Bill Summary
The **AI Accountability and Personal Data Protection Act** aims to establish a federal tort for the unauthorized appropriation and exploitation of individuals' data. This legislation requires that individuals must provide **express, prior consent** before their data can be used, collected, processed, or sold. It defines various terms related to data and artificial intelligence, such as "covered data," which includes personal information and data that can be linked to individuals.
Key provisions include:
1. **Liability**: Individuals can bring civil actions against entities that misuse their data without consent, with potential remedies including compensatory and punitive damages.
2. **Inapplicability of Arbitration Agreements**: The act invalidates predispute arbitration agreements related to claims under this law, ensuring individuals retain the right to pursue legal action in court.
3. **Disclosure Requirements**: Entities must provide clear and specific disclosures about any third parties that will access an individual’s data, and consent obtained through vague or general means is deemed invalid.
4. **State Law Relationship**: The act does not preempt existing state laws and serves as a minimum standard for data protection, allowing states to enforce stricter regulations.
Overall, the act emphasizes the importance of individual consent and transparency in data handling, particularly concerning emerging technologies like artificial intelligence.
Possible Impacts
The "AI Accountability and Personal Data Protection Act" has several implications for individuals regarding their personal data. Here are three examples of how this legislation could affect people:
1. **Enhanced Control Over Personal Data**: Individuals will have greater control over their personal data due to the requirement for express, prior consent before any appropriation, use, collection, processing, or sale of their data can occur. This means that companies and organizations must obtain clear and affirmative permission from individuals before using their data, giving individuals the power to choose what happens to their personal information.
2. **Legal Recourse for Data Misuse**: The legislation provides individuals with a private right of action, allowing them to sue for damages if their data is exploited without consent. This means that individuals can seek compensatory damages, punitive damages, and attorney's fees if their covered data is misused. This legal recourse empowers individuals to hold companies accountable and could deter businesses from engaging in unauthorized data practices.
3. **Transparency in Data Sharing**: The Act mandates that companies must disclose to individuals any third parties that will have access to their data when seeking consent. This requirement promotes transparency and ensures that individuals are fully aware of who is using their data, how it will be used, and for what purposes. As a result, individuals can make more informed decisions about whether to consent to data sharing and can better protect their privacy.
These aspects of the legislation aim to strengthen data privacy rights and enhance individuals' control over their personal information in the context of artificial intelligence and data exploitation.
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 2367 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 2367
To establish a Federal tort relating to the appropriation, use,
collection, processing, sale, or other exploitation of individuals'
data without express, prior consent.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 21, 2025
Mr. Hawley (for himself and Mr. Blumenthal) introduced the following
bill; which was read twice and referred to the Committee on the
Judiciary
_______________________________________________________________________
A BILL
To establish a Federal tort relating to the appropriation, use,
collection, processing, sale, or other exploitation of individuals'
data without express, prior consent.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``AI Accountability and Personal Data
Protection Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Appropriate, use, collect, process, sell, or otherwise
exploit.--The term ``appropriate, use, collect, process, sell,
or otherwise exploit'' includes--
(A) the training of a generative artificial
intelligence system that is sold, rented, licensed, or
otherwise used by the provider of the generative
artificial intelligence system; and
(B) the generation, by a generative artificial
intelligence system, of any covered data that pertains
to an individual, including content that imitates,
replicates, or is substantially derived from the
covered data of the individual.
(2) Artificial intelligence.--The term ``artificial
intelligence'' has the meaning given that term in section 5002
of the National Artificial Intelligence Initiative Act of 2020
(15 U.S.C. 9401).
(3) Artificial intelligence system.--The term ``artificial
intelligence system'' means any data system, software,
hardware, application, tool, or utility that operates, in whole
or in part, using artificial intelligence.
(4) Covered data.--The term ``covered data''--
(A) means any information, data, or material,
regardless of form or format, that--
(i) identifies, relates to, describes, is
capable of being associated with, or can
reasonably be linked, directly or indirectly,
with a specific individual;
(ii) is derived, inferred, or generated
from information described in clause (i), or is
used to derive, infer, or generate information
described in clause (i); or
(iii) is generated by an individual and is
protected by copyright, regardless of whether
the copyright has been registered with the
United States Copyright Office or any other
registration authority; and
(B) includes--
(i) personally identifiable information;
(ii) unique identifiers, such as device
IDs, advertising IDs, or IP addresses;
(iii) geolocation data;
(iv) biometric information;
(v) behavioral data, such as browsing
history or purchasing patterns; or
(vi) inferred, derived, or predicted data
used to create a profile about an individual or
group of individuals.
(5) Express, prior consent.--The term ``express, prior
consent'' means a clear, affirmative act by an individual, made
in advance of any appropriation, use, collection, processing,
sale, or other exploitation of covered data, indicating a
freely given, informed, and unambiguous consent to the specific
appropriation, use, collection, processing, sale, or other
exploitation of covered data of the individual.
(6) Generative artificial intelligence system.--The term
``generative artificial intelligence system'' means an
artificial intelligence system that is capable of generating
novel text, video, images, audio, and other media based on
prompts or other forms of data provided by an individual.
(7) Personally identifiable information.--The term
``personally identifiable information'' means information that
can be used to distinguish or trace the identity of an
individual, either alone or when combined with other personal
or identifying information that is linked or linkable to a
specific individual.
(8) Predispute arbitration agreement.--The term
``predispute arbitration agreement'' means an agreement to
arbitrate a dispute that has not yet arisen at the time of the
making of the agreement.
