[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 2367 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 2367
To establish a Federal tort relating to the appropriation, use,
collection, processing, sale, or other exploitation of individuals'
data without express, prior consent.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 21, 2025
Mr. Hawley (for himself and Mr. Blumenthal) introduced the following
bill; which was read twice and referred to the Committee on the
Judiciary
_______________________________________________________________________
A BILL
To establish a Federal tort relating to the appropriation, use,
collection, processing, sale, or other exploitation of individuals'
data without express, prior consent.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``AI Accountability and Personal Data
Protection Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Appropriate, use, collect, process, sell, or otherwise
exploit.--The term ``appropriate, use, collect, process, sell,
or otherwise exploit'' includes--
(A) the training of a generative artificial
intelligence system that is sold, rented, licensed, or
otherwise used by the provider of the generative
artificial intelligence system; and
(B) the generation, by a generative artificial
intelligence system, of any covered data that pertains
to an individual, including content that imitates,
replicates, or is substantially derived from the
covered data of the individual.
(2) Artificial intelligence.--The term ``artificial
intelligence'' has the meaning given that term in section 5002
of the National Artificial Intelligence Initiative Act of 2020
(15 U.S.C. 9401).
(3) Artificial intelligence system.--The term ``artificial
intelligence system'' means any data system, software,
hardware, application, tool, or utility that operates, in whole
or in part, using artificial intelligence.
(4) Covered data.--The term ``covered data''--
(A) means any information, data, or material,
regardless of form or format, that--
(i) identifies, relates to, describes, is
capable of being associated with, or can
reasonably be linked, directly or indirectly,
with a specific individual;
(ii) is derived, inferred, or generated
from information described in clause (i), or is
used to derive, infer, or generate information
described in clause (i); or
(iii) is generated by an individual and is
protected by copyright, regardless of whether
the copyright has been registered with the
United States Copyright Office or any other
registration authority; and
(B) includes--
(i) personally identifiable information;
(ii) unique identifiers, such as device
IDs, advertising IDs, or IP addresses;
(iii) geolocation data;
(iv) biometric information;
(v) behavioral data, such as browsing
history or purchasing patterns; or
(vi) inferred, derived, or predicted data
used to create a profile about an individual or
group of individuals.
(5) Express, prior consent.--The term ``express, prior
consent'' means a clear, affirmative act by an individual, made
in advance of any appropriation, use, collection, processing,
sale, or other exploitation of covered data, indicating a
freely given, informed, and unambiguous consent to the specific
appropriation, use, collection, processing, sale, or other
exploitation of covered data of the individual.
(6) Generative artificial intelligence system.--The term
``generative artificial intelligence system'' means an
artificial intelligence system that is capable of generating
novel text, video, images, audio, and other media based on
prompts or other forms of data provided by an individual.
(7) Personally identifiable information.--The term
``personally identifiable information'' means information that
can be used to distinguish or trace the identity of an
individual, either alone or when combined with other personal
or identifying information that is linked or linkable to a
specific individual.
(8) Predispute arbitration agreement.--The term
``predispute arbitration agreement'' means an agreement to
arbitrate a dispute that has not yet arisen at the time of the
making of the agreement.
(9) Predispute joint-action waiver.--The term ``predispute
joint-action waiver'' means an agreement, whether or not part
of a predispute arbitration agreement, that would prohibit, or
waive the right of, one of the parties to the agreement to
participate in a joint, class, or collective action in a
judicial, arbitral, administrative, or other forum, concerning
a dispute that has not yet arisen at the time of the making of
the agreement.
SEC. 3. FEDERAL TORT FOR MISUSE OF COVERED DATA.
(a) Liability.--Any person who, in or affecting interstate or
foreign commerce, appropriates, uses, collects, processes, sells, or
otherwise exploits the covered data of an individual, without the
express, prior consent of the individual, shall be liable to the
individual in accordance with this section.
(b) Private Right of Action.--
(1) In general.--Any individual whose covered data is
appropriated, used, collected, processed, sold, or otherwise
exploited without the express, prior consent of the individual
as described in subsection (a) may bring a civil action in an
appropriate district court of the United States or a State
court of competent jurisdiction against any person who--
(A) engaged in the appropriation, use, collection,
processing, sale, or other exploitation of the covered
data; or
(B) aided and abetted another person in the
appropriation, use, collection, processing, sale, or
other exploitation of the covered data.
