This bill rewrites large portions of the Privacy Act (5 U.S.C. §552a) to bring the statute’s baseline definitions and obligations closer to how agencies actually handle digital data today. It replaces the old, citizenship‑based scope with a definition tied to a ‘‘U.S. person’’ or presence in the United States, defines ‘‘record’’ as any personally identifiable information an agency processes, and adds statutory definitions for ‘‘personally identifiable information’’ and ‘‘process.’’
The bill also tightens limits on collection, use, and disclosure: agencies must tie disclosures to listed purposes, publish the legal authority for each purpose, use only the minimum information necessary, and confine certain data‑matching uses.
At the same time it raises enforcement stakes—expanding who can sue and increasing damages, fees, and the availability of punitive damages—and escalates criminal penalties for misuse of agency records. A two‑year general implementation window is provided, but the text creates immediate exceptions for a set of named entities and programs.
At a Glance
What It Does
The bill replaces several Privacy Act definitions so the Act covers any personally identifiable information processed by an agency, including device identifiers, and declares ‘‘process’’ to include analytics and structuring. It requires agencies to publish each purpose and the legal authority for uses of system‑of‑records data, to apply minimum‑necessary disclosure, and to limit certain automated matching uses for research. It expands civil remedies (including minimum and punitive awards) and creates new felony penalties for commercial exploitation of records.
Who It Affects
All federal agencies and any entity operating or processing a system of records for an agency (including contractors and interagency agreements), people physically in the U.S. and U.S. persons under FISA definitions, researchers using agency matches, and vendors that handle agency personally identifiable information.
Why It Matters
The statute’s scope, previously focused on citizens and permanent residents and on ‘‘records about individuals,’’ shifts to substance‑based coverage tied to PII processing. That change, paired with detailed transparency, minimum‑necessary rules, and much higher liability, will materially increase compliance obligations, change how agencies write contracts and interagency agreements, and raise litigation and criminal risk for mishandling federal data.
What This Bill Actually Does
The bill modernizes the Privacy Act by moving its center from a citizenship‑based ‘‘about an individual’’ framing to a functionally oriented, data‑centric one. Instead of protecting only records about citizens or lawful permanent residents, the statute would protect ‘‘personally identifiable information’’ processed by agencies—explicitly including device identifiers and any data that is linked or reasonably linkable to a person.
The statute also codifies ‘‘process’’ to capture activities such as analyzing and structuring data, making clear that modern data handling falls within the Act’s reach.
On agency obligations, the bill requires greater transparency and narrower uses. Agencies must publish the intended uses of system‑of‑records data (including routine uses) and must cite the legal authority for each such use.
They must limit collection and disclosure to what is appropriate and ‘‘reasonably necessary’’ for efficient government operations and take reasonable steps to ensure any disclosure includes only the minimum information necessary to accomplish its purpose.
The bill narrows how agencies can use automated matching when matches support research or statistical projects: matches may not be used to make individualized decisions about rights, benefits, privileges, or to take adverse personnel or disciplinary actions. It also broadens who is treated as performing agency record operations—explicitly bringing work performed under interagency agreements and other non‑traditional contracts under the Act’s coverage.
Enforcement gets a substantial upgrade.
The bill expands the kinds of plaintiffs who can bring claims (including certain non‑individual entities) and authorizes courts to award equitable relief, actual and nonpecuniary damages, reasonable fees and costs, and punitive damages where the agency acted intentionally or willfully; it also sets a statutory minimum recovery in those cases. Criminal penalties increase, and the bill creates a new felony for those who exploit agency records for commercial gain, personal advantage, or malicious harm.
Finally, the statute generally becomes effective two years after enactment, but the text lists a set of agencies and programs to which the amendments apply immediately, creating an uneven rollout that agencies will need to navigate.
The Five Things You Need to Know
The bill defines ‘‘record’’ to mean any personally identifiable information processed by an agency, not just information ‘‘about’’ a person.
