YODA
Sponsored By: Representative Cloud, Michael [R-TX-27]
Introduced
Summary
User data ownership and consent are the core aims of this bill, which would give people stronger rights over their personal information and prevent companies from sharing or monetizing it without permission. It would also require clearer notices and create enforcement and private remedies.
- People would get the right to access, correct, delete, and port their covered data, and covered entities would have to respond to verified requests within 90 days. These rights must be provided free at least twice per 12-month period.
- Browsing history and biometric data must be deleted within 60 days of collection. For users under 18, companies could not collect, retain, or transfer such data to third parties without affirmative parental or guardian consent.
- Firms would face limits on monetizing and sharing personal information, would have to offer prominent opt-out controls, and would have to stop using tracking cookies without authorization. The Federal Trade Commission would enforce the rules, and individuals could sue large companies with at least $50 million in global annual revenue, with damages of $100 to $750 per violation.
Bill Overview
Analyzed Economic Effects
7 provisions identified: 7 benefits, 0 costs, 0 mixed.
More control over your data
If enacted, you would be able to request access to, correction of, deletion of, or portable copies of your covered data. Covered companies would have to respond within 90 days. You could use these rights at least twice in any 12-month period and for free. Browsing history and biometric data would have to be deleted within 60 days. Companies would have two years to give users direct-delete tools. Companies could not charge you more or give you worse service because you used these rights.
Faster breach notices and fixes
If enacted, covered companies would have to notify each affected user quickly when a data breach affects their information. Companies would have to offer remedies like credit protection services, a fraud alert, and credit monitoring through credit bureaus.
Limits on tracking and sales
If enacted, commercial data operators would be barred from using tracking cookies unless you authorize them, and sites and apps would show a clear opt-out icon. Companies would have to provide equivalent services to users who opt out. Companies would only collect, share, or keep data when it is reasonably necessary to provide a service or prevent fraud, and they could not justify monetizing personal data as 'reasonably necessary.' Covered companies would also have to post short privacy notices of 1,000 words or less. If you allow your data to be sold, the company would give you an annual report listing who got your data and why.
Right to sue big data firms
If enacted, you could sue a covered company with $50 million or more in global annual revenue for violating the bill. If you prevail, a court could award $100 to $750 per violation, plus reasonable attorney fees and other relief.
FTC and state enforcement powers
If enacted, the FTC could enforce violations of this bill as unfair or deceptive acts and use its normal powers and penalties. State attorneys general could also sue to stop violations, but they generally must notify the FTC and may be limited while the FTC's case is pending.
Which companies and data are covered
If enacted, the bill would define which companies and kinds of data it covers. A "commercial data operator" would be one that earns material revenue from user data and has over 100,000,000 unique monthly U.S. users. A "large online operator" would have over 100,000,000 authenticated users in any 30-day period. The bill would list covered data types such as location, phone and email, Social Security and other government IDs, browsing and app histories, call detail records, and biometric data.
Protections for kids and contacts
If enacted, companies generally could not collect, retain, or transfer covered data about users under 18 without affirmative parental or guardian consent, where technically feasible. Companies also could not ask you to share your contacts or information about them unless both you and each contact give written consent.
Sponsors & CoSponsors
Sponsor
Cloud, Michael [R-TX-27]
TX • R
Cosponsors
There are no cosponsors for this bill.
Roll Call Votes
No roll call votes available for this bill.