Congress·In Committee·S. 3570

Senate Bill Would Require Online Companies to Protect, Not Exploit, Your Personal Data

Data Care Act of 2025

3 months ago·View on Congress.gov

Legislative Progress

Senate

House

President

Law

Key Points

Would require online companies that collect data about you to follow three basic rules: protect it, don’t use it against you, and don’t share it carelessly.
Sets a “duty of care” to reasonably secure your identifying data and to quickly tell you if your sensitive data is exposed in a breach.
Sets a “duty of loyalty” so a company can’t use your data in ways that benefit the company but harm you, including uses that could cause real physical or financial harm or feel shocking and offensive to most people.
Sets a “duty of confidentiality” limiting selling or sharing your identifying data, and requires contracts and regular checks when data is shared with other companies.
Gives the Federal Trade Commission and state attorneys general power to enforce the rules; companies can’t take away these rights in fine-print contracts, and most duties would start 180 days after the bill becomes law.

Data PrivacyConsumer ProtectionCybersecurityTechnology

Impact Analysis

Personal Impact

How this policy affects specific groups of people

Mixed Impacts(1)

Small Business Owner

Neutral

Positive Impacts(4)

Chronic Illness

Helps

Pregnant

Helps

Disability Benefits

Helps

Child Tax Credit

Helps

Milestones

2 milestones2 actions

Dec 18, 2025Senate

Read twice and referred to the Committee on Commerce, Science, and Transportation.

Dec 18, 2025

Introduced in Senate

What Happens Next

Projected impacts based on AI analysis

Soon after the bill becomes law

Online providers begin preparing for the new duties (security upgrades, vendor contract changes, audit plans).

You may see updated privacy terms, new security steps, and more notices about how your data is shared as companies get ready to comply.

After enactment, likely over months

FTC starts rulemaking and guidance, including possible expansion of breach notices beyond “sensitive data.”

Over time, you could get breach alerts for more types of data, not just the “sensitive” list in the bill, depending on what the FTC decides.

Within the first year after Section 3 starts applying

FTC and state attorneys general bring early enforcement cases to set expectations.

Early cases usually push companies to change practices faster; you may notice fewer “surprise” data uses and more careful handling of logins, location, and health-related data.

Related News

2 articles

The Hill·almost 3 years ago

Schatz, 15 senators reintroduce Data Care Act

Senator Brian Schatz led a group of senators in reintroducing legislation that would require websites and apps to protect user data. The bill establishes a 'duty of care' to secure data and a 'duty of loyalty' to prevent companies from using data in ways that cause financial or physical harm.

Politico·3 months ago

Senate Democrats push for 'duty of loyalty' in new privacy bill

The Data Care Act of 2025, reintroduced by Sen. Brian Schatz, centers on the concept of a 'duty of loyalty,' prohibiting companies from using personal data in ways that are 'unexpected and highly offensive' or cause material harm to the user.

CL=