Senator Hassan, Colleagues Reintroduce Legislation to Protect People’s Personal Data Online

Data Care Act Will Stop Websites and Apps from Using Personal Data to Harm Users, Protect User Information from Hacks, and Hold Companies Accountable for Misuse

WASHINGTON – Senator Maggie Hassan (D-NH) today joined Senator Brian Schatz (D-HI) and 15 of their colleagues in reintroducing legislation to protect people’s personal data online. The Data Care Act would require websites, apps, and other online providers to take responsible steps to safeguard personal information and stop the misuse of users’ data.


“When you go to the doctor, or to the bank, you expect that the information you give will not be misused – and we should have that same standard when making a purchase or providing personal information online,” Senator Hassan said. “There’s no reason that consumers should be forced to wade through dense terms and conditions of service agreements – or forgo online services entirely – so that companies do not exploit their data. This is a commonsense bill to ensure that online service providers are acting in the best interests of their customers.”


Doctors, lawyers, and bankers are legally required to exercise special care to protect their clients and not misuse their information. While online companies also hold personal and sensitive information about the people they serve, they are currently not required to safeguard consumers’ data in the same way. This leaves users in a vulnerable position; they are expected to understand or predict how the information that they give to providers can be used – an unreasonable expectation for even the most tech-savvy consumer. By establishing an explicit duty for online providers, Americans can trust that their online data is protected and used in a responsible way.


The Data Care Act establishes reasonable duties that will require providers to protect user data and will prohibit providers from using user data to the user’s detriment:


  • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene. States and the FTC may go after both first- and third-party data collectors;
  • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.