The Veteran DATA Act amends title 38 to stop the Department of Veterans Affairs (VA) from entering into contracts that allow contractors to sell or otherwise disclose veterans' sensitive personal information for consideration. It also directs the Secretary to ensure covered contracts contain anti‑monetization clauses, issue employee and contractor guidance to identify misuse, and deliver a report to congressional veterans' committees within one year.
This is a procurement-level approach to privacy: rather than creating a new civil penalty or criminal sanction, the bill uses contract terms and agency policy to change how VA shares data with third parties. That shifts compliance work onto contracting officers, prime contractors, subcontractors, and VA privacy staff, while explicitly treating anonymized data and commonly protected categories (HIPAA, Privacy Act, VA-specific protections) as covered information.
At a Glance
What It Does
The bill amends 38 U.S.C. §5725 to add a prohibition on entering contracts that permit contractors to sell sensitive personal information maintained by the Secretary. It requires the Secretary to add or modify covered contracts to include a clause banning monetization, issue guidance to detect misuse, and submit a report to the House and Senate Veterans' Affairs Committees within one year.
Who It Affects
The bill applies to VA contracting officers, prime contractors, subcontractors, affiliates, VA privacy and compliance staff, and vendors handling protected health information (PHI) or personally identifiable information (PII), including datasets that have been anonymized. It also affects veterans whose data is covered under VA and federal privacy laws.
Why It Matters
The bill closes a procurement pathway that could allow third parties to monetize veteran data and clarifies that anonymized data is not necessarily excluded. For procurement and compliance teams, it imposes drafting and oversight obligations and may alter data‑sharing arrangements with analytics vendors, research partners, and third‑party service providers.
What This Bill Actually Does
The text adds a new subsection to 38 U.S.C. §5725 that flatly bars the Secretary of Veterans Affairs from entering into any contract that permits a contractor to sell or otherwise disclose sensitive personal information for consideration. That primary prohibition is categorical: if a contract permits a sale (or equivalent exchange for value), the VA may not enter into it.
Separately, the bill creates an operational requirement on the Secretary with a one‑year compliance deadline. The VA must ensure that every "covered contract"—defined to capture contracts that handle covered information and that are active on enactment or entered afterward—includes a clause prohibiting the monetization, sale, or misuse of covered information, or must modify existing agreements to insert that clause.
The Secretary must also issue a directive or policy that tells employees and contractors how to spot monetization, sale, or misuse, giving agency staff a basis for monitoring contractor behavior.
The statute defines "covered information" broadly: it includes protected health information and personally identifiable information, explicitly encompassing information that has been anonymized, and cross‑references the Privacy Act (5 U.S.C. §552a), VA statutes (38 U.S.C. §§5701, 7332), and HIPAA regulations (45 C.F.R. parts 160–164). Within one year the VA must report to the House and Senate Veterans' Affairs Committees a copy of the contract clause it adopts, the guidance it issues, and a summary of other steps taken to comply.
Notably, the bill relies on procurement controls and agency policy rather than creating a standalone enforcement regime or statutory damages.
The practical effect will depend on how the VA drafts contract language, enforces compliance through contract remedies or oversight, and interprets terms such as "sell," "otherwise disclose for consideration," and "anonymized."
The Five Things You Need to Know
The bill amends 38 U.S.C. §5725 by adding a new subsection forbidding the Secretary from entering contracts that permit contractors to sell sensitive personal information.
The Secretary has one year from enactment to ensure each "covered contract" includes, or is modified to include, a clause banning monetization, sale, or misuse of covered information and to issue employee/contractor guidance.
Covered information is defined to include protected health information and personally identifiable information—explicitly including data that has been anonymized—and references the Privacy Act, VA confidentiality statutes (38 U.S.C. §§5701 and 7332), and HIPAA regulations.
A "covered contract" covers contracts entered after enactment and contracts entered before enactment that remain in effect on the date of enactment, so active legacy contracts are within scope for modification.
Within one year the VA must report to the House and Senate Veterans' Affairs Committees providing the contract clause, the guidance, and a summary of other compliance actions; the bill does not create specific statutory penalties for violations.
Section-by-Section Breakdown
Short title
Declares the Act's short names: the "Veteran Data Accountability for Third‑party Actors Act" and the "Veteran DATA Act." This is administrative, but important because subsequent references in agency guidance and internal communications will use the short title as the policy label.
