The TELL Act requires any person who maintains an internet website or sells or distributes a mobile application that stores or maintains information collected from that website or app in the People’s Republic of China to disclose that fact to any individual who downloads or uses the site or app. The disclosure must be clear and conspicuous and must also state whether the Chinese Communist Party or a Chinese state-owned entity has access to the stored information.
The bill makes knowingly false disclosures unlawful.
Enforcement is assigned to the Federal Trade Commission: violations are treated as unfair or deceptive acts or practices under the FTC Act and the FTC gains the same investigatory and remedial powers (including penalties) it already has. Practically, the bill forces operators, app distributors, and platforms to audit data flows, decide how to present binary access information about Chinese state actors, and manage new compliance risk across international supply chains.
At a Glance
What It Does
The bill requires clear, conspicuous user-facing disclosure when website- or app-collected information is stored or maintained in the People’s Republic of China and requires disclosure of whether the Chinese Communist Party or a Chinese state-owned entity has access to that information. It makes knowingly false disclosure unlawful.
Who It Affects
Any person that maintains an internet website or sells or distributes a mobile application that stores user information in the PRC—this includes app publishers, platform operators, app stores, web hosts, and third-party service providers who control or arrange for storage. It reaches both domestic and foreign entities offering services to users.
Why It Matters
The bill creates a targeted transparency obligation tied to a specific geopolitical jurisdiction (China) and links compliance to FTC enforcement tools, not private lawsuits. That combination elevates disclosure as a compliance priority for privacy teams, product managers, and platform operators handling cross-border data flows.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
At its core the TELL Act is simple: if your website or mobile app collects information from users and that information is stored or maintained in the People’s Republic of China, you must tell those users in a clear and conspicuous way. The notice must do two things: identify that the data is stored or maintained in China, and state whether the Chinese Communist Party or a Chinese state-owned entity has access to it.
The duty to disclose attaches to “any person” who maintains the site or sells/distributes the app, and it applies to “any individual who downloads or otherwise uses” the service.
The bill does not provide a private right of action; enforcement is delegated to the Federal Trade Commission by treating violations as unfair or deceptive acts or practices under the FTC Act. That means the FTC will investigate, seek injunctions, and pursue civil penalties and other remedies available under existing FTCA authority rather than leaving enforcement to individual users or state attorneys general (unless they act under existing statutes).
The bill also criminalizes knowingly false disclosures as an unlawful act under the same framework, which raises evidentiary and proof-of-knowledge issues for enforcement.Operationally, compliance teams must map where data is stored and who can access it. The text’s definitions are minimal: it uses the phrase “stores and maintains” and requires disclosure about whether the CCP or a state-owned entity “has access.” The bill leaves unresolved how to treat transient storage, caching, mirrored backups, third-party processors, and access through contractual or legal mechanisms in China.
Platforms will need to decide whether to present a binary yes/no on CCP or state-owned access or to adopt more nuanced language while staying within the statute’s limited formulation.Finally, because the statute sweeps broadly to “any person” maintaining a website or selling or distributing an app, app stores, content distribution networks, hosting providers, and developers all need to review contracts and technical configurations. The regulatory consequence is practical: companies will either add disclosures, change where they store U.S. user data, or create internal processes to determine and document whether Chinese state actors have access to particular data sets, knowing the FTC can enforce compliance under the FTCA.
The Five Things You Need to Know
Scope: The bill applies to any person that maintains an internet website or sells or distributes a mobile application that stores or maintains information collected from that site or app in the People’s Republic of China.
Required content: Notices must inform users that their information is stored or maintained in China and must state whether the Chinese Communist Party or a Chinese state-owned entity has access to that information.
Delivery and form: The disclosure must be provided to any individual who downloads or otherwise uses the website or application and must be made in a clear and conspicuous manner.
False statements: The bill makes it unlawful to knowingly disclose false information under the disclosure requirement.
