Consumer Data Privacy and Security Act of 2026
- Bill Number
- S. 4211
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 2
- Policy Area
- Commerce
- Status
- Introduced
- Latest Action
- 2026-03-25: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-04-21T02:37:08Z
AI-Generated Summary
Purpose
The Consumer Data Privacy and Security Act of 2026 aims to protect U.S. consumers' privacy by establishing uniform federal rules for how companies collect, use, share, and secure personal data (information that identifies or links to a specific person, like names, emails, or device IDs).
Key Provisions
- Definitions: Defines key terms like personal data (excludes de-identified, employee, or public info), sensitive personal data (e.g., SSNs, biometrics, health info, precise location), covered entities (businesses under FTC rules, telecoms, nonprofits that decide data use), service providers (companies processing data for others), third parties (unaffiliated entities receiving data), and small businesses (under 500 employees, low revenue/data volume).
- Collection and Processing (Sec. 3): Companies need consumer consent (implicit via notice/non-response for non-sensitive; express affirmative for sensitive or third-party sharing) or a permissible purpose (e.g., fulfilling contracts, legal compliance, fraud prevention, internal ops). Limits retention of sensitive data; special bankruptcy notice rules.
- Right to Know (Sec. 4): Requires clear, public privacy policies detailing data practices, rights, retention, sharing; notice of material changes (significant policy shifts affecting data use).
- Individual Control (Sec. 5): Consumers get rights to access, correct, or delete data (twice/year free); small businesses exempt from access/correction. Verification required; exceptions for security/legal needs.
- Security (Sec. 6): Mandates risk-based data security programs tailored to company size/data sensitivity.
- Accountability (Sec. 7): Large entities (over 20M individuals' data or 1M sensitive) must appoint a privacy officer, conduct privacy impact assessments for sensitive data changes, and run comprehensive privacy programs.
- Service Providers (Sec. 8): Strict contracts; must assist with consumer requests, delete data post-service, notify of legal demands/changes.
- Enforcement (Sec. 9): FTC treats violations as unfair practices (civil penalties up to $42,530/person with knowledge, considering harm/intent); state AGs can sue (with notice); no private lawsuits.
- Preemption (Sec. 10): Overrides most state privacy laws but preserves breach notices, health/finance/employment laws, etc.; saves key federal laws (e.g., HIPAA, COPPA).
- Other: Boosts FTC resources (440+ staff); guidance/reports; international coordination; effective 1 year post-enactment (preemption immediate).
Significant Changes to Existing Law
- Creates first comprehensive federal privacy framework, preempting patchwork state laws (e.g., California's CCPA) for uniformity.
- Expands FTC jurisdiction to telecoms (common carriers) and nonprofits.
- Allows implicit consent (opt-out) for routine data use, unlike stricter opt-in in some state laws.
- Introduces small business exemptions and permissible purposes without consent, easing burdens vs. some state rules.
- No private right of action, limiting lawsuits compared to state laws allowing them.
Potential Impacts
- Citizens: Greater transparency/control over data (access/deletion rights), reduced unauthorized sharing; implicit consent may increase data collection.
- Government Agencies: FTC gains enforcement power/resources; state AGs get limited role; reduces state-level enforcement.
- Businesses: Compliance costs (policies, officers, security) hit large firms hardest; small businesses get relief; service providers face new contracts/duties.
- International Relations: Promotes cross-border data flows via Commerce Dept. coordination with foreign privacy regimes (e.g., EU GDPR).
Main Stakeholders
- Consumers: U.S. residents whose data is collected/processed.
- Covered Entities: Most businesses, telecoms, nonprofits handling personal data.
- Service Providers/Third Parties: Data processors/resellers (e.g., cloud services, advertisers).
- Small Businesses: Exemptions for access/correction rights.
- FTC and State AGs: Primary enforcers.
- Employees: Excluded from most rules (employment data carve-out).
Notable Legal, Constitutional, or Political Implications
- Legal: Strong preemption fosters national consistency/innovation but limits state experimentation; severability preserves rest of law if parts struck down; FTC rulemaking authority for definitions/purposes.
- Constitutional: No direct challenges noted; balances privacy rights with business free speech/commerce via permissible purposes/exemptions.
- Political: Promotes "competitive parity" for businesses; no private suits curbs litigation explosion; FTC empowerment may spark oversight debates; small business focus appeals bipartisanly.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Recent Actions
- 2026-03-25: Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2026-03-25: Introduced in Senate
Bill Versions
- Consumer Data Privacy and Security Act of 2026 — issued 2026-03-25 — PDF (71 pages)