It expands covered persons to ‘‘a natural person who is (A) a United States person as defined in FISA §101, or (B) in the United States,’’ thereby extending protections to non‑citizens physically in the U.S. and bringing FISA’s ‘‘U.S. person’’ concept into the Privacy Act.
Agencies must publish each intended use (including routine uses) and explicitly cite the legal authority—statute, executive order, or other source—for every purpose they list.
If a court finds an agency acted intentionally or willfully, the United States may be liable for actual damages (including nonpecuniary), reasonable fees and costs, punitive damages as the court deems appropriate, and at minimum $1,000 to the prevailing claimant.
The bill creates a new felony for anyone who intentionally sells, transfers, uses, or discloses an agency record for commercial advantage, personal gain, or malicious harm—punishable by up to $250,000 in fines and up to 10 years’ imprisonment.
Section-by-Section Breakdown
Modernizes core definitions (record, personally identifiable information, process)
This subsection replaces older, citizenship‑based language with definitions that capture modern data practices. ‘‘Record’’ becomes any personally identifiable information an agency processes; ‘‘personally identifiable information’’ explicitly includes information linked or reasonably linkable to an individual or a device tied to an individual; and ‘‘process’’ is defined to include storing, analyzing, structuring, and other handling. Practically, this pulls many data elements and processing activities that agencies once considered peripheral into the Act’s scope, so agencies must treat a wider range of operational data as Privacy Act data.
Alters matching‑program language to cover matches using data from one or more systems
The bill changes the statute governing ‘‘matching programs’’ so that matches involving any data from one or more systems of records fall under the matching rules. That shifts the focus from whether multiple automated systems are involved to whether data from agency systems is being combined, tightening oversight of modern cross‑system analytics and data linkages. Agencies running matches will need to reassess notification, recordkeeping, and approval procedures for matches that previously might have escaped the old, more technical definition.
Extends coverage to interagency agreements and similar arrangements
By expanding the contractor provision to include ‘‘other agreements, including with another agency,’’ the bill brings work performed under interagency service agreements, memoranda of understanding, and other non‑traditional contracting arrangements squarely within the Privacy Act’s reach. Agencies must ensure that any party operating or handling a system of records under such agreements complies with Privacy Act obligations, which affects how agencies draft statements of work, flow down privacy requirements, and monitor third‑party performance.
New limits on collection, purpose disclosure, and minimum‑necessary use
This section amends the Act’s core operational rules: collection, use, and disclosure must be appropriate and reasonably necessary for efficient government functions; disclosures must be consistent with purposes listed in system notices; agencies must publish each routine use and the legal authority for every listed purpose; and agencies must take reasonable steps to ensure disclosures contain the minimum information necessary. Those changes impose new documentation requirements and create a legal standard—‘‘reasonably necessary’’ and ‘‘minimum necessary’’—that agencies will have to operationalize in policy, training, and systems design.
Constrains research matching and clarifies permissible results uses
The bill preserves a research/statistics exception for matches but narrows it: results of such matches cannot be used to make individualized decisions about rights, benefits, privileges, or to take adverse personnel or disciplinary actions. That draws a bright line between aggregate research uses and operational decision‑making based on matched data, which could require additional technical safeguards or data‑use agreements for agency researchers and outside contractors.
Expands civil remedies and court powers
This provision broadens who can bring suit and what courts can order. It allows courts to grant preliminary and equitable relief, and, when conduct is intentional or willful, to award actual and nonpecuniary damages, reasonable costs and attorney fees, and punitive damages, with a floor recovery of $1,000. Agencies should expect greater litigation exposure and potential budgetary impacts from expanded damage awards and increased attorney fee awards.
Raises criminal penalties for misuse of records
The criminal provisions upgrade several offenses. Unauthorized disclosure with certain malicious or profit motives becomes a felony punishable by up to $250,000 in fines and 10 years’ imprisonment. Other unauthorized disclosures that were misdemeanors are elevated to felonies with higher monetary penalties. The change creates stronger deterrence but also raises the stakes for employees, contractors, and vendors who handle agency records.
