This bill rewrites how intelligence and law enforcement access commercially collected records and Section 702 acquisitions. It creates a statutory prohibition on warrantless queries that target the communications or information of U.S. persons in materials acquired under Section 702, tightens when agencies can compel assistance from certain communications providers, and institutes a suite of procedural and transparency reforms for the Foreign Intelligence Surveillance Court (FISC).
The bill also creates criminal‑procedure‑style protections for commercially aggregated records: it bars federal agencies from obtaining certain customer, subscriber, location, and device records from third‑party data holders “in exchange for anything of value,” requires court orders to compel disclosures from data brokers, and makes improperly obtained records and any evidence derived from them inadmissible. Those changes reframe how government actors acquire non‑governmental data and add reporting, minimization, and judicial review requirements that will affect agencies, providers, and data‑commerce firms.
At a Glance
What It Does
Adds a statutory ban on queries of Section 702 collections that seek communications or information of U.S. persons except in limited, enumerated circumstances; inserts metadata and federated‑dataset limits; restricts directives to certain provider types and requires declassification review and court/committee notifications; and forbids federal agencies from buying covered customer/subscriber records or illegitimately obtained data from third parties without a court order.
Who It Affects
Federal intelligence and law enforcement agencies that use Section 702 collections or buy commercial data; providers that host, transmit, or interconnect communications (including intermediary service providers and online service providers); companies that aggregate or sell consumer records; and the FISC and DOJ officials responsible for review, reporting, and minimization.
Why It Matters
It shifts several access pathways from administrative or commercial routes into the FISA or warrant processes, raises operational and compliance costs for agencies and private vendors, and increases transparency and judicial oversight of certain surveillance activities—potentially changing investigative tradecraft and evidence‑admissibility rules.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill defines the term 'query' and then draws a bright line: agencies may not run automated or manual techniques aimed at finding the contents of communications or other protected information of U.S. persons in collections acquired under Section 702 unless a tightly framed exception applies. Those exceptions are concurrent legal authorization (a warrant, FISA order, or an emergency authorization), consent, narrowly defined emergency circumstances, or narrowly tailored cybersecurity queries that use a known threat signature and do not permit reviewing additional retrieved contents.
The text treats metadata and federated datasets as controls: a metadata hit alone cannot be used to justify subsequent access to content, and mixed datasets that include Section 702 material are subject to the same prohibitions unless a mechanism isolates non‑Section 702 data.
To limit opaque operational directives, the bill restricts which types of communications providers may receive Section 702 directives and requires the Attorney General and DNI to perform a declassification review (deadline: 180 days) to publicly clarify what provider types and services were involved in prior, sensitive FISC opinions. It also demands advance notice and summary information to the FISC (and to congressional committees) within short timeframes (generally seven days), requires courts to be given summaries of technical access and equipment, and gives the FISC express authority to review and set aside directives.
The bill builds in quarterly reporting and a requirement to submit opinions arising from such directives to Congress.The bill strengthens the role of amici curiae before the FISC: courts must appoint designated amici in a broader set of cases touching civil liberties, national security, or domestic sensitivities; amici will have access to unredacted materials (including classified opinions where eligible) and may actively seek leave to raise novel legal issues and to petition for certification of questions to the FISC Court of Review and, ultimately, the Supreme Court. The statute spells out duties, timelines, and access rules for amici, and requires written reasons if a court declines an amicus petition for review.On the commercial‑records side, the bill creates a new statutory bar: federal law‑enforcement agencies and intelligence elements may not obtain ‘‘covered customer or subscriber records’’ or ‘‘illegitimately obtained information’’ from third parties in exchange for anything of value.
The definitions sweep in customer/subscriber records, contents, and location data tied to U.S. persons and expressly include records that were obtained from providers in ways that violate contracts or privacy policies, obtained by deception, or acquired through unauthorized access. If agencies want such records from a third party, they must get a court order applying the same or the most stringent legal standard that would be required to compel a provider.
