Privacy Guide | June 5, 2026 | 9 min read

Understanding the Online Privacy Act of 2026

By Sarah Chen

Head of Privacy Research

On March 19, 2026, Representatives Anna Eshoo and Zoe Lofgren introduced HR 8014, the Online Privacy Act of 2026 -- the latest and most ambitious attempt to establish a comprehensive federal privacy framework in the United States. The bill proposes sweeping consumer rights, targets algorithmic manipulation, creates a new enforcement agency, and would fundamentally change how companies collect and use personal data. Here is what the bill does, how it compares to existing laws, and what it means for your privacy -- whether or not it ultimately passes.

What Is the Online Privacy Act of 2026?

The Online Privacy Act of 2026 is a proposed federal law that would create a unified set of privacy rights for all Americans. Unlike the current patchwork of state-level privacy laws -- led by California's CCPA/CPRA, followed by laws in Colorado, Connecticut, Virginia, and others -- this bill would establish a single federal standard that applies nationwide.

This is not the first time this legislation has been introduced. Representatives Eshoo and Lofgren previously introduced versions of the Online Privacy Act in 2019, 2021, and 2023. None of those earlier versions advanced beyond committee. The 2026 version builds on those prior efforts with updated provisions addressing artificial intelligence, algorithmic profiling, and the data broker industry.

HR 8014 is currently in the House Energy and Commerce Committee, with referrals also sent to the House Judiciary Committee and the House Science, Space, and Technology Committee. As of now, the bill has one sponsor.

Why the U.S. Still Lacks a Federal Privacy Law

The United States remains one of the only major democracies without a comprehensive federal privacy law. The European Union enacted the GDPR in 2018. Canada, Brazil, Japan, South Korea, and many other countries have established national privacy frameworks. In the U.S., privacy protection depends on where you live -- California residents have robust rights under the CCPA/CPRA, while residents of many other states have few or no statutory privacy protections. The Online Privacy Act of 2026 aims to close this gap, but previous attempts have failed due to partisan disagreements over enforcement mechanisms, preemption of state laws, and the scope of private right of action.

Key Consumer Rights in the Bill

The Online Privacy Act of 2026 establishes eight core rights for consumers. These would apply to any personal information collected or processed over the internet by a "covered entity" -- essentially any company that collects personal data online, subject to certain small business exemptions.

  • Right of Access: Know what personal data a company has collected about you and obtain a copy in a usable format.
  • Right of Correction: Require companies to fix inaccurate personal information they hold about you.
  • Right of Deletion: Request that a company delete your personal data, with limited exceptions for legal obligations.
  • Right of Portability: Receive your data in a standardized, machine-readable format so you can transfer it to another service.
  • Right to Human Review of Automated Decisions: When an algorithm makes a significant decision about you -- such as denying credit, employment, or housing -- request that a human review that decision.
  • Right of Individual Autonomy: Companies could not use your data to manipulate your behavior. This targets behavioral personalization -- algorithms that profile users and deliver content designed to exploit psychological vulnerabilities.
  • Right to Be Informed: Companies must clearly disclose what data they collect, how they use it, and who they share it with -- in understandable language, not dense legal jargon.
  • Right of Impermanence: Companies could not retain your personal data indefinitely. Data must be deleted after it is no longer necessary for the purpose for which it was collected.

Targeting Behavioral Personalization

One of the bill's most significant provisions targets behavioral personalization -- the use of algorithms to profile individuals and deliver personalized content, recommendations, or advertisements based on behavioral data. Under the bill, companies would need to offer users meaningful alternatives to behaviorally personalized experiences. Users could opt out of algorithmic profiling without losing access to the service.

Enhanced Protections for Children

The bill classifies data belonging to children under 16 as sensitive data, requiring opt-in consent with verified parental consent. This goes significantly beyond COPPA, which only covers children under 13 and has been widely criticized for failing to keep pace with how children actually use the internet.

