WeVote

Bill

Bill

S 4211

Consumer Data Privacy and Security Act of 2026

119th Congress Introduced by Jerry Moran

S. 4211 establishes a comprehensive federal privacy framework that grants individuals strong rights over their data, imposes strict security requirements, and enforces compliance p

Introduced in Senate
0
WeVote Research Nonpartisan
Bill Summary · S 4211

Summary: Consumer Data Privacy and Security Act of 2026 (S. 4211, 119th Congress)

Purpose and overall aim
- Establish a comprehensive federal framework to protect consumer privacy and data security.
- Create uniform federal standards that preempt most state privacy laws, while preserving certain state-law carve-outs and existing federal protections.
- Empower the Federal Trade Commission (FTC) to enforce the Act, with related enforcement by state Attorneys General and a role for common carriers and nonprofit organizations.

Key provisions and changes

1) Definitions (Section 2)
- Establishes core terms: personal data, collection, processing, service provider, covered entity, de-identify, delete, privacy officer, meaningful consent, etc.
- Defines “sensitive personal data” (e.g., SSN, health data, financial data, biometric data, precise geolocation, race/ethnicity, etc.) and sets limits on handling.
- Distinguishes between covered entities and service providers; excludes certain employee data and publicly available information from protections in specific circumstances.
- Introduces the concept of pseudonymization and determines materials for which information is considered linked or linkable to an individual.

2) Collection and Processing of Personal Data (Section 3)
- General rule: a covered entity may collect/process personal data only with explicit or implicit consent for a specific purpose, or based on permissible purposes (Section 3(c)).
- Third-party data handling: when a covered entity discloses data to a third party, or a service provider processes data on behalf of a covered entity, notices and consent requirements apply; third parties must also exercise due diligence.
- Implied consent framework, with explicit consent required for sensitive data or for disclosures to third parties for purposes not described in the notice.
- Material changes to policies require notification to affected individuals; in some cases, service providers must notify the covered entity or modify processing accordingly.

3) Individual Rights (Section 5)
- Privacy controls: entities must provide accessible ways for individuals to exercise rights (access, deletion, correction, data portability, etc.) at no cost initially.
- Right to access: verified requests must yield a copy of personal data and list of third-party disclosures; data portability in machine-readable formats where feasible.
- Rights to accuracy, correction, and dispute resolution processes.
- Right to erasure (deletion) with small-business considerations for timely compliance.
- Verification requirements: identity verification for requests; additional information allowed if needed to confirm identity.
- Limitations and declines: entities may decline requests under specified conditions (e.g., feasible re-identification risks, legal obligations, security concerns).

4) Security (Section 6)
- Entities must implement a comprehensive data security program with administrative, technical, and physical safeguards.
- Programs must be appropriate to size, complexity, data sensitivity, and risk; include risk assessments, access controls, incident response, and regular reviews.
- Requires safeguards for third-party data transfers and ongoing assessments for vulnerabilities.

5) Accountability (Section 7)
- Applies to entities that process large-scale data (over 20 million individuals or significant sensitive data).
- Requires a designated privacy officer, duties to oversee compliance, and coordination with the FTC and other authorities.
- Requires privacy impact assessments for material changes involving sensitive data, with formal approvals and documentation.

6) Service Providers (Section 8)
- Service providers must contractually bind to the covered entity’s directions, purposes, and processing limits.
- Due diligence required; service providers must notify changes and assist in responding to data-rights requests.
- Subcontractor clauses ensure downstream contractors comply with similar privacy/security obligations.
- Service providers must assist with rights requests and deletion, and must delete data after the service is completed, subject to legal requirements.

7) Enforcement (Section 9)
- FTC enforcement: violations treated as unfair or deceptive acts/practices; FTC Act powers apply to this Act.
- Civil penalties for knowing violations, with penalties tied to the number of affected individuals and other aggravating factors.
- State Attorneys General can bring civil actions; the FTC may intervene in such actions.
- No private right of action for individuals.

8) Federal Preemption and Relations to Other Laws (Section 10)
- Express preemption of most state privacy and security laws related to personal data, with specific, enumerated exemptions (e.g., breach notification laws, FERPA, GLBA, HIPAA privacy rules, employment data laws, etc.).
- Savings for certain federal laws and programs; some existing privacy statutes continue to apply where not inconsistent.
- Compliance with a covered entity’s obligations under other federal laws can satisfy this Act’s requirements.

9) Other Administrative Provisions
- Commission resources, guidance, and reporting requirements to implement and adapt the Act.
- Effective date: Sec. 14 indicates an effective date (text shows provision but not a specific date in the excerpt).

Who is affected

  • Covered entities and service providers that collect or process personal data of individuals in the United States.
  • Large entities (and certain service providers) subject to heightened accountability and privacy-impact assessments.
  • Small businesses receive some exemptions from certain sections (e.g., rights and processing requirements under Section 5).
  • State attorneys general play a role in enforcement alongside the FTC.

Important timeline and process notes

  • The bill sets a framework for when notices and material changes must be communicated to individuals.
  • Privacy impact assessments must be performed before proceeding with material changes involving sensitive data, with the privacy officer approving outcomes.
  • The Act provides an enforcement timeline through penalties and state-federal coordination, but specific dates for enactment (e.g., when compliance starts) would be determined by the enacted version and the effective date in Sec. 14.

Bottom line
- S. 4211 creates a comprehensive federal privacy regime combining consumer rights (access, deletion, data portability), explicit consent standards, strong data-security requirements, and robust FTC enforcement, while aiming to harmonize existing laws through preemption (with enumerated exemptions) to establish a uniform national standard.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.