Information obtained in violation of the rule, and evidence derived from it, is inadmissible, and DOJ must adopt minimization procedures to purge or limit dissemination of improperly acquired records.The bill also clarifies statutory definitions for intermediary and online service providers, expands the set of entities covered by the §2700s rules, limits voluntary disclosures by intermediaries, and declares FISA processes to be the exclusive means for acquiring certain types of communications records, location information, and other Fourth Amendment‑sensitive information for foreign‑intelligence purposes where U.S. persons or U.S.‑based providers are implicated. Finally, the bill narrows immunity for private parties who assist the government absent a court order: certain emergency assistance that continues past the earliest of a denial, retrieval, or 48 hours after interception may lose the broad liability shield.
The Five Things You Need to Know
The bill forbids agency queries of Section 702‑acquired collections when the query aims to find communications or information of U.S. persons, defining a 'covered query' to include queries using identifiers or personally identifiable terms tied to covered persons.
Exceptions to that prohibition are tightly drawn: concurrent legal authorization (warrant, FISA order, or approval), consent, narrowly defined emergencies, and narrowly tailored defensive cybersecurity queries using known threat signatures; Congress and FISC must receive descriptions of such queries within 90 days.
Agencies may not obtain from third‑party data brokers or similar vendors, in exchange for anything of value, covered customer/subscriber records or 'illegitimately obtained' information; improperly obtained records and any derivative evidence are inadmissible, and DOJ must adopt minimization procedures.
The bill expands FISC amicus authority—courts must appoint amici in more cases, amici get access to unredacted materials when eligible and can petition courts for review and certification of questions; courts must provide written reasons when denying petitions, and timelines for notification and review (7‑day notice, 30‑day completion for certain reviews) are specified.
Several timing and sunset rules are explicit: the DNI/AG must finish a declassification review within 180 days; Congress receives quarterly reports (first due within 90 days after enactment); a December 31, 2026 sunset applies to certain provider‑definition changes; and Title VII authorities are extended so repeal is effective April 20, 2028.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Ban on warrantless queries of U.S. person communications
Creates a new prohibition within Section 702 against conducting 'covered queries' aimed at retrieving contents or other information of U.S. persons from collections obtained under Section 702. The bill supplies detailed definitions: 'query' covers manual and automated techniques to detect or retrieve information inside a collection, 'covered query' reaches queries using terms tied to a covered person or run with specific reason to retrieve that person's information, and 'covered person' means a U.S. person. The provision also provides narrow carve‑outs (concurrent authorizations, emergency use, consent, targeted cybersecurity signatures) and builds in reporting and evidentiary limits tied to those exceptions.
Limits on using metadata and mixed datasets
Adds a rule that a metadata query hit cannot be used as a basis to justify subsequent access to communications otherwise barred by the new prohibition. It also says the statutory protections must apply across federated or mixed datasets containing Section 702 material unless there is a technical mechanism to confine queries to non‑Section 702 data—an operational constraint that will require changes to how agencies and contractors index, tag, and query combined datasets.
Temporary provider‑definition changes and limits on directives
Establishes a temporary change to the statutory definition of certain electronic‑communication service providers that sunsets December 31, 2026, and forbids issuing Section 702 directives to 'covered electronic communication service providers' unless the provider matches the type of service at issue in previously released FISC opinions. The Attorney General and DNI must perform a 180‑day declassification review to clarify provider types and services at issue, and directives sent to covered providers must include summary descriptions of the services being targeted. The FISC and congressional oversight committees receive expedited notice (generally within seven days) and may review directives; courts can affirm, modify, or set directives aside.
Expanded amici curiae structure before FISC
Broadens when courts must appoint amici and requires at least one appointee with privacy/civil‑liberties expertise unless inappropriate. Amici receive access to applications, unredacted decisions, and other material (if eligible for classified access), may raise novel legal issues, and may petition the FISC and the Court of Review to certify questions for further review. Courts must explain denials in writing, and amici can request access to additional materials as needed—creating a more adversarial and transparent appellate pathway inside the FISC system.
Extension of Title VII authorities
Adjusts the statutory repeal/transition timing for the FISA Amendments Act Title VII authorities, moving the effective repeal so that Title VII is repealed effective April 20, 2028. The provision modifies transition language so agencies and stakeholders face an extended window before those Title VII authorities lapse.
