House bill sets up new clash over federal privacy rules

Latest federal privacy proposal would give individuals broad rights over their personal data while preserving stronger state protections

U.S. Rep. Zoe Lofgren has introduced a comprehensive 151-page federal privacy bill, the Online Privacy Act, as Congress remains deadlocked over whether the United States should finally adopt a national baseline for data privacy and, if so, how far that law should go in constraining corporate surveillance.

Lofgren announced the bill last Thursday, saying it is intended to set nationwide rules for how personal data is collected, used, and shared, while shifting control back to individuals through enforceable privacy rights and a new federal enforcement body.

The bill text shows a sweeping framework that covers individual rights, corporate data duties, data security, breach notification, enforcement, and the creation of a standalone Digital Privacy Agency.

The structure alone makes clear that Lofgren is not offering a narrow data broker or children’s privacy bill, but another attempt at an all-in federal privacy regime.

“Privacy is a fundamental right, but for too long, Congress has failed to set clear nationwide rules to protect Americans’ personal data,” Lofgren said in a statement. “The Online Privacy Act gives Americans the power to view, correct, and delete their information. This legislation shifts power back to the people and ensures federal law finally catches up to the realities of the 21st century.”

Amanda Beckham, government relations director at Free Press Action, said “it’s unbelievable that in 2026, after years of understanding the harms that come from rampant data collection, we still don’t have a comprehensive federal data privacy standard.”

“Private companies collect an enormous amount of our personal data. Websites, apps, and devices we wear or carry collect information about where we work, the places we visit, our browsing history, political opinions, medical and biometric data, and more,” Beckham added. “When aggregated, all of this data represents the power to influence, manipulate, and discriminate.”

At the center of the bill is a set of consumer rights broader than those found in many state laws. The measure includes rights of access, correction, deletion, portability, human review of certain automated decisions, the right to be informed, and what the bill calls a right to “impermanence.”

That provision would bar a covered entity from maintaining personal information longer than the individual expressly consented to, an unusually aggressive retention-limit concept in a federal privacy proposal.

The deletion section is also notable because it expressly reaches data a company obtained from third parties, not just information collected directly from the person seeking deletion.

Lofgren’s office is pitching the bill in similarly expansive terms. The legislation would give users the right to access, correct, delete and transfer data about themselves, choose how long their data may be kept, and request human review of impactful automated decisions.

It also emphasizes restrictions on invasive uses of private communications, a criminal prohibition on doxxing, and the creation of a Digital Privacy Agency empowered to issue regulations and impose fines.

The bill’s substantive obligations on companies are built around data minimization rather than the more familiar notice-and-choice model that has long dominated U.S. privacy compliance.

The bill would prohibit a covered entity from collecting more personal information than is reasonably needed to provide a product or service requested by a user, and from processing that information for a different purpose, absent specified conditions.

The legislation would also require companies to restrict employee and contractor access to personal information and communication contents, provisions that align with Lofgren’s stated effort to force companies to justify what they collect and hold, rather than simply bury broad permissions in privacy policies.

The measure also takes aim at the monetization and secondary use of communications data. A covered entity would be barred from collecting, processing, maintaining or disclosing the contents of communications except for limited purposes such as transmitting or displaying the communication to an intended recipient or original sender.

Lofgren’s office framed that provision as a ban on using private communications like emails or web traffic for advertising or other invasive purposes.

Another significant feature of the bill is its treatment of automated decision-making. It would require a covered entity to inform an individual what personal information is being or may be used in a decision made solely through automated processing when that processing materially increases reasonably foreseeable significant privacy harms.

It would also require a reasonable mechanism for the person to request human review. The provision reflects growing concern that AI and algorithmic systems are being used not merely to recommend content or target ads, but to make decisions with meaningful consequences for people’s opportunities and treatment.

The bill also tries to address manipulation in consent design. It includes a section prohibiting “dark patterns” in notice and consent processes and privacy policies, barring companies from intentionally impairing, obscuring or subverting an individual’s ability to understand the notice, understand the consent process, decide whether to grant or withdraw consent, or act on that decision.

It further requires notice to be concise and clear, and in many cases requires express consent. That combination suggests Lofgren is trying to move beyond the longstanding criticism that privacy law too often assumes consumers can meaningfully protect themselves by clicking through opaque disclosures.

On enforcement, the Online Privacy Act would go much further than industry-backed frameworks that rely mainly on agency oversight. The bill establishes a Digital Privacy Agency and gives individuals a private right of action.

Under the bill, an aggrieved person would be able to bring a civil action for declaratory or injunctive relief and could sue for damages, with additional provisions allowing nonprofit collective representation.

State attorneys general and state privacy regulators would also retain enforcement authority, subject to limits where the new federal agency has already filed the same case.

That enforcement design is important because it cuts against one of the most contentious fault lines in current federal privacy debates.

Rather than broadly sweeping aside state laws, the bill’s state-law section says the act does not annul, alter, affect or exempt compliance with state privacy or consumer protection laws except to the extent they are inconsistent, and even then only to the extent of the inconsistency.

The bill adds that a state law is not inconsistent if it affords consumers greater protection. In other words, Lofgren’s bill appears to set a federal floor, not a ceiling.

At a moment when some lawmakers are openly pushing national AI and privacy frameworks that would displace state experimentation, that is a major policy choice.

The proposal would take effect one year after enactment, though the bill allows the new agency to begin taking steps required before that effective date.

This timeline underscores the practical reality that this is as much an institutional redesign bill as a consumer rights bill. It would not simply add another layer to Federal Trade Commission oversight. It would create a dedicated federal privacy regulator and transfer significant authority into that structure.

Whether the measure has a realistic path in this Congress is a separate question, and is a reminder that the unresolved question is not whether there should be a federal rulebook, but whose interests that rulebook is meant to protect.
