Skip to content
Govbase
Govbase
Congress·In Committee·S. 2367

Hawley and Blumenthal Push Bill to Let Americans Sue AI Companies for Using Data Without Consent

AI Accountability and Personal Data Protection Act

8 months ago·View on Congress.gov

Legislative Progress

Senate
House
President
Law

Key Points

  • This bill creates a new federal legal right for individuals to sue any company that collects, uses, sells, or otherwise exploits their personal data without getting clear, upfront permission first. It covers a very broad range of data, from names and locations to browsing history and biometric information.

    From policy text

    Any person who, in or affecting interstate or foreign commerce, appropriates, uses, collects, processes, sells, or otherwise exploits the covered data of an individual, without the express, prior consent of the individual, shall be liable to the individual in accordance with this section.
    View in full text
  • AI companies are specifically targeted: training a generative AI model on someone's data or generating content that imitates a person's identity would count as exploitation requiring consent. This is one of the first federal proposals to directly regulate how AI companies use personal data for training.

    From policy text

    the training of a generative artificial intelligence system that is sold, rented, licensed, or otherwise used by the provider of the generative artificial intelligence system; and (B) the generation, by a generative artificial intelligence system, of any covered data that pertains to an individual, including content that imitates, replicates, or is substantially derived from the covered data of the individual.
    View in full text
  • If you win a lawsuit under this bill, you'd receive at least $1,000 in damages—or up to triple the profits a company earned from misusing your data, whichever is greater. Punitive damages, injunctive relief, and attorney's fees are also available.

    From policy text

    compensatory damages in an amount equal to the greater of-- (i) actual damages; (ii) treble any profits from the appropriation, use, collection, processing, sale, or other exploitation of the covered data of the individual as described in subsection (a); or (iii) $1,000
    View in full text
  • Companies can no longer bury data-sharing permissions in long privacy policies or terms of service. They must separately and clearly disclose every third party that will receive your data and get your direct acknowledgment—a simple hyperlink to a privacy policy won't count.

    From policy text

    shall be presented distinctly and separately from any privacy policy, terms of service, or other general conditions or agreements; and (B) shall not be satisfied by the mere inclusion of a hyperlink or general reference to a privacy policy, user agreement, or other similar document.
    View in full text
  • The bill bans forced arbitration and class-action waivers for any disputes arising under this law. That means companies can't force you into private arbitration when you sue over data misuse—you keep your right to go to court and join a class-action lawsuit.

    From policy text

    a predispute arbitration agreement or predispute joint-action waiver shall not be valid or enforceable with respect to any claim arising under this Act.
    View in full text
  • Existing state privacy laws are fully preserved. The bill sets a nationwide floor for data protection but explicitly allows states to maintain or pass stronger protections of their own.

    From policy text

    Nothing in this Act shall be construed to preempt or limit any law, rule, regulation, or common law doctrine of any State that is in effect as of the date of enactment of this Act.
    View in full text
Technology DigitalCivil RightsCriminal Justice

Impact Analysis

Personal Impact

Scores: 1 = low, 5 = highSentiment: -5 to +5 (net benefit)

Milestones

2 milestones2 actions
Jul 21, 2025Senate

Read twice and referred to the Committee on the Judiciary.

Jul 21, 2025

Introduced in Senate

What Happens Next

Projected impacts based on AI analysis

Upon enactment, if the bill passes

If enacted, the new federal right to sue over data misuse takes effect immediately

Anyone whose personal data is collected, sold, or used without clear consent—including by AI companies—could file a lawsuit in federal or state court the day the law is signed.

Within months of enactment

Companies must overhaul consent and disclosure practices

Every company that collects personal data would need to create new, separate consent forms that clearly name each third party receiving your data. Burying permissions in privacy policies would no longer be legal. Expect websites and apps to start showing explicit data-sharing pop-ups.

Source Information

Document Type

Congressional Bill

Official Title

AI Accountability and Personal Data Protection Act

Bill NumberS 2367
Congress119th Congress
ChamberSenate
Latest ActionRead twice and referred to the Committee on the Judiciary.

Sponsor

Cosponsors

(2)
D: 2

Analysis generated by AI. Always verify with official sources.