SB2850 defines a broad category of “covered information” (home addresses, personal phone/email, precise geolocation, child identifiers, bank and license numbers, routes and school information, etc.) and gives Members of Congress, their immediate family, designated staff, former Members, and people who certify they are survivors the ability to mark those elements as private across Federal records and many online sources.
The bill requires government agencies and covered private actors to remove or stop displaying covered information within 72 hours of a written request, authorizes legislative offices to submit lists on behalf of multiple people, bars data brokers from knowingly selling covered information about covered persons, and provides limited enforcement routes (state or federal attorneys general for data-broker violations and individual injunctive/declaratory relief for victims).
At a Glance
What It Does
The bill requires government agencies and many private websites to remove or stop publicly displaying a long list of “covered information” about at-risk individuals within 72 hours of a written request, allows legislative officers to submit bulk lists, and makes it unlawful for data brokers to sell covered information about covered persons (including survivors and certain elected officials). It also preserves a set of narrow exceptions for news reporting, voluntary posting, and legally required disclosures.
Who It Affects
Members of Congress, their immediate family, designated staff, former Members, people who self-identify as survivors of domestic violence or sexual assault, federal/state/local data brokers, online publishers, and the offices that administratively support Congress (Sergeants at Arms, Secretaries, CAO).
Why It Matters
The bill codifies operational obligations (72-hour removals, prohibition on transfers by covered sites, lists from legislative offices) that compliance teams, platform operators, and data brokers will need to implement, while creating a novel statutory category of protected persons that spans public officials and survivors.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB2850 draws a sharp line around a specific set of personal data it calls “covered information” — everything from home and personal device contact details to precise geolocation and school or daycare schedules for children. The definition is intentionally broad: it covers identifiers (SSNs, driver’s licenses, bank and card numbers), vehicle identifiers, and location-sensitive items such as routes to work or school.
The bill excludes information already required by federal or state candidate-filing rules, so many candidate disclosures remain publicly available.
For federal government records, the bill lets any ‘at-risk individual’ file a written notice to mark that person’s covered information as private; agencies then must remove the covered information from publicly available postings within 72 hours. The statute authorizes the applicable legislative officers (Senate and House Sergeants at Arms together with the Secretaries/CAO) to act on behalf of members and staff, and to submit consolidated lists to agencies and commercial entities instead of serial individual requests.SB2850 treats commercial actors differently depending on their role.
It makes it unlawful for data brokers to knowingly sell, license, or purchase covered information about a “covered person” (a category that extends beyond Congress to include state/local elected officials and people who certify they are survivors). For other online publishers and businesses, the bill requires removal of covered information and bars transfers after a written request, with limited carve-outs for material used in news reporting, voluntarily posted by the subject after enactment, or received from lawful government sources.Enforcement is split.
Attorneys general — federal and state — can bring actions against data brokers; individual at-risk people may sue for injunctive or declaratory relief if their covered information is publicized in violation of the law. The bill contains rules of construction preserving traditional press activity and other narrow exceptions and directs courts to construe the law broadly in favor of protecting covered information.
It ends with a severability clause so surviving provisions stand if any part is struck down.
The Five Things You Need to Know
Government agencies and covered private entities must remove publicly posted covered information within 72 hours of a written request from an at‑risk individual or their agent.
The bill outlaws data brokers from knowingly selling, licensing, trading for consideration, or purchasing covered information about a covered person (which explicitly includes survivors and state/local elected officials).
Legislative officers may submit a single list of Members, designated employees, and their immediate family members to agencies and businesses; that list counts as individual notice under the statute.
Private websites and businesses must both remove and cease transferring covered information after a written request, subject to narrow exceptions for news reporting, voluntary post-enactment disclosures, and lawful government sources.
Enforcement is limited to injunctive or declaratory relief for individuals and to actions brought by federal or state attorneys general against data brokers; the statute does not create a private damages remedy.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions that set the statute’s scope
This subsection creates the operative categories: who is protected (at‑risk individuals and covered persons), what counts as covered information (a detailed list of identifiers, location/schedule data, and child-related details), and who qualifies as a data broker. Those definitions determine which records and commercial actors the obligations reach. Practically, the breadth of the covered‑information list — including precise geolocation and school routes — imports many kinds of online content and third‑party aggregations into the statute’s ambit, while the data‑broker definition carves out common financial and healthcare actors and traditional journalism activities.
Obligations for Government agencies and the 72‑hour removal rule
Agencies must accept written notices from at‑risk individuals (or their agents) and mark covered information private, removing it from publicly posted content no later than 72 hours after receipt. Agencies may still disclose covered information when a third party presents a signed release, a court order, or is covered by Gramm‑Leach‑Bliley confidentiality rules; the provision also allows agencies to continue required disclosures under existing law. For agency implementers, the clock and the exceptions are the operational drivers: records teams will need intake workflows, verification procedures, and removal processes that can meet the 72‑hour deadline while tracking lawfully required disclosures.
