
On March 19, Rep. Zoe Lofgren (D-CA-18) reintroduced the Online Privacy Act, legislation that would establish a comprehensive national baseline for how U.S. companies collect, use, process, and share Americans’ personal data online. This is the fourth time Lofgren has introduced the bill (previously in the 116th, 117th, and 118th Congresses, often with former Rep. Anna Eshoo). The bill, H.R. 8014 (Online Privacy Act of 2025), aims to address the lack of a unified federal privacy law amid growing data collection, behavioral targeting, and AI-driven systems.
For privacy compliance professionals, data protection officers, and legal teams at tech, e-commerce, and data-driven companies, this reintroduction deserves close attention. Passage is uncertain in a divided Congress, but the bill's provisions draw heavily on GDPR-style principles and go beyond most U.S. state laws: strict data minimization, a new dedicated enforcement agency, and criminal penalties for doxxing.

Why Now? The Persistent Federal Privacy Gap
The United States still has no comprehensive federal data privacy law. Companies must navigate a patchwork of state laws (CCPA/CPRA, Colorado Privacy Act, Virginia CDPA, and others), sector-specific rules (HIPAA, GLBA, COPPA), and FTC enforcement under Section 5. At the same time, the volume and sensitivity of personal data — including browsing history, location, biometrics, and inferred profiles — continue to expand rapidly with AI.
Rep. Lofgren stated:
“Privacy is a fundamental right, but for too long, Congress has failed to set clear nationwide rules to protect Americans’ personal data. The Online Privacy Act gives Americans the power to view, correct, and delete their information. This legislation shifts power back to the people and ensures federal law finally catches up to the realities of the 21st century.”
The bill has support from groups like Public Knowledge and Free Press Action, which emphasize strong data minimization, anti-discrimination protections, and a private right of action — especially important in the age of AI.
Online Privacy Act Provisions
The bill focuses on individual rights, company obligations, and strong enforcement. Here are the most relevant elements for compliance programs:
Strong Data Minimization and Purpose Limitation
Covered entities must clearly articulate the need for, and minimize, the personal information they collect, process, disclose, or maintain. This goes further than most current U.S. laws, which generally permit broad collection as long as it is disclosed in a privacy policy. In practice, companies would likely need to document, for each category of data, why it is collected and for what purpose.
Individual Rights
Right to access, correct, delete, and port their data (including sources and third-party sharing).
Right to choose how long their data is retained (with explicit consent needed for indefinite retention).
Right to human review of automated decisions that cause significant privacy harms (e.g., impacts on employment, credit, housing, or finances).
Opt-in consent required for behavioral personalization (renewed annually), with a non-personalized option offered.
Right to be informed when contact data is collected without a prior relationship.
Small-business exemption: entities below revenue, employee-count, and data-volume thresholds are exempt from several of these requirements.
Important Prohibitions
Ban on using private communications (emails, web traffic) for advertising or invasive purposes.
Criminal prohibition on doxxing (up to 5 years imprisonment).
Limits on employee and contractor access to user data.
Anti-discrimination protections in data processing.
New Digital Privacy Agency (DPA)
The bill creates an independent federal Digital Privacy Agency with rulemaking authority, investigation powers, and dedicated funding. The DPA would handle enforcement, issue regulations, manage complaints, and absorb certain FTC privacy functions.
Enforcement and Remedies
Civil penalties based on the scale of violations.
Private right of action allowing individuals (and nonprofits for class actions) to seek damages and injunctive relief.
Enforcement rights for state attorneys general.
Whistleblower protections and rewards.
Effective Date and Preemption
The law would take effect one year after enactment. It does not fully preempt stronger state laws — better consumer protections at the state level would remain in force.
What This Means for Your Compliance Program
If passed in its current form, organizations would likely need to:
Strengthen data inventories and mapping to support strict minimization and purpose limitation.
Update consent and preference management systems for opt-in personalization, retention choices, and annual renewals.
Enhance systems for handling data subject requests (access, correction, deletion, portability) with faster timelines and human-review processes.
Prepare for oversight by a new dedicated regulator.
Incorporate civil-rights and anti-discrimination reviews into AI and data processing activities.
The bill borrows from GDPR (individual rights, minimization, a dedicated regulator) while adding U.S.-specific elements such as doxxing criminalization and a focus on behavioral personalization. It is more prescriptive than current state laws. Because it would not preempt stronger state protections, it would establish a national floor rather than a single uniform standard, but even that floor would be a significant step toward consistency.
Next Steps for Privacy Teams
Even if the bill does not pass this Congress, its reintroduction highlights ongoing momentum for federal privacy legislation. Forward-looking organizations are already:
Running gap assessments against the bill’s requirements.
Tightening data minimization and retention policies.
Testing scalable consent and rights-fulfillment workflows.
Monitoring activity in the House Energy and Commerce Committee.
Captain Compliance was designed for exactly this type of regulatory evolution — with tools for centralized privacy program management, automated DSAR handling, consent tracking, data mapping, and audit-ready reporting. These features help you stay prepared no matter how federal or state privacy rules develop.
We will continue tracking H.R. 8014 and any related developments. If your team wants help benchmarking your program against this bill or running a compliance gap analysis, our platform is ready to support you. If you would like to read the full text, see the Online Privacy Act text.
