This is an explainer about proposed legislation, not a prediction that it will pass.
Some of your most sensitive information — where you go and what your health profile looks like — can be bought and sold by companies you've never heard of. A group of US lawmakers wants to make much of that illegal. Led by Senator Elizabeth Warren and, in the House, Representative Mary Gay Scanlon, they have repeatedly introduced the Health and Location Data Protection Act, which would bar data brokers from selling, sharing or licensing Americans' health and location data, according to Warren's office. The push has resurfaced as artificial intelligence sharpens worries about how sensitive data is harvested.
What the bill would do
A data broker is a company that collects personal information — often from apps, websites, loyalty programs and public records — and sells it on, usually without the person's knowledge. The bill would make it broadly unlawful for brokers to sell or transfer two especially sensitive categories: health data and location data. It would task the Federal Trade Commission (FTC) with writing rules to enforce the ban and let the FTC, state attorneys general and harmed individuals take action, per coverage of the legislation. It carves out exceptions — for example, data already covered by health-privacy law (HIPAA), legitimate journalism, and uses with genuine consumer consent.
Why now — the AI angle
Two forces have revived the issue. First, documented harms: location data has been used to identify people visiting reproductive-health clinics, addiction-treatment centers and mental-health facilities, raising safety and surveillance concerns. Second, the AI boom. Modern AI systems are built on enormous quantities of data, and AI and ad-tech firms increasingly buy bulk datasets — including detailed consumer health and location profiles — to train and target their models. A blanket ban on selling that data would cut directly into those pipelines.
Underlying it all is a gap: the US has no comprehensive federal privacy law like the EU's GDPR. Health information collected by wearables and apps typically falls outside HIPAA, so it can flow to brokers largely unregulated. That patchwork is what bills like this try to address.
The business stakes
For our readers, this is a business-model story as much as a privacy one. The data-broker industry is large and growing — valued in the hundreds of billions of dollars globally — and personal data underpins big chunks of advertising, marketing and, increasingly, AI. A ban on trading health and location data would impose real compliance costs and restrict access to training and targeting data for brokers, ad-tech players and AI developers alike. It's part of a wider tightening of rules around AI and data that companies are now having to plan for.
Will it pass?
History counsels caution. Versions of this bill have been introduced in prior Congresses and did not advance, and in a closely divided Washington its odds are uncertain. But the direction of travel is clear: states have moved (Vermont and California, among others, regulate data brokers), regulators have stepped up scrutiny, and the political appetite to rein in data sales — especially around health and location — keeps growing.
The bottom line
Whether or not this particular bill becomes law, it captures a real and rising tension: the business of selling personal data is colliding with mounting public and political pressure, and AI is intensifying both the demand for data and the worry about how it's used. For companies whose models depend on buying personal information, the safe assumption is that the rules are tightening — the only real questions are how fast, and at what level. For everyone else, it's a reminder of just how freely sensitive data can change hands today.
