Establishes national data privacy standards for covered entities. Requires clear privacy notices. Mandates FTC regulations within one year. Imposes data minimization requirements. Empowers individuals with data rights. Mandates privacy officers for large entities. Grants FTC and state enforcement authority. Allocates FTC resources.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal statute with mandatory obligations, enforcement mechanisms including civil penalties up to $40,000 per affected individual, and enforcement authority granted to both the FTC and state attorneys general.
The document primarily addresses privacy and security risks (2.1, 2.2), with strong coverage of discrimination risks (1.1, 1.3) and governance mechanisms (6.5). It has minimal coverage of misinformation risks (3.1) and human-computer interaction risks (5.1, 5.2). The document does not address AI-specific safety failures, malicious actor risks, or socioeconomic impacts beyond privacy.
This is a cross-sectoral data privacy law that applies to any entity collecting, processing, storing, or disclosing covered data relating to 50,000 or more individuals annually. The law explicitly mentions common carriers (telecommunications), financial services (Gramm-Leach-Bliley Act), and healthcare (HIPAA), but applies broadly across all economic sectors that handle personal data.
The document does not explicitly reference AI lifecycle stages but establishes data governance requirements that would apply across the entire lifecycle of data processing systems. The requirements for data minimization, security practices, and ongoing monitoring suggest implicit coverage of deployment and operational stages.
The document does not explicitly mention AI models, AI systems, or any specific AI categories. It is a general data privacy law that applies to any entity collecting, processing, storing, or disclosing covered data, regardless of whether AI technologies are involved. The scope is defined by data processing activities rather than AI-specific technologies.
United States Congress; Senator Catherine Cortez Masto; Senate Committee on Commerce, Science, and Transportation
The bill was introduced in the United States Senate by Senator Cortez Masto and referred to the Committee on Commerce, Science, and Transportation, indicating Congress as the proposing authority.
Federal Trade Commission (FTC); State Attorneys General; other authorized state officials
The Act grants enforcement authority to the Federal Trade Commission and state attorneys general, with the FTC having primary federal enforcement responsibility and states able to bring parens patriae actions on behalf of residents.
Federal Trade Commission; privacy protection officers (designated by covered entities); National Science Foundation; National Institute of Standards and Technology; Office of Science and Technology Policy
The Act requires covered entities to designate privacy protection officers who conduct audits and maintain compliance records. The FTC has oversight authority, and various federal agencies coordinate on privacy-enhancing technology research and standards development.
Covered entities (entities that collect, process, store, or disclose covered data relating to 50,000 or more individuals annually); third party service providers; common carriers subject to the Communications Act of 1934
The Act applies to 'covered entities' defined as any entity that collects, processes, stores, or discloses covered data relating to 50,000 or more individuals during any 12-month period. This includes technology companies, data processors, and service providers handling personal data.
9 subdomains (4 Good, 5 Minimal)