometric information (i.e., information from processing an individual's physical, biological, physiological, genetic, or behavioral characteristics that identifies the individual); (2) collection (i.e., acquiring personal data by any means); (3) Commission (i.e., Federal Trade Commission); (4) covered entity (i.e., any entity determining the purpose and means of collecting or processing personal data that is subject to FTC authority under 15 U.S.C. 45(a)(2), a common carrier under the Communications Act of 1934, or a nonprofit organization, excluding service providers); (5) de-identify; (6) delete; (7) individual (i.e., a natural person residing in the United States); (8) material change; (9) personal data (i.e., information identifying or linkable to a specific individual, excluding de-identified data, unreadable data, certain employee data, publicly available information, pseudonymized data, and other specified categories); (10) pseudonymization; and (11) privacy officer.
This section establishes requirements prohibiting covered entities from collecting or processing an individual's personal data without (1) the individual's explicit or implicit consent for a specific purpose or (2) compliance with a permissible purpose (text cuts off but includes exceptions for certain necessary processing). It authorizes third parties to rely on consents obtained by the original covered entity after reasonable due diligence and requires new consents for different or additional purposes not covered by permissible purposes. Service providers may obtain consents on behalf of covered entities. The section further specifies consent rules, treating an individual's failure to decline after notice and a reasonable response time as implicit consent (except that express affirmative consent, which must be clear, prominent, and not inferred from inaction, is required for sensitive personal data or for non-permissible disclosures to third parties). Notices must be concise and include data types, purposes, privacy policy access, rights information, and disclosures about third-party sharing or sensitive data, presented separately if combined with other matters. Covered entities must enable consent withdrawal at any practicable time, effective without undue delay but not retroactive.
This section requires a covered entity to publicly disclose, in a clear and prominent location using easy-to-understand language, a privacy policy describing its personal data policies and practices, individual rights (including those under section 5) and how to exercise them, and specified contents—including the entity's identity and contacts, categories of personal data collected and purposes, retention and deletion practices, third-party disclosures and receipts of personal data, processes for notifying of material changes, steps for individuals to minimize data collection or processing and related implications, and the policy's effective date. It further requires availability of previous policy versions; notification of material changes (e.g., to data categories, purposes, disclosures, or retroactivity) to affected individuals via direct notice if feasible or prominent public notice otherwise; and prohibitions on processing pre-change personal data inconsistently with the prior policy (or sensitive personal data without affirmative consent) until notice and opportunity to exercise rights. Exceptions apply to personal data collection or processing reasonably necessary and limited to in-person transactions without further incompatible uses, legal compliance (including subpoenas), preventing imminent safety dangers, or protecting rights or security against crimes, threats, fraud, or unlawful activity.
This section establishes individual rights with respect to personal data collected or processed by covered entities, including rights to access, correction, and erasure (except for data collected for permissible purposes under section 3(c)), along with related obligations for covered entities to provide clear, no-cost mechanisms to exercise such rights at least twice in any 12-month period (with the first two requests free). Specifically, the section requires covered entities to (1) confirm collection or processing of an individual's data and, if applicable, provide a copy or accurate representation of such data, a list of third-party recipients, and data portability in a structured, machine-readable electronic format (absent contrary individual request or technical infeasibility); (2) maintain procedures to ensure data accuracy, allow verified disputes and corrections (with exceptions for publicly available information), and provide appropriate mechanisms based on risks and benefits; and (3) delete or de-identify data (and direct service providers to do the same) upon verified request. Additionally, covered entities must verify requester identity using reasonable efforts (potentially requesting additional information solely for that purpose); may charge reasonable fees or decline manifestly unfounded, frivolous, or excessive requests; and must decline requests after undertaking [text cuts off in provided provision]. (Thus, for small businesses, compliance timelines for erasure requests account for technical feasibility, cost, and burden.)
This section requires each covered entity and service provider to develop, document, implement, and maintain a comprehensive data security program with reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of personal data from unauthorized access, use, destruction, acquisition, modification, or disclosure. The required safeguards must be appropriate to (1) the entity's size, complexity, and resources; (2) the nature and scope of its activities; (3) the technical feasibility and cost of tools, audits, and measures; (4) the sensitivity of the data; and (5) the potential for harm such as economic loss, identity theft, fraud, or physical injury. At a minimum, the program must (1) designate responsible employee(s); (2) identify and assess material internal and external risks (including employee training, information systems, attack response, and known vulnerabilities); (3) implement and regularly assess safeguards to control those risks; (4) require third parties receiving personal data to maintain comparable safeguards; and (5) evaluate and adjust safeguards for changes in technology, threats, or operations.
This section defines an applicable entity as a covered entity or service provider that annually collects and processes personal data of more than 20,000,000 individuals or sensitive personal data of more than 1,000,000 individuals. It requires each applicable entity to (1) designate a privacy officer to oversee personal data policies and practices, monitor compliance with the Act, oversee privacy impact assessments and a comprehensive privacy program, and serve as a contact for regulators; (2) for applicable covered entities, conduct and document a privacy impact assessment—approved by the privacy officer—prior to new collection/processing activities or material changes in sensitive personal data processing; and (3) implement a comprehensive privacy program to safeguard personal data throughout product/service lifecycles, including through technical safeguards (e.g., encryption, de-identification), policy verification, and respect for data subject preferences, taking into account entity size, data sensitivity/volume, risks, and Act requirements.