(2) Remedies.--An individual prevailing in a civil action
brought under paragraph (1) may recover--
(A) compensatory damages in an amount equal to the
greater of--
(i) actual damages;
(ii) treble any profits from the
appropriation, use, collection, processing,
sale, or other exploitation of the covered data
of the individual as described in subsection
(a); or
(iii) $1,000;
(B) punitive damages;
(C) injunctive relief; and
(D) attorney's fees and costs.
(3) Affirmative defense of consent.--
(A) In general.--It shall be an affirmative defense
to a civil action under paragraph (1) brought by or on
behalf of an individual whose covered data was
appropriated, used, collected, processed, sold, or
otherwise exploited if the defendant demonstrates that
the individual provided express, prior consent for such
appropriation, use, collection, processing, sale, or
other exploitation of the covered data of the
individual.
(B) Invalid grounds for consent.--Consent to the
appropriation, use, collection, processing, sale, or
other exploitation of covered data shall not be deemed
valid if such consent was obtained--
(i) through coercion or deception; or
(ii) as a condition of using a product or
service through which the appropriation, use,
collection, processing, sale, or other
exploitation of the covered data exceeds what
is reasonably necessary to provide that product
or service.
(c) Inapplicability of the Federal Arbitration Act.--
(1) In general.--Notwithstanding any other provision of
law, including chapter 1 of title 9, United States Code
(commonly known as the ``Federal Arbitration Act''), a
predispute arbitration agreement or predispute joint-action
waiver shall not be valid or enforceable with respect to any
claim arising under this Act.
(2) Unenforceable agreements.--Any agreement purporting to
waive, limit, or preclude the right of an individual to bring
an action in a court of law or to participate in a joint,
class, collective, or representative action concerning any
claim arising under this Act shall be deemed contrary to public
policy and shall be null, void, and unenforceable.
(3) Determination under federal law by federal court.--An
issue as to whether this Act applies with respect to a dispute
shall be determined under Federal law. The applicability of
this Act to an agreement to arbitrate and the validity and
enforceability of an agreement to which this Act applies shall
be determined by a court, rather than an arbitrator,
irrespective of whether the party resisting arbitration
challenges the arbitration agreement specifically or in
conjunction with other terms of the contract containing such
agreement, and irrespective of whether the agreement purports
to delegate such determinations to an arbitrator.
(4) Collective bargaining agreements.--Nothing in this Act
shall apply to any arbitration provision in a contract between
an employer and a labor organization or between labor
organizations, except that no such arbitration provision shall
have the effect of waiving the right of a worker to seek
judicial enforcement of a right arising under a provision of
the Constitution of the United States, a State constitution, or
a Federal or State statute, or public policy arising therefrom.
(d) Specific Disclosure of Third Parties Required.--
(1) In general.--Consent required under subsection (a)
shall not be valid for the appropriation, use, collection,
processing, sale, or other exploitation of covered data by or
to any third party unless--
(A) each third party is specifically and clearly
disclosed to the individual to whom the covered data
pertains at the time consent is sought; and
(B) the disclosure described in subparagraph (A) is
affirmatively presented to the individual to whom the
covered data pertains in a manner that ensures the
disclosure is seen and acknowledged.
(2) Presentation.--Any disclosure described in paragraph
(1)--
(A) shall be presented distinctly and separately
from any privacy policy, terms of service, or other
general conditions or agreements; and
(B) shall not be satisfied by the mere inclusion of
a hyperlink or general reference to a privacy policy,
user agreement, or other similar document.
(3) Invalid consent.--Any purported consent for the
appropriation, use, collection, processing, sale, or other
exploitation of covered data by or to any third party obtained
solely by inclusion within such general documents described in
paragraph (2) or via non-specific or passive disclosure shall
be invalid and unenforceable.
SEC. 4. RELATIONSHIP TO EXISTING LAW.
(a) No Preemption of Existing State Laws.--Nothing in this Act
shall be construed to preempt or limit any law, rule, regulation, or
common law doctrine of any State that is in effect as of the date of
enactment of this Act.
(b) Minimum Standard.--This Act shall be construed as establishing
a minimum standard for the tort described in section 3(a), and nothing
in this Act shall be deemed to prohibit or restrict the application of
any State law, rule, regulation, or common law doctrine that provides
greater or additional rights, remedies, or protections than the rights,
remedies, and protections provided under this Act.
<all>