Two‑year general effective date with an extensive immediate‑effect exception list
The default rule delays implementation for two years to give agencies time to adapt. However, subsection (c) lists numerous entities and programs that are subject to the amendments immediately (using names and program references in the bill). That creates a bifurcated implementation schedule—most agencies have time to comply, but covered exceptions must act at once—producing operational complexity in multi‑agency collaborations and in contracts that cross the two timelines.
Non‑inference rule about prior Privacy Act interpretation
This short section prevents courts or agencies from reading the bill as changing the legal interpretation of the Privacy Act as it existed before enactment. It attempts to avoid back‑dating or creating new legal presumptions about prior conduct, but does not affect how the new statutory language will be interpreted going forward.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- People physically present in the United States (including non‑citizens) and U.S. persons as defined under FISA — they gain broader statutory privacy protections because the Act now covers any personally identifiable information agencies process that is linked or reasonably linkable to them.
- State, territorial, tribal, and local governments — the bill explicitly contemplates claims by entities beyond individual claimants, increasing their standing to challenge harmful agency data practices that affect governments or their programs.
- Privacy‑minded claimants — individuals and organizations seeking redress will benefit from the expanded remedy toolkit (equitable relief, attorneys’ fees, minimum recoveries, and possible punitive damages), which improves access to effective remedies.
- Oversight offices and compliance teams inside agencies — clearer statutory language on ‘‘purpose,’’ ‘‘minimum necessary,’’ and legal authority for uses gives privacy officers concrete hooks for auditing and revising data inventories and access controls.
Who Bears the Cost
- Federal agencies — they must revise notices, update data inventories, add legal authority citations for routine uses, retrain staff, modify IT systems for minimum‑necessary disclosures, and absorb higher litigation risk and potential damage awards.
- Government contractors and other agreement partners (including interagency service providers) — expanded contractor coverage and higher criminal penalties increase contract compliance obligations, flow‑down requirements, and liability exposure.
- Small vendors and subcontractors that handle agency PII — higher criminal and civil penalties increase compliance costs and insurance needs; a single rogue employee’s conduct could expose a vendor to felony liability.
- Research programs and statistical units that rely on agency matches — new constraints on using match results for individual decisions will require stronger data‑use controls, new approvals, or changes to study designs that rely on operational decisioning.
Key Issues
The Core Tension
The bill tries to solve two legitimate problems at once—update the Privacy Act to cover modern data practices and give individuals meaningful remedies—while preserving the government’s ability to operate and share data. Strengthening protections and increasing penalties advances individual privacy and accountability, but it also raises compliance costs and legal risk that can impede legally authorized, operational data uses; the statute’s immediate carveouts for certain entities further complicate efforts to apply one consistent standard across the federal government.
The bill tightens privacy protections on paper, but several implementation and doctrinal questions will drive outcomes. Key statutory terms—‘‘reasonably necessary,’’ ‘‘minimum amount of information necessary,’’ and ‘‘linked or reasonably linkable’’—are fact‑intensive standards that agencies will have to translate into policies, technical controls, and guidance.
That process will determine how much data sharing and analytical work the statute actually restricts. Courts will play a central role in drawing these lines; until they do, agencies face ambiguity about acceptable practices.
The expanded civil and criminal liability creates real deterrence, but also risks chilling essential government functions. Agencies that routinely integrate datasets for eligibility, fraud detection, or public‑health responses may find those activities more legally perilous unless they build careful legal authority statements, data minimization, and audit trails.
The bill’s bifurcated effective date—two years for most changes but immediate effect for a list of named entities and programs—adds practical complexity to multi‑agency projects and contracts. Agencies, oversight bodies, and Congress will need to reconcile the goal of uniform privacy protection with the operational reality of staggered rollout and special exemptions.
Finally, the bill draws on the FISA ‘‘U.S. person’’ concept and references named programs and organizations in its exception list, creating potential tension between privacy protections and national‑security or executive‑branch reorganization initiatives. How courts harmonize the Privacy Act’s new statutory language with existing national‑security authorities, classified programs, and statutory exemptions will be a critical implementation battleground.