The bill defines a broad category of "covered information" (home addresses, personal phones and emails, precise geolocation, children’s school details, financial identifiers, vehicle identifiers, and similar data) tied to a class of "at‑risk individuals": Members of Congress, designated congressional staff, immediate family members, and former Members. It requires Government agencies and internet publishers to treat that information as private on request and to remove it from public displays.
The measure also targets the market for such information: it makes it unlawful for entities that meet the statutory definition of a “data broker” to sell, license, trade for consideration, or purchase covered information about affected individuals. The bill includes carve-outs for news reporting, voluntary disclosures by the subject, and certain government or GLB‑protected transfers, and creates avenues for enforcement by state or federal attorneys general and for private injunctive relief by affected individuals.
At a Glance
What It Does
The bill lists specific data elements that qualify as covered information and requires agencies and private actors to stop publicly posting that information and to remove it upon written request. It imposes a 72‑hour takedown clock for recipients of such requests and bars data brokers from monetizing covered information about the protected class.
Who It Affects
Directly affects Members of Congress, designated House and Senate employees, immediate family members and certain former Members; federal, state and local government agencies that publish records; commercial data brokers; and websites or businesses that post personal information online.
Why It Matters
This is a targeted privacy statute aimed at reducing doxing and politically motivated violence against public officials and their households. It creates new compliance duties for both the public sector and private information vendors and tightens how high‑risk personal data can be transferred or monetized.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill starts by spelling out who the protection covers and what counts as protected data. It uses the term "at‑risk individual" to reach current Members of Congress, designated staff, immediate household members and certain former Members. "Covered information" is enumerated and intentionally broad: along with typical identifiers such as Social Security numbers and home addresses, the bill explicitly includes personal mobile numbers, non‑anonymized precise geolocation, school or daycare schedules and identifiers for children under 18, vehicle license plates, and routes to work or school.
On the government side, the statute lets an at‑risk individual file written notice with any government agency to mark covered information private and requests removal from public displays. The bill authorizes congressional administrative officers (the Sergeant at Arms and the Secretary/CAO acting jointly) to coordinate and to submit requests on behalf of Members and designated employees; they may also supply agencies and other recipients with a master list of protected persons and the information needed to comply, rather than sending dozens of individual notices.For the private sector, the bill draws a bright line between 'data brokers'—commercial entities that collect and sell information about noncustomers—and other publishers.
It makes it unlawful for data brokers to knowingly sell, license, trade for consideration, or buy covered information about a covered person. Separately, any person, business, or association that publicly posts covered information must remove it within the statutory timeframe after receiving a written request from the subject and must not transfer that information further, subject to narrow exceptions for newsworthy reporting, voluntary post‑subject disclosures, and certain lawful government or GLB‑regulated sharing.Enforcement is two‑track: state attorneys general and the U.S. Attorney General may sue to enjoin or obtain declaratory relief against data brokers that violate the prohibition, while any at‑risk individual may bring a civil action seeking injunctive or declaratory relief when their covered information is disclosed in violation of the statute.
The bill also contains construction language favoring protection of covered information but expressly preserves reporting on matters of public concern, disclosures required by law, and consensual sharing by the subject.
The Five Things You Need to Know
The statute enumerates covered information to include precise, non‑anonymized geolocation data, children's school or daycare attendance and routes, vehicle license plate numbers, and routes to and from work or school.
Government agencies and private websites that publicly display covered information must remove it and block further public availability after a written request; recipients have 72 hours to comply with takedown requests.
The bill makes it unlawful for a data broker to knowingly sell, license, trade for consideration, or purchase covered information about a covered person; enforcement may be brought by the U.S. Attorney General or any State attorney general.
Applicable legislative officers (Sergeants at Arms, Secretary of the Senate, Chief Administrative Officer of the House) can submit master lists and make removal requests on behalf of Members, designated employees, and their immediate family members; a list counts as complying with individual notice requirements.
Exceptions preserve newsworthy reporting, voluntary post‑subject disclosures made by the at‑risk individual after enactment, transfers to GLB‑covered financial entities, and disclosures required by federal or state law.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the bill the "Protecting Americans from Doxing and Political Violence Act." This is purely nominal but signals the legislative focus on doxing and politically motivated threats rather than a general privacy overhaul.
Who is protected and what counts as covered information
This subsection creates the core definitional architecture: it defines 'at‑risk individual' (Members, specified staff, immediate family, former Members), 'covered information' (a detailed list of identifiers and location/schedule data), and 'data broker' (a commercial entity that collects and sells info about non‑customers). Notable mechanics: the covered information list reaches nontraditional categories like school schedules and non‑anonymized geolocation; the data broker definition includes several carve‑outs such as news organizations, consumer reporting agencies under FCRA, GLB‑regulated financial institutions, and certain directory services.