Prohibitions and rules for data brokers, intermediaries, and online service providers
Creates a new §2702(e) prohibition barring law‑enforcement agencies and intelligence elements from obtaining, from third parties for anything of value, 'covered customer or subscriber records' or 'illegitimately obtained information' pertaining to U.S. persons. The bill defines covered records broadly (customer/subscriber records, contents, location info, device‑derived data) and defines 'illegitimately obtained' to include disclosures that violate a provider's service agreement/privacy policy, deceptive acquisition, or unauthorized access. It also defines 'intermediary service provider' and imposes limits on intermediaries divulging contents or subscriber records. For third parties, §2703 is amended so courts must apply the same or the most stringent legal standard that would be required to compel a provider to disclose comparable records.
Exclusivity for FISA processes and limits on civil immunity
Declares that FISA and related statutory procedures are the exclusive means to acquire certain communications, transaction records, location data, and Fourth Amendment‑sensitive information for foreign‑intelligence purposes when U.S. persons or U.S.‑based providers are implicated. It also narrows the scope of civil immunity for private parties who assist the government absent a court order: the safe harbor for emergency certifications only applies up to the earliest of application denial, retrieval of the communication, or 48 hours after interception, curbing indefinite extra‑judicial assistance.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- U.S. persons and privacy advocates — The statutory query ban, metadata limits, and evidentiary exclusions reduce government pathways to access communications and commercially aggregated records without judicial process.
- Recipients of Section 702 directives that are not covered providers — The bill limits directives to specified types of providers and requires summaries and court review, which can protect some providers from novel compelled‑assistance demands.
- FISC amici and civil‑liberties litigators — Expanded appointments, access to classified materials (where eligible), and express authority to seek appellate review strengthen independent legal representation of privacy interests in secret court proceedings.
- Consumers of data broker services that value privacy — The prohibition on agencies buying certain records reduces the commercial monetization pathway for sensitive consumer records to reach the government.
Who Bears the Cost
- Intelligence and law‑enforcement agencies — The bill reduces administrative access paths (including purchases), imposes additional judicial and reporting requirements, and limits the use and dissemination of information acquired under exceptions, which may slow investigations and increase operational overhead.
- Data brokers and third‑party aggregators — The ban on selling or furnishing covered records to agencies for consideration and the requirement that courts apply stringent standards to compel disclosures will materially constrain revenue models that rely on selling government access to compiled records.
- Intermediary and online service providers — New definitions, disclosure limitations, and obligations to resist third‑party demands and to handle court orders increase compliance, contract, and engineering costs, particularly for entities that interconnect or store communications on behalf of other providers.
- DOJ and federal courts — New minimization rules, annual compliance assessments, quarterly reporting, declassification reviews, and the FISC's enhanced review duties create new administrative burdens and potential litigation exposure for the government.
Key Issues
The Core Tension
The central dilemma: protect Fourth Amendment interests and force judicial process for government access to commercially collected data, or preserve rapid operational access for national security and urgent law‑enforcement purposes. The bill favors legal safeguards and transparency, but those protections can slow or complicate time‑sensitive operations and push agencies to seek technical or contractual workarounds—there is no free lunch that fully secures both privacy and unimpeded operational agility.
The bill trades faster, informal access channels for judicialized and technified controls. That trade brings clarity and stronger Fourth Amendment protections, but implementation raises knotty technical and legal questions.
For example, the requirement that metadata hits not justify content access and the extension of protections across federated datasets will force agencies to re‑engineer indexing, tagging, and query flows—work that may be costly, time consuming, and operationally risky in time‑sensitive investigations. Similarly, the statutory language around 'illegitimately obtained information' hinges on contract and policy terms: providers and brokers will need to rewrite contracts and privacy policies to avoid ambiguous outcomes, and courts will be asked to parse whether a given record was 'illegitimately' obtained when initial collectors and subsequent resellers have complex contractual relationships.
The bill's transparency demands (declassification review within 180 days, seven‑day FISC notifications, quarterly reports) push secrecy toward greater public accountability, but disclosure may be limited by national‑security classifications—so the stated transparency may be incomplete in practice. The evidentiary exclusion for improperly acquired records is a blunt tool: it incentivizes privacy protection but risks excluding probative material obtained in good‑faith but procedurally imperfect ways, and it creates litigation incentives for defendants to mount challenges grounded in how records moved through private markets.
Finally, actors could attempt evasive workarounds—routing collection through foreign affiliates, contractors, or non‑covered provider types—creating new legal and oversight challenges if the statute's definitions cannot keep pace with industry arrangements.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.