Online Privacy Act of 2026
Sponsored By: Representative Lofgren
Introduced
Summary
Creates the Digital Privacy Agency and a broad federal privacy law that gives people clear rights over their personal data and limits how companies collect, process, and share information.
Bill Overview
Analyzed Economic Effects
10 provisions identified: 4 benefits, 0 costs, 6 mixed.
Stronger limits on data sharing for consumers
If enacted, companies would generally need your clear consent before sharing or selling your personal data to third parties. The bill would require express, specific consent for behavioral personalization and would force companies to renew that consent at least once every calendar year. If you refuse personalization, companies must offer a non-personalized option unless it is infeasible or needed for a product's core function. The bill would also make contract clauses that waive these rights void and bar predispute arbitration for claims under the law. Government agencies would also have to require buyers of public records to agree not to sell that data without the individual's express consent.
Limits on data use and targeting
If enacted, the bill would require companies to collect only the minimum personal data needed, substitute de‑identified or artificial data where feasible, and keep tighter logs and access controls. It would ban deceptive consent designs that hide choices and would bar re‑identifying de‑identified datasets except for approved non‑commercial research. The bill would also prohibit data‑driven discrimination in hiring, housing, credit, health care, education, and public accommodations and require the agency to issue disparate‑impact rules within set deadlines. The law would also set rules for retention durations and limits on use of message contents.
Stronger encryption and anti-doxxing rules
If enacted, the bill would stop companies from forcing you to decrypt your messages or otherwise give them the means to read encrypted content. It would create a federal crime for knowingly sharing someone's personal information to threaten, harass, or facilitate violence, punishable by fines or up to 5 years in prison. The privacy agency would be able to refer credible doxxing complaints to the Justice Department and assist law enforcement. The bill would also shield service providers from liability under the contents-of-communications rules when they act at the direction of, and reasonably rely on, a covered entity's lawful instructions.
Stronger privacy rights and notices
If enacted, the bill would give people new rights to access summaries of their data, correct inaccurate data, delete personal information and private communications, and revoke consent. The Director would require large platforms in listed categories to offer a portability API so you can move your data to another covered service. Covered companies would have to publish clear privacy policies and generally answer privacy requests within 30 days without a fee; they must also notify you within 30 days if they collect your contact information and you had no prior relationship. The law would allow private damages suits and let qualified nonprofits represent individuals, but some statutory exemptions and procedural limits could narrow rights in certain cases.
Enforcement, penalties, and state suits
If enacted, the bill would let the agency or courts order refunds, restitution, disgorgement, and civil money penalties for violations. Penalties for each violation would be capped at the inflation‑adjusted FTC maximum multiplied by the number of people affected, and each day of ongoing noncompliance would count as a separate violation. States could sue on behalf of residents but must notify the DPA first, and most private suits must be filed within three years of discovering the violation. These changes raise potential liability for companies and expand remedies for harmed consumers.
New Digital Privacy Agency and Powers
If enacted, the bill would create a new independent Digital Privacy Agency (DPA) led by a Senate‑confirmed Director with a six‑year term. The DPA would get rulemaking, adjudication, investigative and subpoena powers, and a centralized complaints portal. The bill would authorize about $550 million a year for each fiscal year 2026–2030 to run the agency and would move relevant FTC privacy staff and authorities into the DPA. The DPA would also have temporary cease‑and‑desist tools, must refer possible crimes to the Attorney General, and could share penalty proceeds with whistleblowers.
New rules for international data transfers
If enacted, companies would generally be barred from sending personal data to entities not subject to U.S. law unless the recipient follows the Act or the agency approves a safe-harbor agreement. The Digital Privacy Agency would be required to make transfer agreements with foreign covered entities that accept U.S. venue, comply with DPA investigations and court orders, and provide contractual and solvency protections; the DPA could end those agreements on default. The bill also says it would not require companies to keep data only in the U.S. and would allow internal affiliate sharing across countries. In addition, the bill would bar using interstate commerce to process or share personal data unless the entity complies with the Act, and failure to report known violations can be treated as separate daily violations.
Security rules and cross-border transfers
If enacted, the bill would require covered entities to run a written information security program with training, vulnerability monitoring, secure disposal, and a breach response plan. Companies would generally have to notify the agency within 72 hours of a breach and notify affected people within 14 days if harms are likely. Cross‑border personal data transfers would be limited unless strict safe‑harbor agreements or contracts and audits are in place. The bill directs NIST to publish a voluntary privacy risk framework and authorizes about $3 million a year for NIST privacy education from 2026–2030.
Small business definition and transition
If enacted, the bill would define a "small business" test for privacy rules. To qualify, a business must not sell personal data, must earn less than half its revenue from targeted ads, must have fewer than 200 employees, must hold data on fewer than 250,000 people for most of the past year, and must have made under $25 million in the prior 12 months. A business that loses small-business status would get nine months to comply with rules it was previously exempt from. The Director would publish approved notice and consent processes, and small businesses that adopt similar processes would get a presumption of compliance.
Grants for privacy research
If enacted, the National Science Foundation would make competitive grants to colleges, non-profits, and consortia for multidisciplinary privacy research. Funded topics would include privacy governance, privacy-by-design, privacy in automated decision-making, and public understanding of privacy. The program would be set up in consultation with the Digital Privacy Agency and would begin upon enactment.
Sponsors & CoSponsors
Sponsor
Lofgren
CA • D
Cosponsors
There are no cosponsors for this bill.
Roll Call Votes
No roll call votes available for this bill.