(9) Predispute joint-action waiver.--The term ``predispute
joint-action waiver'' means an agreement, whether or not part
of a predispute arbitration agreement, that would prohibit, or
waive the right of, one of the parties to the agreement to
participate in a joint, class, or collective action in a
judicial, arbitral, administrative, or other forum, concerning
a dispute that has not yet arisen at the time of the making of
the agreement.
SEC. 3. FEDERAL TORT FOR MISUSE OF COVERED DATA.
(a) Liability.--Any person who, in or affecting interstate or
foreign commerce, appropriates, uses, collects, processes, sells, or
otherwise exploits the covered data of an individual, without the
express, prior consent of the individual, shall be liable to the
individual in accordance with this section.
(b) Private Right of Action.--
(1) In general.--Any individual whose covered data is
appropriated, used, collected, processed, sold, or otherwise
exploited without the express, prior consent of the individual
as described in subsection (a) may bring a civil action in an
appropriate district court of the United States or a State
court of competent jurisdiction against any person who--
(A) engaged in the appropriation, use, collection,
processing, sale, or other exploitation of the covered
data; or
(B) aided and abetted another person in the
appropriation, use, collection, processing, sale, or
other exploitation of the covered data.
(2) Remedies.--An individual prevailing in a civil action
brought under paragraph (1) may recover--
(A) compensatory damages in an amount equal to the
greater of--
(i) actual damages;
(ii) treble any profits from the
appropriation, use, collection, processing,
sale, or other exploitation of the covered data
of the individual as described in subsection
(a); or
(iii) $1,000;
(B) punitive damages;
(C) injunctive relief; and
(D) attorney's fees and costs.
(3) Affirmative defense of consent.--
(A) In general.--It shall be an affirmative defense
to a civil action under paragraph (1) brought by or on
behalf of an individual whose covered data was
appropriated, used, collected, processed, sold, or
otherwise exploited if the defendant demonstrates that
the individual provided express, prior consent for such
appropriation, use, collection, processing, sale, or
other exploitation of the covered data of the
individual.
(B) Invalid grounds for consent.--Consent to the
appropriation, use, collection, processing, sale, or
other exploitation of covered data shall not be deemed
valid if such consent was obtained--
(i) through coercion or deception; or
(ii) as a condition of using a product or
service through which the appropriation, use,
collection, processing, sale, or other
exploitation of the covered data exceeds what
is reasonably necessary to provide that product
or service.
(c) Inapplicability of the Federal Arbitration Act.--
(1) In general.--Notwithstanding any other provision of
law, including chapter 1 of title 9, United States Code
(commonly known as the ``Federal Arbitration Act''), a
predispute arbitration agreement or predispute joint-action
waiver shall not be valid or enforceable with respect to any
claim arising under this Act.
(2) Unenforceable agreements.--Any agreement purporting to
waive, limit, or preclude the right of an individual to bring
an action in a court of law or to participate in a joint,
class, collective, or representative action concerning any
claim arising under this Act shall be deemed contrary to public
policy and shall be null, void, and unenforceable.
(3) Determination under federal law by federal court.--An
issue as to whether this Act applies with respect to a dispute
shall be determined under Federal law. The applicability of
this Act to an agreement to arbitrate and the validity and
enforceability of an agreement to which this Act applies shall
be determined by a court, rather than an arbitrator,
irrespective of whether the party resisting arbitration
challenges the arbitration agreement specifically or in
conjunction with other terms of the contract containing such
agreement, and irrespective of whether the agreement purports
to delegate such determinations to an arbitrator.
(4) Collective bargaining agreements.--Nothing in this Act
shall apply to any arbitration provision in a contract between
an employer and a labor organization or between labor
organizations, except that no such arbitration provision shall
have the effect of waiving the right of a worker to seek
judicial enforcement of a right arising under a provision of
the Constitution of the United States, a State constitution, or
a Federal or State statute, or public policy arising therefrom.
(d) Specific Disclosure of Third Parties Required.--
(1) In general.--Consent required under subsection (a)
shall not be valid for the appropriation, use, collection,
processing, sale, or other exploitation of covered data by or
to any third party unless--
(A) each third party is specifically and clearly
disclosed to the individual to whom the covered data
pertains at the time consent is sought; and
(B) the disclosure described in subparagraph (A) is
affirmatively presented to the individual to whom the
covered data pertains in a manner that ensures the
disclosure is seen and acknowledged.
(2) Presentation.--Any disclosure described in paragraph
(1)--
(A) shall be presented distinctly and separately
from any privacy policy, terms of service, or other
general conditions or agreements; and
(B) shall not be satisfied by the mere inclusion of
a hyperlink or general reference to a privacy policy,
user agreement, or other similar document.
(3) Invalid consent.--Any purported consent for the
appropriation, use, collection, processing, sale, or other
exploitation of covered data by or to any third party obtained
solely by inclusion within such general documents described in
paragraph (2) or via non-specific or passive disclosure shall
be invalid and unenforceable.
SEC. 4. RELATIONSHIP TO EXISTING LAW.
(a) No Preemption of Existing State Laws.--Nothing in this Act
shall be construed to preempt or limit any law, rule, regulation, or
common law doctrine of any State that is in effect as of the date of
enactment of this Act.
(b) Minimum Standard.--This Act shall be construed as establishing
a minimum standard for the tort described in section 3(a), and nothing
in this Act shall be deemed to prohibit or restrict the application of
any State law, rule, regulation, or common law doctrine that provides
greater or additional rights, remedies, or protections than the rights,
remedies, and protections provided under this Act.
<all>