Process for government removal requests and privacy marking
An at‑risk individual may submit written notice to government agencies asking that their covered information be marked private and removed from public displays. Agencies must not publicly post covered information and must remove it within the bill's compliance window upon receiving a request. The text also allows agencies to provide covered-file access to third parties if they possess a signed release, court order, GLB protections, or a confidentiality agreement—this narrows but does not eliminate legitimate administrative uses.
Delegation to legislative officers and use of master compliance lists
The bill authorizes Members and designated employees to act through agents and authorizes the applicable legislative officers to make requests on their behalf. Importantly, those officers may give agencies, data brokers, businesses or associations a single list of protected individuals and required compliance information; the statute deems such lists to satisfy the individual notice requirement. That mechanism centralizes operational responsibility inside congressional administrative offices and reduces redundant individual submissions.
Prohibitions on transfer and obligations to remove posted content
Subsection (d) separates data brokers—who are barred from knowingly monetizing covered information—from other online publishers and businesses, which face takedown and nontransfer obligations after receiving a written request. Private actors must remove covered information from their sites (and subsidiaries) within the statutory clock and must not transfer the data further, with limited exceptions for newsworthy content, voluntary subject postings, or lawful government sources.
Enforcement routes, legal limits, and statutory scope
Enforcement is split: state and federal attorneys general may pursue injunctive and declaratory relief against data broker violations, while affected individuals can bring civil actions for injunctive and declaratory relief against parties who make their covered information public in violation of the statute. The rules of construction explicitly preserve reporting on matters of public concern and disclosures required by law, while directing courts to construe protections broadly; a severability clause preserves the remainder of the statute if any provision is struck down.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Members of Congress, designated Senate and House employees, and their immediate family members — the primary beneficiaries; the statute reduces publicly available personal identifiers and location data that attackers or harassers could use.
- Former Members of Congress included in the 'at‑risk' definition — they gain the same removal and nontransfer protections for covered information as current officials.
- Congressional administrative offices (Sergeant at Arms, Secretary of the Senate, Chief Administrative Officer) — benefit operationally by being able to centralize requests and provide master lists, simplifying protective measures across agencies and vendors.
- Parents and guardians of congressional staff and Members' children — they gain explicit statutory protection for children's identities, school attendance, and travel routes, addressing a frequent vector in targeted harassment.
Who Bears the Cost
- Commercial data brokers — the prohibition on selling, licensing, trading, or purchasing covered information curtails revenue streams and will force business model changes or legal compliance programs to segregate protected data.
- Internet publishers, directories, and small websites — must implement intake, verification, and takedown processes and monitor subsidiary sites; compliance costs and operational burdens could be significant, especially for small operators without automated workflows.
- Federal, state and local government agencies — must build processes to accept notices, mark records private, remove public postings within the compliance window, and respond to inquiries, all of which require administrative time and possible system changes.
- News organizations and investigative reporters — while the bill preserves news exceptions, ambiguous boundaries between 'newsworthy' content and targeted personal information could invite defensive litigation or over‑removal requests, raising legal and editorial costs.
- State attorneys general and the DOJ — enforcement authority over data broker prohibitions could require new investigative capacity and resource allocation to pursue civil enforcement actions.
Key Issues
The Core Tension
The central dilemma is a classic trade‑off between protecting individual safety and preserving public access and press freedom: the bill aims to reduce real‑world risks from doxing by removing specific personal data from public displays, but any statutory removal regime risks overblocking information that is legitimately newsworthy or required by law, shifting contested line‑drawing to courts and imposing compliance burdens across government and industry.
The bill packs a lot into a targeted protection regime, but it leaves open difficult implementation questions. Verifying written requests and preventing fraudulent or abusive requests will be hard: the statute allows delegation and master lists from congressional officers, but recipients still must authenticate requests before delisting or blocking public records.
The line between public‑interest reporting and protected publication is preserved as a principle, yet the statute gives limited guidance on how to resolve close calls — that will push decisions into litigation and may encourage defensive takedowns.
Cross‑jurisdictional and technological realities create practical gaps. The data broker prohibition attaches to entities that collect and sell information about noncustomers and excludes several categories (newsrooms, GLB‑regulated institutions, FCRA actors), but modern supply chains blur those lines: many platforms both publish content and aggregate third‑party data.
The bill's reach against foreign data brokers or servers is unclear; content hosted outside U.S. jurisdiction or cached by global search engines may remain accessible even after domestic takedowns. Finally, the nontransfer rule and prohibition on monetization risk unintended overbreadth: platforms that index or cache removed items, or services that syndicate content, will need precise compliance playbooks to avoid liability while preserving lawful speech and historical records.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.