Prohibits contracting that permits sale of sensitive VA data
Adds a new subsection (d) to 38 U.S.C. §5725 that prohibits the Secretary from entering into any contract that permits a contractor to sell or otherwise disclose for consideration sensitive personal information maintained by the Secretary. Practically, procurement officers must screen contract language and award justifications to ensure no clause or permissive data‑sharing arrangement allows monetization.
Contract clauses and agency guidance—one‑year deadline
Requires the Secretary to ensure every "covered contract" includes, or is modified to include, an anti‑monetization clause and to issue a directive or policy instructing employees and contractors how to identify monetization or misuse. This imposes an operational timeline and creates documentable deliverables (contract clause and guidance) that will be the focal point for compliance and oversight.
Reporting to congressional veterans' committees
Directs a report within one year to the House and Senate Veterans' Affairs Committees that must include: the contract clause required under subsection (a)(1), the guidance issued under subsection (a)(2), and a summary of other steps taken to comply. That report provides Congress with concrete artifacts for oversight and establishes a public record of the VA's implementation choices.
Definitions—covered contract and covered information
Defines "covered contract" to include contracts entered after enactment and contracts entered before enactment that do not expire before enactment (i.e., active contracts), and defines "covered information" to include PHI and PII, explicitly including anonymized data, and cross‑references the Privacy Act, specific VA confidentiality statutes, and HIPAA regulations. Those cross‑references narrow interpretive questions but leave key terms (like "anonymized") to agency clarification.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Veterans — receive clearer contractual protections against third‑party monetization or sale of their sensitive health and personally identifiable information, including data that vendors might otherwise treat as anonymized.
- VA privacy and compliance staff — gain a statutory mandate and a one‑year timeline to standardize clauses and internal guidance, which strengthens their oversight tools and documentation for audits and investigations.
- Responsible contractors and vendors with robust privacy controls — benefit competitively because the bill disadvantages business models that monetize VA data and raises the bar for bidders, favoring firms that already limit data sharing.
- Congressional oversight bodies and privacy advocates — gain a concrete report and standardized clause to review, which improves transparency into VA data sharing and third‑party arrangements.
Who Bears the Cost
- Prime contractors, subcontractors, and affiliates that handle VA data — must modify contracts, update compliance programs, add monitoring and attestation steps, and potentially forgo revenue streams from data sales or licensing.
- VA contracting offices — absorb administrative and legal costs to revise existing contracts, negotiate amendments with vendors, and implement monitoring processes within the one‑year deadline.
- Data aggregators, analytics firms, and research vendors that relied on purchasing VA datasets — may need to redesign business models, seek alternative data sources, or negotiate new fee structures that do not involve monetization.
- Small subcontractors and service providers — face disproportionate compliance burdens if prime contractors require new certifications, audits, or contractual indemnities to satisfy the anti‑monetization clause.
Key Issues
The Core Tension
The core dilemma is between protecting veterans' privacy by broadly banning monetization (including of anonymized datasets) and preserving legitimate, beneficial uses of VA data, such as research, analytics, and service delivery, that often depend on data sharing with third parties. The bill addresses the privacy risk through procurement controls but leaves enforcement and definitional boundaries to agency implementation, which can either mitigate or amplify the trade‑offs.
The bill draws a bright line against monetization but leaves several operational questions unresolved. It does not define key terms such as "sell," "otherwise disclose for consideration," or what constitutes sufficient anonymization.
Those ambiguities matter: a vendor that licenses access to aggregated analytics, exchanges data for research services, or receives in‑kind compensation may litigate whether those arrangements count as "sale" under the statute. The cross‑references to the Privacy Act, VA confidentiality statutes, and HIPAA provide starting points for interpretation, but the VA will need to supply precise definitions and safe harbors in its guidance.
Enforcement is another open question. The bill relies on contract clauses and agency policy rather than creating a statutory enforcement mechanism, civil damages, or criminal penalties.
That means remedies will likely flow through procurement law—contract remedies, termination for default, withholding payments—or through agency‑level investigations. Those remedies are meaningful but slower and may not deter bad actors in the same way statutory penalties would.
Finally, the inclusion of anonymized data as "covered information" protects against facile de‑identification claims but also risks chilling legitimate research and analytics partnerships unless the VA crafts narrow, risk‑based standards for de‑identification, permitted uses, and oversight.