The Government Surveillance Reform Act of 2026 imposes substantive limits on intelligence and law-enforcement uses of bulk foreign-intelligence collection and commercial data. It bars warrantless queries that target or retrieve communications or other sensitive information of ‘covered persons’ (United States persons or people known or believed to be in the U.S.), requires detailed query documentation and automated attribution, and establishes five-year destruction rules for non‑foreign‑intelligence content collected under Section 702.
The bill also adds a judicial gate for technical assistance demands on providers, prohibits reverse targeting of known U.S. persons, and narrows which entities may be compelled to assist under Section 702 directives.
Outside FISA, the bill bans federal law enforcement from purchasing covered personal data from data brokers (with narrow exceptions), requires warrant protections for location, web-browsing and search-query records under ECPA, and creates a new federal prohibition on warrantless access to vehicle telematics and onboard data (subject to consent and emergency exceptions). It layers more transparency, IG audits, amici curiae roles for the FISC, and penalties and personnel-accountability requirements for willful or repeated surveillance violations.
For compliance officers and counsel, this is a cross-cutting operational and reporting shift for intelligence agencies, DOJ, service providers, and data brokers.
At a Glance
What It Does
The bill prohibits warrantless queries and uses of communications and other covered information about U.S. persons or people located in the United States unless a narrowly defined exception applies; it requires electronic records for every query and access and forces destruction of non‑foreign‑intelligence content within five years. It also bans federal purchases of covered personal data from data brokers (subject to specific statutory exceptions), adds stronger ECPA protections for location, browsing and search history, and imposes a warrant requirement or express consent regime for access to vehicle telematics.
Who It Affects
Intelligence agencies and DOJ (new query documentation, warranting, and retention duties); electronic communication and cloud providers (adjudicated technical‑assistance directives, reporting, and compliance systems); data brokers (prohibition on sales to federal law enforcement); consumer device and automotive telematics vendors (new vehicle data access rules); and state/local law enforcement (reporting requirements and limits on data-sharing with federal agencies).
Why It Matters
The bill changes the default: collection and contractor assistance remain possible, but queries, retention, and downstream use of U.S.-person data are tightly limited and auditable. That shifts compliance risk from narrow legal authorization toward operational controls, recordkeeping, and greater judicial and inspector‑general scrutiny—raising program-management, provider‑cost, and disclosure considerations for legal and privacy teams.
What This Bill Actually Does
The Act rewrites how the federal government can query, use, and keep information derived from foreign-intelligence collection and from commercial datasets. It creates the concept of a ‘covered person’—either a U.S. person or someone known or believed to be in the United States—and forbids routine, warrantless queries that retrieve communications content or other information that, if sought for domestic law enforcement, would require a probable‑cause warrant.
Queries that do proceed must be justified with a stated foreign‑intelligence purpose and recorded in an audit-ready system that ties every search term and automated query back to a responsible officer.
Operational exceptions are narrow: a covered person who is the subject of a court order or warrant, a case of consent, narrowly defined emergency uses (with post‑hoc reporting), and defensive cybersecurity lookups. For emergency accesses that are later disapproved or not authorized, the Act bars use of the accessed material in investigations or prosecutions.
The Attorney General must assess compliance, and the Act requires heads of agencies to install query‑record systems and report on compliance within 90 days.
On retention, the Act mandates procedures to destroy “covered information” (evaluated or unevaluated content connected to covered persons) within five years of collection unless preserved for pending litigation or active investigations. On technical assistance, the Act forces the government to show necessity and narrow tailoring before directing provider assistance under Section 702 and requires FISC approval of the provider‑specific assistance method.
Titles outside Section 702 make discrete but significant changes.
The Fourth Amendment Is Not For Sale Act prohibits federal law enforcement from buying covered personal data from data brokers unless limited statutory exceptions apply (public‑data exceptions exclude biometrics and location). The bill also modernizes ECPA: warrants are required for prospective and historical location, web‑browsing and search‑query records; subpoenas for subscriber data are tightened; and penalties, notice, and reporting mechanisms are expanded.
Finally, vehicle data are elevated: the bill creates a new chapter that requires warrants to access telematics and onboard data from noncommercial vehicles, except for express consent (with strict consent requirements) and emergency uses.
