HR8014 | 119th Congress | WALLET

Online Privacy Act of 2026

Sponsored By: Representative Lofgren

Introduced

Summary

This bill would create a new federal privacy regulator and a comprehensive privacy law that gives people new control over their data and limits how companies collect, use, and share personal information. It focuses on individual rights, strict limits on behavioral personalization, data minimization, and a federal enforcement system headed by a Digital Privacy Agency.

Bill Overview

Analyzed Economic Effects

17 provisions identified: 15 benefits, 0 costs, 2 mixed.

New consent, sharing, and ad limits

If enacted, companies would need consent before disclosing personal information to third parties and must name the buyer before any sale of data. Behavioral personalization that aims to change your behavior would be banned unless you give express consent that must be renewed annually. The bill would limit advertising disclosures so data can’t be linked across disclosures, ban dark-pattern designs that hide consent choices, and bar interstate data transfers unless the sender complies with the Act. Some narrow exceptions apply for de‑identified or privacy‑preserving uses and for journalism.

Stronger limits on your private messages

If enacted, the bill would ban companies from collecting, processing, keeping, or sharing the contents of your private communications except for a short list of allowed reasons. Allowed reasons include delivering the message to intended recipients, stopping security threats, helping draft content, processing you asked for (which you can stop), legal disclosures, limited ad filtering, and abuse or terms-of-service enforcement. The bill would protect encryption and prevent interference with it. Service providers acting under the direction of a covered entity would get a narrow safe harbor if the covered entity appears to comply.

Small business privacy definition and relief

If enacted, the bill would define which covered entities qualify as small businesses using five tests: no revenue from selling personal data; less than 50% of revenue from targeted ads; kept data for fewer than 250,000 people for most months; under 200 employees; and less than $25,000,000 in annual revenue. Qualifying small businesses would get narrower obligations and a nine-month ramp if they lose status. The Director would create approved notice/consent testing processes that small businesses could freely use.

Ban on discriminatory automated decisions

If enacted, the bill would forbid companies from processing personal data or message contents in ways that discriminate against protected classes for jobs, credit, housing, insurance, education, and related commercial opportunities. The Director would need to issue initial disparate-impact rules within six months and full implementing regulations within one year.

Data security, breach rules, and limits

If enacted, covered entities would need reasonable written security programs, vulnerability assessments, access oversight, and breach response plans. Breaches that may harm people must be reported to the Digital Privacy Agency (DPA), and typically a covered entity must notify the DPA within 72 hours and affected individuals within 14 days when harms are likely. Employers and contractors (except some small businesses) would have to log access to sensitive personal data. Companies must also post clear privacy policies before collecting data, with some small‑business exceptions.

Easier identity checks and limits on government data sales

If enacted, companies could not deny a Title I privacy request just because you refuse to provide extra identifying information when they can confirm your identity from data they already have or from a prior similar confirmation. Separately, a government entity could not disclose personal information across state lines for sale unless the buyer agrees not to sell it without your express consent. Transfers between government agencies would still be allowed.

New private lawsuit and whistleblower pay

If enacted, individuals harmed by violations could sue for injunctions and damages starting one year after enactment. Qualified nonprofits could bring claims for people and split damages evenly with those they represent; nonprofits may get fees for expenses. People who provide nonpublic evidence to the DPA may get a share of civil penalties: 15% if the Director sues within 90 days, or 25%–50% if the whistleblower brings the suit and wins. Predispute arbitration clauses and private waivers of these rights would be invalid.

Stronger individual data rights and timelines

If enacted, you would be able to access categories of data held about you and who got it, and you could get copies of communication contents. You would be able to ask for deletion and to dispute and correct inaccurate data in cases that may cause serious privacy harms. If a decision about you is made solely by automated processing that can cause serious harm, you would be able to request a human review. Covered entities would generally have 30 days to answer requests and could not charge for standard requests.

You choose how long data is kept

If enacted, companies would need your express consent to keep your personal information and could not keep it longer than the duration you agreed. When asking for consent they must offer options like keeping data only to finish the transaction, keeping it until you revoke consent, or other set durations. Companies could keep data longer only when long-term retention is an obvious, core feature of the product or service.

Bill preserves existing privacy laws

If enacted, the bill would say it does not modify, limit, or supersede a long list of named federal privacy and security laws. It would also allow stronger state or local privacy or consumer-protection laws to continue to apply when they give consumers greater protection. The rule specifying non-preemption would take effect one year after enactment.

Federal crime for malicious doxxing

If enacted, it would be a federal crime to knowingly disclose someone's personal information across state or national lines with the intent to threaten, intimidate, harass, incite or facilitate violence, or to place them in reasonable fear of death or serious injury. A person who knowingly makes such a disclosure knowing it will be used for those purposes could face fines and up to five years in prison.

Ban on re-identifying anonymized data

If enacted, the bill would bar companies from using personal data to re-identify individuals from de-identified datasets. Companies that disclose de-identified data would have to contractually prohibit third parties from re-identifying people. The Director could allow narrow noncommercial research exceptions for approved researchers. The bill also limits some compliance duties when the discloser does not hold the re-identification keys.

New federal privacy agency and funding

If enacted, the bill would create a new Digital Privacy Agency (DPA) led by a Presidential appointee serving a six-year term. Congress would be asked to fund the DPA with $550 million per year for fiscal years 2026 through 2030. The DPA would take over Federal privacy rulemaking previously handled by the FTC, set up advisory boards, and run a national complaint intake unit with a toll-free number and public complaint database. The agency would get flexible hiring and pay rules and must include an Office of Civil Rights to oversee nondiscrimination in data uses.

New privacy research and standards

If enacted, the bill would direct NIST to create a voluntary privacy risk-management framework with standards and best practices. The NSF would get authority to fund competitive multidisciplinary privacy research. The bill would also authorize $3 million per year (2026–2030) for privacy education, awareness, and usability work to help individuals and small organizations.

Tighter rules on sending data abroad

If enacted, the bill would bar companies from intentionally sending personal data to entities not under U.S. jurisdiction or not complying with the Act. A narrow exception would allow simple identifiers used only to route electronic messages. Companies could still transfer data under strict safe harbors if the recipient signs required contracts, allows audits, proves solvency, and files terms with the Digital Privacy Agency. Disclosing entities can be liable for a recipient's violations unless they promptly notify the Agency.

Behavioral personalization requires consent

If enacted, companies would need your clear, affirmative consent before using your personal data to personalize behavior or target you. That consent would have to be renewed at least once every calendar year. If you refuse, companies must provide a non-personalized version of a product or service unless that is infeasible. Small businesses would be excluded from this rule.

Stronger enforcement, penalties, and coordination

If enacted, the DPA would get civil investigative powers, administrative hearings, and authority to seek injunctions and civil penalties. Civil fines could be calculated using the FTC Act maximum (adjusted for inflation) multiplied by the number of people affected, with each continuing day treated as a separate violation. States could sue on behalf of residents after notifying the DPA, and the DPA may issue emergency temporary cease-and-desist orders and refer criminal matters to the Justice Department. The bill also creates cross-border liability rules and lets the DPA make enforceable agreements with foreign entities.

Sponsors & CoSponsors

Sponsor

Lofgren

CA • D

Cosponsors

There are no cosponsors for this bill.

Roll Call Votes

No roll call votes available for this bill.