This section establishes rules governing disclosures of personal data by covered entities to service providers, requiring such disclosures only pursuant to a binding contract that (1) directs the service provider to collect or process data solely as instructed, (2) specifies applicable purposes, means, instructions, policies, and practices, and (3) includes the service provider's representation of having appropriate compliance procedures and controls. The section further requires covered entities to conduct due diligence on service providers' privacy and security practices—accounting for the covered entity's size, complexity, resources, and expected risk of harm—and investigate and remediate known or probable noncompliance (with contracts not relieving either party's obligations under the Act). Additionally, the section imposes obligations on service providers, including (1) prior notice to covered entities of any legally required data processing (unless prohibited by law), (2) advance notice of relevant policy or practice changes, (3) assistance enabling covered entities to comply with individual rights requests under section 5 (e.g., providing access, corrections, deletions, de-identifications, or returns of reasonably accessible data), (4) deletion, de-identification, or return of data upon service completion (except as required by law), and (5) assurances of compliance.
This section establishes Federal Trade Commission (FTC) enforcement of the Act by treating violations as unfair or deceptive acts or practices under FTC Act §18(a)(1)(B) (15 U.S.C. 57a(a)(1)(B)); grants the FTC all powers, jurisdiction, duties, privileges, and immunities under the FTC Act (15 U.S.C. 41 et seq.); and overrides FTC Act exemptions (§§4, 5(a)(2), 6; 15 U.S.C. 44, 45(a)(2), 46) to apply such enforcement to common carriers and nonprofit organizations described in §2(4) of the Act. (Thus, the FTC gains authority over entities such as telecommunications providers and nonprofits typically exempt from FTC jurisdiction.) It further authorizes civil penalties for knowing violations not exceeding $42,530 per affected individual—determined by considering factors including degree of harm to personal data privacy and security, intent, entity size and resources, compliance efforts, self-reporting, and mitigation—regardless of FTC Act §5(m) (15 U.S.C. 45(m)) limits. This section also authorizes state attorneys general to bring parens patriae civil actions in federal district court for injunctive relief, compliance, or such penalties on behalf of state residents; requires written notice to the FTC at least 10 days prior (or immediately upon filing if infeasible), with copies of the complaint; permits FTC intervention, participation, and appeals; and mandates consolidation of multiple such actions for pretrial and trial in the U.S. District Court for the District of Columbia (with exceptions not specified).
This section preempts state and local laws relating to the privacy or security of personal data—including consumer rights to access, correction, and deletion—for covered entities, except for specified state laws on (1) data breach notifications, (2) criminal or civil procedure rules, (3) fraud or public safety standards, (4) student privacy under the Family Educational Rights and Privacy Act, (5) financial information held by financial institutions (as defined in the Gramm-Leach-Bliley Act), (6) protected health information under HIPAA, (7) employment-related data, and (8) anti-discrimination protections. It also supersedes other federal privacy and security laws except for specified statutes (e.g., Children's Online Privacy Protection Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act Title V, HIPAA and HITECH Act, Family Educational Rights and Privacy Act, Electronic Communications Privacy Act, and Driver's Privacy Protection Act), provides deemed compliance for entities meeting those laws' requirements, and exempts covered entities from Federal Communications Commission regulations on personal data (except those solely for 911 or other emergency lines).
This section (1) directs the Chair of the Commission to appoint no fewer than 440 additional attorneys, technologists, and support personnel to enforce this Act and other laws relating to privacy and data security that the Commission is authorized to enforce, notwithstanding any other provision of law; (2) requires the Commission to submit to Congress, not later than one year after enactment, a report assessing its available resources to carry out this Act and identifying any additional resources, including personnel, required for effective implementation; and (3) authorizes appropriations of such sums as necessary to carry out the section.
This section establishes requirements concerning international coordination, FTC reporting to Congress, and GAO studies related to enforcement of the Act. Specifically, it (1) directs the FTC to coordinate enforcement actions with foreign data protection authorities consistent with subsections (j) and (k) of section 6 of the Federal Trade Commission Act (15 U.S.C. 46); (2) requires the Secretary of Commerce, in consultation with the FTC and other agencies, to identify foreign personal data processing laws that could disrupt cross-border data transfers, develop mechanisms to prevent such disruptions, and submit progress reports to Congress not later than 1 year after enactment and annually thereafter for 5 years; (3) requires the FTC to submit reports to Congress, and post them publicly online, not later than 180 days after enactment and annually thereafter on the Act's effectiveness, compliance, violations, enforcement actions and priorities, and resource needs; and (4) directs the Comptroller General to submit reports to the President and Congress not later than 3 years after enactment and every 3 years thereafter surveying federal data privacy and security laws for inconsistencies with the Act, impacts on small businesses, amendment recommendations amid technological and economic trends, and federal enforcement activities.
This section establishes a severability clause, providing that if any provision of the Act or its application to any person or circumstance is held unconstitutional, the remainder of the Act and the application of the provision to other persons or circumstances shall not be affected.