Codify — Article

Data Care Act of 2025: FTC-backed duties for online service providers

Creates affirmative duties — care, loyalty, confidentiality — for entities that collect individually identifiable data and empowers FTC and state enforcement with new contractual and audit expectations.

The Brief

The Data Care Act of 2025 imposes affirmative legal duties on entities the bill calls "online service providers" that collect individual-identifying data. It defines "sensitive data" broadly, requires reasonable security and breach notice for that sensitive data, forbids uses of user-linked data that benefit the provider to the user's detriment, and bars disclosures or sales to third parties unless the recipient accepts equivalent duties and is regularly audited.

Enforcement rests with the Federal Trade Commission — which can write implementing regulations and carve out exemptions — and with state attorneys general acting parens patriae (including a civil-penalty formula tied to days out of compliance or number of harmed users). The bill shifts the legal frame from primarily notice-and-consent rules to an affirmative, enforceable duty model with implications for product design, vendor contracts, and security programs across platforms, ad tech, cloud services, and data brokers.

At a Glance

What It Does

The bill requires online service providers to satisfy three duties — care (secure data and notify breaches of sensitive data), loyalty (no uses that harm users to benefit the provider), and confidentiality (no disclosures or sales unless recipients assume the same duties and are audited). The FTC can expand breach-notice categories, exempt providers by regulation, and write implementing rules.

Who It Affects

Anyone operating in interstate commerce that collects data linked or reasonably linkable to individuals or devices: social networks, ad exchanges, identity brokers, cloud and analytics providers, mobile apps, ISPs, and third-party processors who receive that data under contract.

Why It Matters

It replaces a permissive consent-focused posture with affirmative responsibilities enforceable by the FTC and state AGs, creates higher expectations for vendor contracts and vendor audits, and introduces a civil-penalty regime that can scale to the scope and duration of noncompliance.


What This Bill Actually Does

The bill starts by framing covered entities as "online service providers" — any interstate actor that collects data linked or reasonably linkable to an identifiable person or a device they use. It draws a large sensitive-data category that goes beyond traditional identifiers: government ID numbers, financial credentials, biometric data, account access credentials, health information, nonpublic communications, and combinations of name with birthdate or precise geolocation.

That definition matters because many downstream duties and the initial breach-notification trigger are keyed to the "sensitive data" label.

The core of the statute imposes three affirmative obligations. The duty of care requires providers to "reasonably secure" individual-identifying data and to notify end users promptly of breaches affecting sensitive data; the FTC can later expand the notification requirement to additional data categories.

The duty of loyalty bars uses of individual-identifying data that produce foreseeable, material physical or financial harm to users or that would be "unexpected and highly offensive" to a reasonable user — language designed to capture stealthy or exploitative business practices. The duty of confidentiality prohibits disclosure or sale of such data except to parties that contractually accept the same duties; providers must also take reasonable steps, including regular audits, to ensure those recipients actually comply.

Those duties flow downstream: any person who receives the data is subject to the same obligations.

The statute contemplates contractual chains and affirmative oversight rather than mere contractual boilerplate — it requires auditing and lets the FTC set standards and carve out exemptions. The FTC enforces violations as unfair or deceptive acts under its existing statutory toolbox and must follow notice-and-comment rulemaking for regulations.

States can sue in federal court on behalf of their residents, seeking relief and civil penalties calculated by multiplying days out of compliance or number of harmed users by an amount up to the FTC’s maximum per-violation penalty (as adjusted for inflation). The bill also blocks contractual waivers of its rights and says it should not be read to limit other federal or state privacy or security laws.

Operationally, the Act will force product, legal, and security teams to re-evaluate data flows: what counts as individual-identifying or sensitive data, when breach notice is required, whether a data-sharing partner’s practices satisfy audit standards, and whether certain business uses of derived data could be judged harmful or offensive.

It leaves substantial discretion to the FTC to define thresholds and exemptions, which means much of the compliance burden will be determined in agency rulemaking and guidance rather than strictly in the statutory text.

The Five Things You Need to Know

1. The bill defines "sensitive data" to include not only SSNs and financial credentials but also nonpublic user communications and precise geolocation tied to a name or birthdate.

2. It creates three statutory duties for covered providers: care (reasonable security and breach notice for sensitive data), loyalty (no uses that benefit the provider at the cost of material physical or financial harm to a user, or that would be highly offensive), and confidentiality (no sale or disclosure unless the recipient assumes identical duties).

3. Recipients of disclosed data must enter contracts imposing the same duties and are subject to regular audits by the disclosing provider to verify compliance.

4. The FTC enforces the statute as violations of unfair or deceptive acts, may promulgate implementing regulations and exemptions, and can expand breach-notice obligations beyond the sensitive-data categories.

5. State attorneys general can sue parens patriae and recover civil penalties calculated by multiplying either days out of compliance or number of harmed users by up to the FTC Act’s maximum per-violation penalty (adjusted for inflation).

Section-by-Section Breakdown


Section 2

Key definitions — who and what the law covers

This section sets the covered population: "online service providers" engaged in interstate commerce that collect data linked or reasonably linkable to individuals or devices. The statutory definitions are broad: "individual identifying data" captures linkable device data as well as user identifiers, and "sensitive data" enumerates categories (SSN, government ID numbers, financial credentials, biometric data, account access, health information, nonpublic communications, and certain name-plus-data combinations). Compliance starts with these labels because duties and notice triggers reference them directly.

