Don’t Sell Kids’ Data Act of 2025
- Bill Number
- H.R. 6292
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Commerce
- Status
- Introduced
- Latest Action
- 2025-12-11: Forwarded by Subcommittee to Full Committee in the Nature of a Substitute (Amended) by Voice Vote.
- Last Updated
- 2025-12-13T09:07:15Z
AI-Generated Summary
Purpose
The "Don't Sell Kids' Data Act of 2025" aims to protect the privacy of children (individuals under 13) and teens (individuals aged 13 to under 18) by prohibiting data brokers—companies that buy and sell personal information about people—from handling their personal data. It establishes rules for data deletion and provides enforcement mechanisms to prevent the commercialization of minors' information.
Key Provisions
- Prohibition on Handling Minors' Data: Data brokers cannot collect, use, maintain, sell, license, rent, trade, transfer, disclose, or otherwise share personal data of a child or teen if they know or reasonably should know the individual's age. Personal data includes any information that identifies or can be linked to an individual, such as names, addresses, or unique device identifiers.
- Limited Exception: Data brokers may only collect, use, or maintain such data if strictly necessary to comply with the law's prohibitions or deletion requirements, and not for any other reason.
- Data Deletion Requirements:
- Data brokers must delete all existing personal data on children and teens.
- They must create a public mechanism (e.g., on their website) allowing teens, parents/guardians of children, or authorized agents to request deletion.
- Within 10 days of a request, brokers must identify, delete the data, and notify the requester.
- Brokers must provide clear, plain-language public notices about this process.
- Enforcement Mechanisms:
- Federal Trade Commission (FTC): Violations are treated as unfair or deceptive practices under the FTC Act, allowing the FTC to investigate, sue, and impose penalties like fines.
- State Enforcement: State attorneys general can sue on behalf of residents for injunctions (court orders to stop violations), damages, or other relief, after notifying the FTC. States can intervene if the FTC acts first.
- Private Lawsuits: Affected individuals (children, teens, or their guardians) can sue data brokers in federal court. A violation alone counts as a legal injury. Successful plaintiffs can get at least $1,000 per violation (or actual damages), plus up to triple damages for willful violations, injunctions, attorney fees, and costs. Rights cannot be waived via terms of service or arbitration agreements.
- Effective Date: The law takes effect 180 days after enactment.
- Definitions:
- Data Broker: A business that sells or shares personal data it didn't collect directly from the person (excludes service providers acting on behalf of individuals/governments, certain product/service providers, user-directed transmissions, or news publishers).
- Knows: Actual knowledge or what can be reasonably inferred from circumstances.
- Service Provider: An entity handling data at the direction of the individual, their guardian, or government.
Significant Changes to Existing Law
This bill introduces new federal restrictions targeted at data brokers, building on but expanding beyond the Children's Online Privacy Protection Act (COPPA), which mainly regulates websites collecting data from children under 13 with parental consent. It extends protections to teens (ages 13-17), bans nearly all handling of minors' data by brokers (not just collection), mandates proactive deletion of existing data, and creates private rights of action for individuals—features not as comprehensively covered in prior laws like the FTC Act or state privacy statutes. It also clarifies that data brokers exclude certain entities, refining who is regulated.
Potential Impacts
- On Citizens: Enhances privacy for minors by limiting how their data (e.g., from apps, browsing, or devices) can be bought/sold, reducing risks like targeted advertising, identity theft, or exploitation. Parents and teens gain easy tools to request data erasure, potentially increasing awareness of data rights.
- On Government Agencies: The FTC gains expanded enforcement powers, similar to its role in consumer protection, which may require additional resources for investigations. State attorneys general can pursue cases more readily, fostering coordinated federal-state action.
- On Businesses: Data brokers face operational limits, possibly disrupting revenue from minors' data markets (estimated to be significant in advertising). They must invest in age-verification systems, deletion processes, and compliance notices, with risks of lawsuits or fines for non-compliance.
- On International Relations: Minimal direct impact, though it could influence global data flows if U.S. brokers handle international minors' data, aligning with broader privacy trends like Europe's GDPR but focused domestically.
Main Stakeholders Affected
- Minors and Families: Children and teens as primary beneficiaries; parents/guardians as enforcers via deletion requests and lawsuits.
- Data Brokers and Tech Companies: Entities like data aggregators or ad tech firms that trade personal information, required to overhaul practices.
- Government Entities: FTC for federal oversight; state attorneys general for local enforcement; courts handling private suits.
- Advocacy Groups: Privacy organizations (e.g., those pushing for child protection) and consumer rights advocates, who may support or litigate under the law.
- Exempted Businesses: Service providers (e.g., cloud storage acting for users), news outlets, and non-data-centric companies, which face fewer changes.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens individual privacy as a enforceable right, with violations automatically qualifying as "injuries" for lawsuits (addressing standing issues in privacy cases). It integrates with the FTC Act for seamless enforcement but preserves state laws, avoiding preemption conflicts. The non-waivable private right of action could lead to increased litigation, similar to class-action trends in consumer protection.
- Constitutional: May raise First Amendment questions if restrictions on data sharing are seen as limiting commercial speech, though courts have upheld similar privacy rules (e.g., COPPA). No direct challenges to due process or equal protection are evident, as it targets commercial actors fairly.
- Political: Represents a bipartisan push for child privacy amid rising concerns over tech surveillance, potentially setting a precedent for broader data broker regulations. It balances business interests (via exceptions) with protectionism, but could spark debates on federal overreach into commerce or the scope of "personal data."
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Recent Actions
- 2025-12-11: Forwarded by Subcommittee to Full Committee in the Nature of a Substitute (Amended) by Voice Vote.
- 2025-12-11: Subcommittee Consideration and Mark-up Session Held
- 2025-11-25: Referred to the Subcommittee on Commerce, Manufacturing, and Trade.
- 2025-11-25: Referred to the House Committee on Energy and Commerce.
- 2025-11-25: Introduced in House
- 2025-11-25: Introduced in House
Bill Versions
- Don’t Sell Kids’ Data Act of 2025 — issued 2025-11-25 — PDF (12 pages)