Data Care Act of 2025
- Bill Number
- S. 3570
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Commerce
- Status
- Introduced
- Latest Action
- 2025-12-18: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-03-21T11:03:25Z
AI-Generated Summary
Purpose
The Data Care Act of 2025 aims to protect end users' personal data by imposing specific duties on online service providers that collect and use such data. It establishes standards of care, loyalty, and confidentiality to prevent misuse, unauthorized access, or harmful sharing of data, treating these providers like fiduciaries (trusted parties responsible for acting in users' best interests).
Key Provisions
- Definitions:
- End user: Any individual who interacts with or uses an online service over the internet or digital networks.
- Individual identifying data: Information collected online that can be linked to a specific person or their device.
- Online service provider: Businesses engaged in interstate commerce that collect such data, even incidentally.
- Sensitive data: Highly personal information, including Social Security numbers, biometric data (like fingerprints), health details, financial account info, precise location, or nonpublic communications.
- Duties for Providers (Section 3):
- Duty of Care: Providers must reasonably secure data against unauthorized access and promptly notify affected users of breaches involving sensitive data.
- Duty of Loyalty: Providers cannot use data (or derived data) in ways that benefit the provider while harming users financially/physically or that would be unexpectedly offensive to a reasonable person.
- Duty of Confidentiality: Providers cannot disclose, sell, or share data without contracts that bind recipients to the same duties; they must audit third parties' compliance.
- These duties extend to any third party receiving the data.
- The Federal Trade Commission (FTC) can expand breach notifications to other data types and exempt smaller or low-risk providers based on factors like size, data sensitivity, and costs.
- Enforcement (Section 4):
- Violations are treated as unfair or deceptive practices under the FTC Act, allowing the FTC to investigate, fine, and enforce like other consumer protection rules.
- Enforcement extends to nonprofits and common carriers (e.g., telecom companies), which are often exempt from standard FTC oversight.
- State attorneys general can sue on behalf of residents for civil penalties (calculated by days of violation or number of harmed users, up to FTC maximums, adjusted for inflation), but must notify the FTC first and cannot proceed if the FTC is already acting.
- States retain their own investigatory powers.
- Protections Against Waivers (Section 5): Users cannot waive their rights or remedies under this Act through contracts or agreements.
- Relation to Other Laws (Section 6): The Act does not override existing federal or state privacy/security laws and preserves FTC authority under other statutes.
- Effective Date (Section 7): Takes effect upon enactment, with duties applying 180 days later.
Significant Changes to Existing Law
- Introduces explicit fiduciary duties (care, loyalty, confidentiality) for data handling, going beyond the FTC's current reliance on general "unfair or deceptive acts" standards under the FTC Act (15 U.S.C. § 45).
- Expands FTC jurisdiction to nonprofits and common carriers, which are typically exempt.
- Allows state-level enforcement with federal coordination, similar to but broader than some existing state privacy laws (e.g., California's CCPA), while avoiding preemption of other privacy rules.
- Mandates contracts and audits for data sharing, creating new accountability for third parties not previously required at the federal level.
Potential Impacts
- On Citizens: Enhances data privacy by requiring better security, limiting harmful uses (e.g., manipulative advertising or discriminatory practices), and ensuring breach notifications, potentially reducing identity theft, financial harm, and privacy invasions for everyday internet users.
- On Government Agencies: Empowers the FTC with rulemaking and enforcement tools, increasing its workload but providing a unified federal framework; states gain new litigation authority, possibly leading to more coordinated privacy actions without duplicating efforts.
- On Online Service Providers and Businesses: Imposes compliance costs (e.g., security upgrades, audits, contracts), which could raise operational expenses, especially for smaller entities, but may encourage industry-wide privacy improvements.
- On International Relations: No direct impacts mentioned, though it could influence U.S. tech companies' global data practices and set a precedent for international privacy standards, potentially affecting data flows in cross-border commerce.
Main Stakeholders Affected
- End Users/Consumers: Primary beneficiaries, gaining stronger protections for their personal data.
- Online Service Providers: Entities like social media platforms, e-commerce sites, and apps that collect user data; they face new compliance burdens.
- Third Parties: Data brokers, advertisers, or partners receiving shared data, now subject to the same duties via contracts.
- Federal Trade Commission (FTC): Leads enforcement and rulemaking, with expanded authority.
- State Attorneys General and Consumer Protection Offices: Can pursue state-level actions, representing residents' interests.
- Nonprofits and Common Carriers: Newly included in oversight, such as educational organizations or telecom firms handling user data.
Notable Legal, Constitutional, or Political Implications
- Legal: Strengthens consumer privacy as an enforceable federal right, integrating with the FTC Act without creating a new agency; civil penalties could deter violations but may lead to litigation over what constitutes "reasonably foreseeable harm" or "offensive" uses. The non-waiver provision limits arbitration clauses common in user agreements.
- Constitutional: Could raise First Amendment concerns if duties restrict data-derived speech (e.g., targeted ads), though focused on harm prevention; commerce clause supports federal regulation of interstate online activities.
- Political: Bipartisan support (introduced by senators from both parties) signals growing consensus on tech accountability; may spur debates on balancing innovation with privacy, potentially influencing future laws like comprehensive data protection similar to Europe's GDPR.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (14)
Sen. Merkley, Jeff [D-OR], Sen. Murphy, Christopher [D-CT], Sen. Baldwin, Tammy [D-WI], Sen. King, Angus S., Jr. [I-ME], Sen. Sanders, Bernard [I-VT], Sen. Booker, Cory A. [D-NJ], Sen. Duckworth, Tammy [D-IL], Sen. Smith, Tina [D-MN], Sen. Durbin, Richard J. [D-IL], Sen. Welch, Peter [D-VT], Sen. Warren, Elizabeth [D-MA], Sen. Klobuchar, Amy [D-MN], Sen. Bennet, Michael F. [D-CO], Sen. Luján, Ben Ray [D-NM]
Recent Actions
- 2025-12-18: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2025-12-18: Introduced in Senate
Bill Versions
- Data Care Act of 2025 — issued 2025-12-18 — PDF (15 pages)