The Five Things You Need to Know
The bill bans accessing ‘covered information’ returned by a ‘covered query’—queries tied to U.S. persons or people located in the U.S.—unless the query meets a foreign‑intelligence purpose or one of narrow exceptions (consent, warrant/order, emergency, defensive cybersecurity).
Agencies must create an electronic record for every query and access that logs search terms, date, operator identifier, and a written justification; automated queries must be attributable to the responsible employee.
Covered information collected under Section 702 must be destroyed within five years unless the Attorney General documents a written exception for litigation preservation or ongoing investigation use.
The Fourth Amendment Is Not For Sale Act (Title II) prohibits federal law enforcement purchases of ‘covered personal data’ from data brokers, with limited carve‑outs (e.g. compelled production under statutorily authorized compulsory process and narrowly defined public‑data exceptions that explicitly exclude biometrics and location data).
The bill creates a warrant regime (or strict consent alternative) for vehicle telematics and on‑board data for noncommercial vehicles, and makes evidence obtained in violation presumptively inadmissible.
Section-by-Section Breakdown
Stricter limits on Section 702 queries, reverse targeting, and retention
Title I places the operational burden on query‑level controls. It redefines key terms (covered person, covered query, covered information), prohibits accessing covered information returned by covered queries absent tight exceptions, and requires agencies to document every query/access in an auditable system. The Title also curbs reverse targeting (no intentional targeting of foreign persons when a significant purpose is to collect known covered‑person data), requires the primary purpose for Section 702 acquisitions to be foreign intelligence, and caps retention of evaluated and unevaluated covered information at five years unless expressly extended for litigation or active investigations.
Fourth Amendment Is Not For Sale — bans federal purchases from data brokers
This Title amends 18 U.S.C. 2702 to bar federal agencies from obtaining covered personal data in exchange for anything of value from commercial data brokers, with enumerated exceptions: certain lawfully obtained public data (excluding biometrics and location), compelled production under compulsory legal process that reimburses provider costs (e.g., NSLs in statute), background checks with consent, employment uses, and narrowly defined whistleblower‑award disclosures. It also requires minimization, auditing, and transparency reporting for acquisitions that involve compilations of mixed data.
Court supervision, accuracy certifications, and accountability for violations
Title III puts more of the FISA process under court and independent review: it creates a judicial warrant requirement for targeting U.S. persons or persons inside the U.S. for content or location‑style acquisitions; it imposes accuracy‑procedure certifications for all FISA applications (applicants must document supporting material and certify reviews); and it mandates IG audits. The Title also expands amici curiae roles (technical and civil‑liberties experts), allows amici to seek higher court certification, requires the DOJ to keep written records of its FISC interactions, and sets personnel consequences for willful or repeated violations—including a presumption in favor of termination in severe cases.
Reforms to non‑FISA intelligence surveillance activities
Title IV mirrors several of Title I's protections for intelligence activities carried out outside the FISA framework. The bill extends the covered‑query and reverse‑targeting concepts to other foreign‑intelligence collection, prohibits warrantless acquisition of purely domestic communications, requires minimization and destruction rules for unevaluated datasets, and obligates DNI reporting on acquisitions that include covered persons. It also requires public reporting of violations and declassification of certain records of wrongdoing.
Independent oversight: IGs, PCLOB parity, and reporting of AG immunity certifications
Title V enhances independent oversight. It directs IGs at DOJ and each element of the IC to audit FISA applications and Section 702 directives and to report findings publicly (subject to redactions). It expands whistleblower protections and pay parity for the Privacy and Civil Liberties Oversight Board staff, and requires timely congressional notice when DOJ grants or certifies provider immunity or issues ongoing certifications for provider assistance.
ECPA modernization: location, browsing, queries, and metadata
Title VI updates ECPA: it adds statutory definitions and warrant protections for historical and prospective location information, web‑browsing records, and search‑query records; it harmonizes subpoenas for subscriber records across providers; and it narrows exceptions for real‑time metadata collection by requiring specific and articulable facts (closer to a probable‑cause standard for some metadata tools). The Title also modernizes public reporting, and requires DOJ to publish machine‑readable forms for court reporting.
