The ACCESS Act of 2025 would require large communications platforms to maintain transparent interoperability interfaces that let users transfer data to themselves or to a competing provider on request. It also creates a framework for competing providers to access those interfaces on nondiscriminatory terms, with safeguards around privacy, security, and pricing.
The bill defines key terms, assigns enforcement and rulemaking duties to the FTC, and introduces a custodial third‑party‑agent model to manage delegated access. It is written to set a regulatory floor for interoperability in online communications services, while outlining implementation steps and a clear enforcement path.
At a Glance
What It Does
For each large communications platform, the bill requires an interoperable set of third‑party‑accessible interfaces to securely transfer user data to a user or to a competing provider in a structured, machine‑readable format.
Who It Affects
Targets large platforms that monetize user data and have 100,000,000+ monthly active users; enables competing providers to access data; creates custodial third‑party agents and FTC oversight.
Why It Matters
Establishes a legal baseline for data portability and interoperability, aiming to lower switching costs, unlock competition, and give users more choice.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The ACCESS Act redefines how large online platforms handle user data by mandating interoperable data interfaces. Those interfaces allow users to move their data to themselves or to a competing provider in a standardized, machine‑readable form.
The act also expands into a formal interoperability regime that requires nondiscriminatory access, sets thresholds and fees to govern access, and obligates platforms to publish interface documentation and changes in advance. A new custodial third‑party agent framework creates a pathway for trusted intermediaries to help users delegate data access, with registration, authentication, duties to safeguard privacy, and rules on fee‑taking.
The bill also tasks the FTC with writing regulations, relying on open standards promoted by NIST, and providing a mechanism for complaints and enforcement. Taken together, these provisions are meant to reduce switching costs and foster competition without sacrificing data privacy or security.
The Five Things You Need to Know
The bill requires large platforms to maintain transparent, third‑party‑accessible interfaces for transferring user data to users or competing providers.
Non‑discrimination and reasonable fee structures govern access to interoperability interfaces, with public notice of changes.
Documentation describing how to access and use the interfaces must be disclosed within 120 days of enactment.
A custodial third‑party agent regime allows users to delegate access through registered agents who must protect privacy and may charge fees.
FTC regulations, open‑standards standards from NIST, and a clear enforcement framework anchor implementation and compliance.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions
Section 2 lays out the terms used in the bill. It defines the Commission as the FTC, clarifies what counts as a communications provider and a large communications platform, and specifies what constitutes user data (data collected by the platform linked to a person, excluding de‑identified data). It also introduces key constructs such as interoperability interfaces, custodial third‑party agents, and competing communications services to frame the scope of the obligations.
Portability Obligations
Section 3 imposes a general duty on large platforms to maintain third‑party‑accessible interfaces that can securely transfer user data to a user or to a competing provider, in a structured, machine‑readable format. It also requires competing providers that receive data to secure it. An exemption exists for services that generate no income from user data.
Interoperability Obligations
Section 4 requires large platforms to fulfill duties to enable interoperability, including non‑discrimination, reasonable access thresholds, usage expectations, and proportional fees. It also mandates public notice of changes, mandates privacy and security standards, and prohibits changes intended to undermine interoperability. Functionally equivalent interfaces must be offered for affiliated services, and documentation of access must be disclosed within 120 days.
Custodial Third‑Party Agent Framework
Section 5 creates a framework for custodial third‑party agents who interact with user data on behalf of the user. It requires authentication procedures, mandatory registration with the Commission, and a mechanism for deregistration. Agents must safeguard privacy, avoid actions that harm users, and may charge fees, but cannot monetize user data for commercial gain.
Implementation and Enforcement
Section 6 directs the FTC to issue implementing regulations within a year, including rules around authentication and access requests. It tasks the National Institute of Standards and Technology with producing model technical standards for interoperable classes of services. The FTC will regularly assess compliance, establish complaints procedures, and enforce the act under the FTC Act, with a presumption of access on fair, reasonable, and nondiscriminatory terms when open standards are used. The act preempts conflicting state laws to the extent of inconsistency and takes effect when regulations are promulgated.
Relation to Other Laws
Section 7 confirms that the act does not modify existing privacy or security provisions in several federal statutes, ensuring compatibility with privacy regimes like the Privacy Act, GLBA, FERPA, HIPAA, and other related laws.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers seeking easier data portability and platform choice, enabling them to switch services with less friction.
- Competing communications providers, including smaller entrants, that gain easier access to user data for offering competitive services.
- Custodial third‑party agents who provide data‑porting and account‑management services on standardized terms.
- Compliance and security professionals within organizations who can rely on common interfaces and procedures to govern data transfers.
- Federal regulators (FTC) with a clearer enforcement framework and rulemaking path.
Who Bears the Cost
- Large platform providers must build, maintain, and document interoperable interfaces, which entails significant development and compliance costs.
- Competing providers may incur access fees and integration costs to utilize the interfaces, and must adapt to usage thresholds and standards.
- Custodial third‑party agents face registration, authentication, security, and ongoing compliance costs, including potential audits and monitoring.
- Smaller platforms or users could experience price pressures or service adjustments tied to new governance of data access.
- Regulators will need resources to implement, enforce, and update regulations and oversee open‑standards adoption.
Key Issues
The Core Tension
The central dilemma is balancing open, nondiscriminatory data access to spur competition against the need to protect privacy, security, and incentives for platform investment and innovation.
The ACCESS Act presents genuine policy tensions. On one hand, it aims to curb vendor lock‑in and unleash competition by standardizing data portability and interoperability.
On the other hand, it introduces new compliance burdens for large platforms, potential cost increases for access to data, and new privacy and security obligations for custodial agents. The phased implementation—documentation within 120 days, model standards by NIST, and FTC rulemaking within a year—creates a multi‑year path for full rollout and ongoing enforcement.
Real‑world risks include how thresholds and fees are set, how non‑discrimination is measured in practice, and how custodial agents balance user privacy with data access needs. These tensions require careful calibration to avoid chilling innovation or, conversely, enabling data misuse through loopholes.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.