Online Privacy Act of 2026
- Bill Number
- H.R. 8014
- Origin Chamber
- House
- Congress
- 119th Congress, Session 2
- Status
- Introduced
- Latest Action
- 2026-03-19: Referred to the Committee on Energy and Commerce, and in addition to the Committees on the Judiciary, and Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- Last Updated
- 2026-04-14T06:23:31Z
AI-Generated Summary
Purpose
The Online Privacy Act of 2026 (H.R. 8014) aims to protect the privacy of personal information for U.S. residents by granting individuals specific rights, imposing privacy and security obligations on businesses that handle such data online (covered entities), and creating a new federal agency—the Digital Privacy Agency (DPA)—to enforce these rules. It seeks to minimize data collection, limit sharing, prevent harms like discrimination or harassment, and promote secure practices.
Key Provisions
- Individual Rights (Title I):
- Access: View categories of personal data held, sources, sharing lists, and automated decision processes.
- Correction: Dispute and fix inaccurate data that could cause significant harm.
- Deletion: Request removal of personal data.
- Portability: Download or transfer data in portable categories (e.g., high-user services) via APIs.
- Human Review: Challenge automated decisions causing harm.
- Autonomy: No behavioral personalization (e.g., algorithms influencing behavior) without consent.
- Informed: Notification if contact info is collected without a relationship.
- Impermanence: Data retention limited to consented durations.
- Exceptions for security, fraud, law enforcement; small businesses partially exempt; no fees except for excessive requests.
- Business Requirements (Title II):
- Data Minimization: Collect/process/maintain/disclose only what's necessary; ancillary uses need notice/consent.
- Disclosure Rules: Consent for sharing (specific for sales); bans on re-identification, discriminatory uses (e.g., in jobs/housing), "dark patterns" (deceptive designs).
- Communications: Strict limits on accessing message contents.
- Notice/Consent: Clear, testable processes; revocable; privacy policies required.
- Security & Breaches: Reasonable safeguards; notify DPA/individuals/other firms within 72 hours/14 days if harm likely.
- Small business exemptions; service providers (data processors acting on instructions) have lighter duties.
- Digital Privacy Agency (Title III):
- Independent executive agency led by Senate-confirmed Director (6-year term).
- Powers: Rulemaking, investigations, audits, complaints database, civil rights office, advisory boards (users, research, startups, products).
- Coordinates with FTC (transfers some privacy duties); $550M/year funding (2026-2030).
- Enforcement (Title IV):
- DPA investigations/subpoenas, hearings, lawsuits; states/private suits allowed.
- Private Actions: Injunctions; damages (non-class via nonprofits representing individuals).
- Penalties: Up to FTC max per affected person/day; whistleblower rewards.
- Criminal: New federal doxxing ban (up to 5 years prison for harmful disclosures).
- Other:
- Government limits on unredacted records; journalism protections.
- NIST/NSF: Privacy R&D, standards, education.
- Effective 1 year post-enactment.
Significant Changes to Existing Law
- New Comprehensive Framework: First national baseline privacy law beyond sector-specific rules (e.g., doesn't override HIPAA, COPPA).
- New Agency: DPA takes FTC privacy enforcement roles; independent structure like CFPB.
- Criminal Addition: Adds 18 U.S.C. §881 banning doxxing with intent to harm.
- Private Enforcement: Enables individual/nonprofit suits for damages (limited to avoid class actions).
- Data Flows: Restricts transfers to non-U.S./non-compliant entities unless certified/safe harbors.
Potential Impacts
- Citizens: Stronger control over data (e.g., deletion/portability), reduced risks of harm (financial, physical, discrimination); easier switching services.
- Government Agencies: DPA creation adds bureaucracy/costs; limits on record disclosures; coordination with states/FTC.
- Businesses: Compliance costs (esp. large tech); small firms get exemptions/ramp-up; innovation push via privacy tech research.
- International Relations: Curbs data exports without safeguards; no data localization mandate.
Main Stakeholders Affected
- Individuals: U.S. residents (rights holders).
- Covered Entities: Online businesses handling personal data (>de minimis); small businesses (<$25M revenue, <250K users) get breaks.
- Service Providers: Processors (e.g., cloud hosts) with safe harbors if compliant.
- Digital Privacy Agency/FTC: New enforcer; staff transfers.
- States: Attorneys general/privacy regulators can sue/enforce.
- Nonprofits/Whistleblowers: Represent in suits, get fees/rewards.
- Government: Restricted data sharing; NIST/NSF funded activities.
Notable Legal, Constitutional, or Political Implications
- Legal: Preemption only for weaker state laws (stronger allowed); severability clause; no arbitration waivers; deference to DPA interpretations.
- Constitutional: Protects free expression (journalism exemption, request denials for safety); balances with privacy harms.
- Political: Creates powerful agency amid tech regulation debates; private suits risk litigation flood but limited by structure; civil rights focus addresses equity concerns.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Recent Actions
- 2026-03-19: Referred to the Committee on Energy and Commerce, and in addition to the Committees on the Judiciary, and Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2026-03-19: Referred to the Committee on Energy and Commerce, and in addition to the Committees on the Judiciary, and Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2026-03-19: Referred to the Committee on Energy and Commerce, and in addition to the Committees on the Judiciary, and Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2026-03-19: Introduced in House
- 2026-03-19: Introduced in House
Bill Versions
- Online Privacy Act of 2026 — issued 2026-03-19 — PDF (151 pages)