Enforcement: Violations are treated as unfair or deceptive acts or practices under the Federal Trade Commission Act and the FTC enforces the law with its existing investigatory powers and remedies.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title — TELL Act
This one-line section names the statute the “Telling Everyone the Location of data Leaving the U.S. Act” or the “TELL Act.” It has no substantive effect but signals the bill’s focus on disclosure tied to data leaving the United States for the People’s Republic of China.
Country disclosure requirement and required statements
This subsection creates the operative disclosure rule. Any person maintaining a website or selling/distributing an app that stores or maintains information in the PRC must disclose two facts to users: (1) that the information is stored or maintained in the PRC, and (2) whether the Chinese Communist Party or a Chinese state-owned entity has access to it. The statute specifies delivery to any individual who downloads or otherwise uses the site or app and requires the notice to be clear and conspicuous—language that will guide UX, consent flows, and app store listings.
Prohibition on knowingly false disclosures
Subsection (b) makes it unlawful to knowingly provide false information in the required disclosure. The scienter requirement—knowledge of falsity—raises practical questions about evidence and proof in enforcement proceedings and may focus FTC inquiries on a company’s internal knowledge, audits, and documentation of data flows and access.
FTC enforcement and adoption of FTCA remedies
Section 3 treats violations as violations of an FTC rule defining unfair or deceptive acts or practices, and it incorporates the Federal Trade Commission Act’s enforcement regime. Practically, that gives the FTC its full investigative powers, injunctive authority, and civil penalty tools to enforce the TELL Act. The bill does not create a private right of action; enforcement is channeled through the FTC (and any remedies the FTC chooses to pursue under its statutory powers).
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers and app users in the United States — receive affirmative notice about where their data is stored and whether Chinese state actors may access it, improving transparency for security and privacy decisions.
- Privacy and compliance teams — gain a statutory benchmark that clarifies one specific disclosure obligation tied to data residency in China, which can be integrated into risk assessments and vendor audits.
- Civil-society researchers and journalists — obtain a clearer public baseline about which services store U.S. user data in China, simplifying monitoring and public reporting on cross-border data flows.
Who Bears the Cost
- Website operators, app publishers, and distributors — must audit data flows, implement user-facing disclosures, and decide how to ascertain and document whether Chinese state entities have access to stored data.
- Small developers and startups — face compliance costs and potential removal or relisting frictions on app stores if they cannot quickly determine storage locations or access pathways.
- App stores, hosting providers, and third-party processors — may need to alter platform policies, implement new verification workflows, and absorb operational costs policing disclosures and claims.
Key Issues
The Core Tension
The central dilemma is between user-facing transparency about geopolitical data risks and the practical limits of corporate knowledge and technical architectures: the bill pushes companies to provide definitive, binary answers about storage and state access at a time when hybrid cloud arrangements, third-party processors, and legal uncertainty in foreign jurisdictions make those answers hard to determine, creating a trade-off between useful notice and overbroad, potentially misleading warnings.
The bill leaves several operationally important terms undefined, creating immediate implementation challenges. It does not define “stores and maintains,” so obligations could sweep in temporary caching, third-party backups, content delivery network replication, or contractual hosting relationships.
Similarly, the statute requires disclosure about whether the Chinese Communist Party or a Chinese state-owned entity “has access” but provides no standard for what constitutes access: direct legal authority, contractual access, physical access by personnel, or third-party subprocessors could all plausibly qualify. Those gaps will push companies to adopt conservative interpretations or to seek FTC guidance.
Enforcement also creates trade-offs. The ‘knowingly false’ standard focuses FTC investigations on company knowledge and documentation, but proving knowledge can be hard and expensive.
The statute channels remedies through the FTC rather than creating private lawsuits, concentrating risk but also creating single-point regulatory discretion; companies may face uneven enforcement depending on FTC priorities and resources. Finally, the requirement to state whether Chinese state actors have access may produce blunt, binary disclosures that obscure nuanced realities (e.g., limited legal access for particular data categories), or conversely encourage overbroad warnings that lead to user fatigue and reduced informative value.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.