Car‑data protections: warrant rule for vehicle telematics
This new chapter of title 18 protects noncommercial vehicle telematics and on‑board data: federal agents must obtain a warrant to access telematics and event data recorders except where the vehicle operator gives express, informed consent (with specific consent elements), or a narrowly defined emergency exists. Evidence obtained without compliance is presumptively inadmissible, and certain event‑recorder accesses are limited to safety exceptions set out in the Driver Privacy Act.
Transparency and reporting
Title VIII increases public and congressional transparency: it expands the administrative‑office and DNI reporting items (FISC certifications, amici appointments, counts of directives and queries, dissemination statistics showing masked vs. unmasked U.S.‑person identities), requires a DNI estimate of U.S. persons collected under Section 702, and directs the PCLOB to report on the use of surveillance authorities against protected activities and classes. It also requires timely declassification reviews of significant FISC opinions.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- United States persons and individuals located in the U.S.: The bill restricts warrantless queries and sets retention limits, reducing incidental collection and downstream use of their communications, browsing history, and location data.
- Privacy and civil‑liberties organizations: Expanded transparency (declassification deadlines, enhanced reporting, amici curiae access) and new statutory causes of exclusion (inadmissibility where emergency queries were not later approved) strengthen oversight tools.
- Consumers whose data are held by data brokers: Federal bans on law‑enforcement purchases of covered personal data cut a revenue stream for brokers and reduce the ease with which personal profiles are shared with federal agencies.
- Owners of noncommercial vehicles and vehicle occupants: Warrant requirements and strict consent rules limit law‑enforcement access to telematics and onboard recordings and make improperly obtained data less likely to be used as evidence.
Who Bears the Cost
- Intelligence community and DOJ operational units: New query justification, auditing, documentation, and retention processes create programmatic overhead, require system changes, and may constrain some collection and analytic workflows.
- Electronic communication, cloud, and telematics providers: These companies must respond to orders only after stricter FISC sign‑off for technical assistance, implement attribution for automated queries, and build capabilities to meet reporting and cybersecurity‑assistance constraints—raising compliance and legal costs.
- Data brokers: The federal purchasing ban eliminates a market, requiring business model adjustments and exposing them to new certification and attestation duties where public‑data exceptions apply.
- Federal courts and FISC: Expanded amici program, declassification duties, IG audits, and certification reviews increase workload for judges and court support staff, and may require new administrative processes.
Key Issues
The Core Tension
The central dilemma is pragmatic: the bill tightens civil‑liberties guardrails (query bans, retention limits, purchase prohibitions) to reduce incidental exposure of U.S. persons but simultaneously imposes operational and technical burdens that can slow or complicate legitimate national‑security and public‑safety uses—forcing agencies to choose between speed and comprehensive legal compliance, with emergency exceptions that are narrow and risky if not followed by rapid judicial approval.
The bill resolves privacy gaps but creates serious implementation and operational tensions. One pragmatic problem is attribution and automation: the statute requires that automated queries be attributed to an officer who is the ‘proximate cause’ of the search and that all query terms, justifications, and operator identifiers be logged.
Agencies must make engineering changes across legacy systems to create audit trails that are complete, tamper‑resistant, and searchable—work that is expensive, time‑consuming, and dependent on vendor cooperation. Failure to implement robust systems will leave agencies vulnerable to internal noncompliance and the evidentiary exclusions the bill triggers.
Emergency exceptions are tightly constrained by reporting and post‑hoc approval rules. That protects privacy but creates a timing risk in life‑threat scenarios—agencies must balance speed and later exposure to criminal or administrative exclusion if a court denies retroactive authorization.
Similarly, the ban on federal purchases from data brokers will likely push agencies to seek alternate pathways (compelled process, data sharing with state/local partners, or development of in‑house data collection), stimulating legal disputes over intergovernmental data transfers and the line between lawful public data and informally monetized datasets.
Finally, definitional ambiguities in novel statutory terms such as ‘covered query’, ‘covered information’, and the contours of ‘foreign intelligence purpose’ will drive litigation and FISC guidance requests. The Act delegates substantial interpretive work to the Attorney General and the courts—expect years of rule‑making, FISC opinions, and DOJ guidance that will shape the practical effect of many sections.