Data Brokers Would Face New Restrictions

The Online Privacy Act of 2026 would impose significant new obligations on data brokers -- companies that collect and sell personal information without a direct relationship with the individuals whose data they trade. Under the bill, data brokers would be required to honor deletion requests, disclose their data sources, and comply with the same rights framework as any other covered entity. For the millions of Americans whose names, addresses, phone numbers, and other personal details are currently bought and sold without their knowledge or consent, this would represent a major shift in the legal landscape.

A New Digital Privacy Agency

Rather than relying solely on the Federal Trade Commission, the bill would create a dedicated Digital Privacy Agency (DPA) with rulemaking authority, enforcement tools including fines and mandatory practice changes, research capabilities, and public reporting requirements. This mirrors the approach taken by other countries, including the EU's national data protection authorities and the UK's Information Commissioner's Office.

Who Is Covered -- and Who Is Exempt

The bill applies to any covered entity that collects or processes personal information over the internet -- from major technology platforms to e-commerce businesses. However, small business exemptions based on annual revenue, employee count, and data volume thresholds prevent disproportionate compliance burdens on businesses that pose minimal privacy risks.

How It Compares to Existing Laws

Versus the GDPR

The Online Privacy Act shares many structural similarities with the EU's General Data Protection Regulation, including rights of access, deletion, portability, and the creation of a dedicated enforcement agency. However, the GDPR has a broader legal basis framework and includes a private right of action that allows individuals to sue for damages -- a feature whose inclusion in the U.S. bill has been a major point of political contention.

Versus State Laws (CCPA/CPRA, etc.)

California's CCPA and its successor, the CPRA, currently provide the strongest privacy protections available to Americans. The Online Privacy Act would extend similar rights -- and in some cases stronger rights, particularly around algorithmic decision-making and data impermanence -- to all Americans regardless of which state they live in. A key unresolved question is whether the federal law would preempt state laws, replacing them with the federal standard, or whether states would remain free to enact stronger protections.

Will It Pass?

Realistically, the path to passage is difficult. Previous versions in 2019, 2021, and 2023 all failed to advance, and the 2026 version currently has only one sponsor. The major obstacles remain: disagreements over state law preemption, the scope of private right of action, and intense industry lobbying. That said, public support for federal privacy legislation continues to grow, driven by high-profile data breaches and increasing awareness of algorithmic profiling and data broker practices. Even if HR 8014 does not pass in its current form, it establishes the framework that future legislation is likely to build upon.

What You Can Do Right Now

You do not need to wait for Congress to act in order to protect your privacy. There are steps you can take today:

  • Exercise your existing rights: If you live in California, Colorado, Connecticut, Virginia, or another state with a privacy law, use your rights to request data deletion, opt out of data sales, and limit targeted advertising.
  • Opt out of data broker sites: Even without a federal law, you can submit opt-out requests to data broker and people-search sites individually -- though the process is time-consuming and requires ongoing maintenance as brokers re-list your data.
  • Adjust your privacy settings: Review the privacy and advertising settings on every major platform you use. Opt out of personalized advertising where possible. Limit app permissions on your phone.
  • Support the legislation: Contact your representatives and let them know you support comprehensive federal privacy legislation. Public pressure is one of the most effective tools for moving bills through committee.
  • Use privacy-protective tools: Password managers, encrypted messaging apps, VPNs, and privacy-focused browsers all reduce the amount of personal data that companies can collect about you.

How PrivacyOn Helps You Take Control Today

The Online Privacy Act of 2026 would give Americans powerful new rights over their personal data -- if it passes. But regardless of what happens in Congress, the data broker industry continues to collect and sell your personal information right now, today. Waiting for legislation is not a strategy.

PrivacyOn removes your personal information from over 100 data broker and people-search sites -- the same companies that the Online Privacy Act would regulate. With 24/7 continuous monitoring, PrivacyOn detects when brokers re-add your information and removes it again automatically. Dark web monitoring alerts you if your data appears in underground marketplaces. Family plans cover up to 5 people, providing household-wide protection. Plans start at just $8.33 per month.

Federal privacy legislation may eventually give everyone the right to demand data brokers delete their information. Until that day comes, PrivacyOn gives you the tools to exercise that right on your own -- effectively, continuously, and starting today.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