Delegation and list submission by legislative officers
This section authorizes notice delegation: at‑risk individuals may designate agents to submit requests, and the legislative officers in each chamber may, on written request, make notices on behalf of members and staff. Critically, the legislative officers can provide a consolidated list of covered people and family members to agencies and private actors; that list is treated as satisfying individual notice requirements. That mechanism reduces repetitive paperwork for staff and centralizes compliance, but it also concentrates responsibility in the hands of the Sergeants at Arms, Secretary, and CAO to define the list’s contents and ensure it stays current.
Prohibitions on data brokers and removal/transfer rules for other businesses
The bill makes it unlawful for data brokers to knowingly sell, license, trade for consideration, or purchase covered information about a covered person. For other persons, businesses, and associations, SB2850 requires removal from the internet and bars further transfers of covered information after a written request, with exceptions for news reporting, voluntary post‑enactment publication, and lawful government sources. The provision imposes a dual duty to remove and to stop transfers, creating compliance tasks for platforms, search engines, and content hosts that must be operationalized quickly and defensibly.
Enforcement, construction, and severability
Enforcement against data brokers may be brought by the U.S. Attorney General or a State attorney general seeking injunctive or declaratory relief; individuals have a private right to sue for injunctive or declaratory relief where their covered information is published in violation of the statute. The rules of construction carve out traditional press activity, public‑interest reporting, legally required disclosures, and voluntary postings by the subject, and instruct courts to favor protecting covered information. A severability clause preserves the remainder of the law if any part is struck down.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Members of Congress, designated staff, and former Members — the statute lets them get a legal, administratively enforceable blanket to remove location, contact, and other sensitive details from many public postings and commercial listings, reducing vectors for doxing and targeted harassment.
- Immediate family members and household residents — family addresses, children’s school details, and household schedules are explicitly included as covered information, giving relatives of Members the same removal tools.
- Survivors of domestic violence and sexual assault who self‑certify — the bill extends protections beyond elected officials so survivors can stop sale and public display of sensitive data that could enable stalking or abuse.
- Legislative administrative offices (Sergeant at Arms, Secretaries, CAO) — centralizing notices through these offices simplifies bulk compliance and provides a single contact point for agencies and businesses, reducing parochial requests across offices.
- Schools and day‑care providers and public safety personnel — by limiting public exposure of schedules and routes, the bill reduces risks tied to published attendance information that can be exploited for targeting.
Who Bears the Cost
- Data brokers — the statutory sale/licensing prohibition on covered-person data curtails revenue streams and requires operational changes to identify covered persons within large data inventories and stop covered transactions.
- Online publishers, platforms, and small websites — the duty to remove content within 72 hours and to halt transfers imposes takedown and monitoring costs, and platforms must build processes to handle verification requests and exceptions (news, voluntary postings, government sources).
- State and federal attorneys general — AGs receive an enforcement role against data brokers that may require investigative and litigation resources, especially given cross‑jurisdictional data flows and proof-of-knowledge standards.
- Sergeants at Arms, Secretaries, and the Chief Administrative Officer — those offices must assemble, maintain, and transmit lists of covered persons and family members and define the 'information necessary' for compliance, creating administrative burdens.
- News organizations and investigative reporters — although carved out, newsrooms face added legal risk and potential ambiguity in defining what is a matter of public concern versus protected personal data, increasing editorial and legal compliance costs.
Key Issues
The Core Tension
The central tension is between the statutory aim to protect the safety and privacy of public officials and survivors by restricting dissemination and commercial exploitation of sensitive personal data, and the competing public‑interest values of transparency, a free press, and the practical limits of verifying and policing third‑party internet content; the bill protects safety but creates hard line‑drawing and enforcement problems with no fully clean solution.
SB2850 creates substantial operational obligations but leaves several implementation questions unresolved. The 72‑hour removal deadline is strict on its face, yet the statute does not specify verification standards for requests or detailed procedures for handling cached or third‑party reposts and search‑engine caches.
That gap forces agencies and private actors to adopt ad hoc verification systems and takedown workflows that may vary significantly, potentially producing uneven protection or overblocking.
The bill’s carve-outs for journalism and public‑interest reporting narrow enforcement, but the line between newsworthy public‑interest material and private, safety‑sensitive data is fact‑intensive and litigable. Similarly, the statute bars data‑broker transfers but carves out many entities (financial institutions, consumer reporting agencies, certain health actors), creating compliance friction at borders of these sectors.
The enforcement design leans heavily on injunctive relief and AG suits rather than statutory damages or administrative penalties, which could limit deterrence—especially against sophisticated data brokers operating across state lines. Finally, the provision allowing legislative officers to submit lists centralizes the administrative burden but raises questions about how often lists are updated, how errors will be corrected, and who bears responsibility if a legitimate public record is inadvertently suppressed.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.