Section 3(a)–(b)

Three affirmative duties: care, loyalty, confidentiality

Subsection (a) announces duties; subsection (b) operationalizes them. The duty of care requires reasonable security safeguards for individual-identifying data and prompt user notice for breaches that expose sensitive data (with FTC authority to add categories). The duty of loyalty is a behavioral restraint: providers may not use data in ways that benefit themselves while foreseeably causing material physical or financial harm to users or in ways that would be "unexpected and highly offensive" to a reasonable user. The duty of confidentiality restricts disclosures and sales, conditioning transfers on recipient contracts that impose identical duties and on periodic auditing by the disclosing provider.

Section 3(c)–(e)

Flowdown to third parties and FTC exemption authority

The bill extends the three duties to any person who receives data from a covered provider — so processors, analytics vendors, ad networks, and others pick up the same obligations. The FTC can promulgate regulations to exempt whole categories of providers or recipients based on size, complexity, activities, and data sensitivity; when doing so the agency must consider costs and benefits. This creates a two-stage compliance path: baseline statutory duties plus potential FTC-tailored exceptions or thresholds.

Section 4

Enforcement: FTC powers and state parens patriae suits

Violations count as unfair or deceptive acts under the FTC Act, giving the Commission its usual investigatory and remedial tools and rulemaking authority. The statute explicitly allows the FTC to reach nonprofits and common carriers. It also empowers state attorneys general to sue on behalf of residents, obtain relief, and recover scaled civil penalties: the penalty multiplies either days of noncompliance or the number of harmed users by up to the FTC Act’s maximum per-violation amount (with inflation adjustments). The FTC may intervene in state actions; if the FTC itself brings an enforcement action against a defendant, states may be limited from bringing parallel suits on the same facts while the FTC action is pending.

Section 5

Waivers unenforceable

The Act bars contractual or other waivers of the rights and remedies it creates. Practically, providers cannot rely on end-user terms that attempt to waive these statutory protections or shift liability away from duties imposed by Congress.

Section 6

Relation to other laws

The bill states it does not alter or supersede other federal or state privacy and security laws and does not limit the FTC’s authority elsewhere. That language preserves sectoral regimes (e.g., HIPAA, GLBA, COPPA) but will require crosswalks where obligations overlap or differ in substance or standard.

Section 7

Effective date and applicability

The Act takes effect on enactment, but section 3’s duties apply 180 days after enactment. That window creates a short implementation period for providers to review data inventories, update contracts, and establish auditing routines — though the FTC’s subsequent rulemaking can change obligations or timelines.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers and end users — gain an affirmative legal baseline for how platforms must treat data, including breach notice for a broad set of "sensitive" categories and a prohibition on exploitative data uses that cause physical or financial harm.
  • State attorneys general and consumer protection officials — obtain express parens patriae authority with a calculable civil-penalty mechanism to pursue large-scale privacy harms on behalf of residents.
  • Privacy-first vendors and security-service providers — increased demand for auditing, compliance tooling, and secure alternatives as platforms contractually require recipients to meet the statute’s duties.

Who Bears the Cost

  • Large online platforms, ad tech firms, and data brokers — face expanded legal duties, likely higher compliance costs, stricter limits on monetization practices, and greater exposure to enforcement and penalties.
  • Third-party processors and downstream vendors — must accept statutory duties, submit to contractual obligations and audits, and may need to change practices or bear the costs of additional security controls and certifications.
  • The Federal Trade Commission and state AG offices — will need to develop rulemaking, guidance, audit standards, and enforcement resources to implement the law; that work represents administrative costs and requires technical expertise.

Key Issues

The Core Tension

The central dilemma is balancing enforceable consumer protections against creating vague, wide-ranging obligations that could chill legitimate data uses and impose heavy compliance burdens: the bill replaces a consent-centered system with affirmative duties that better protect users, but those duties are deliberately open-ended and will hinge on rulemaking and adjudication, which risks unpredictability and uneven enforcement across jurisdictions.

The statute builds a duty-based framework but leaves key thresholds and standards undefined. Phrases like "reasonably secure," "reasonably foreseeable and material physical or financial harm," and "unexpected and highly offensive" are legal standards that will require agency interpretation, litigation, and industry guidance to yield predictable compliance obligations.

The FTC’s rulemaking authority is central: the Commission can expand breach-notice obligations, exempt provider categories, and adopt implementing regulations — meaning much of the operational detail will arrive after enactment via rulemaking, not in the statute.

The bill’s flowdown and audit requirements create practical chain-of-contract obligations that could significantly increase compliance costs, especially in complex ad-tech and cloud ecosystems where data passes through many intermediaries. At the same time, the statutory assurance that the law does not supersede sectoral protections leaves open questions about conflicts between this duty framework and existing rules (for example, HIPAA’s narrower covered entities model or GLBA’s financial-sector standards).

Finally, the state enforcement regime — with a penalty formula tied to days out of compliance or number of harmed users — could produce aggressive state-level litigation and inconsistent interpretations unless the FTC rapidly issues clear standards.
