New bill targets AI health data sales to brokers

Senator Elizabeth Warren (D-MA) and Representative Mary Gay Scanlon (D-PA) are preparing a new version of the Health and Location Data Protection Act. The proposal would ban the sale of Americans’ health and location information to data brokers, including data people enter into AI systems.



A revamped privacy proposal is taking aim at a growing risk in the AI era: sensitive health and location information moving from consumer services to data brokers. The new version of the Health and Location Data Protection Act would cover information people disclose to AI chatbots such as ChatGPT or Claude.

The bill is being prepared by Senator Elizabeth Warren (D-MA) and Representative Mary Gay Scanlon (D-PA), with Senators Ron Wyden (D-OR) and Bernie Sanders (I-VT) also sponsoring it. Its central idea is direct: Americans’ health and location data should not be sold to data brokers, including when that information is entered into AI systems.

What the proposal would change

The earlier version of the Health and Location Data Protection Act was first introduced in June 2022. That version prohibited data brokers from collecting and selling health and location data.

The new version is broader. Four years later, the bill has been expanded to ban other companies from selling that kind of data to brokers. It also specifically covers data entered into AI systems.

That distinction matters because the source of sensitive information is changing. People are no longer sharing health details only through traditional medical or administrative channels. They may also enter those details into consumer AI tools, including chatbots built by companies pursuing health and medical products.

Under the proposal described in the source article, the covered information includes Americans’ health and location information. The bill would limit the sale of that information to data brokers, including from chatbot services.

Why AI chatbots are now part of the debate

AI labs have been moving toward health and medical products. In January, Elon Musk publicly called for people to upload their medical records, including MRI scans, to Grok, xAI’s chatbot.

That same month, OpenAI introduced ChatGPT Health, described as a sandboxed tab within ChatGPT that it deemed more secure. OpenAI encouraged users to upload medical records and other sensitive information there. It also introduced ChatGPT for Healthcare, aimed at medical providers.

A few days after that, Anthropic followed with Claude for Healthcare, described as a “HIPAA-ready” tool for individuals, health providers, and hospitals.

These moves show why lawmakers are focusing on AI health data. When people use AI systems for health-related purposes, the information they provide can be highly personal. It may include medical records, details about symptoms, or other private health data that users would not expect to become part of a broader data market.

The proposed bill responds to that concern by focusing on what happens after information is entered into these tools. It does not only address data brokers themselves. It would also restrict other companies from selling health and location data to brokers.

The privacy gap behind the bill

The source article points to a larger privacy problem in the United States. The US lacks an overall federal framework for data privacy, despite years of attempts.

That leaves many users dependent on what companies say they will do. Sara Gerke, a law professor at the University of Illinois Urbana-Champaign, told The Verge in January that data protection for tools like OpenAI’s and Anthropic’s “largely depends on what companies promise in their privacy policies and terms of use.”

For users, that creates uncertainty. If a person uploads medical records or other sensitive information to an AI service, the practical protection for that data may depend heavily on company commitments. The proposed Health and Location Data Protection Act would move at least one part of the issue into enforceable rules: the sale of health and location information to data brokers.

The bill also reflects a broader shift in how AI policy is being framed. Instead of focusing only on model behavior or chatbot outputs, lawmakers are also looking at the data flowing into AI systems. Health data and location data are treated as especially sensitive because they can reveal intimate details about a person’s life.

How enforcement would work

The bill would require the Federal Trade Commission to enact the rules within 180 days. Enforcement would not be limited to one path.

According to the source article, the proposal would allow the FTC, state attorneys general, and affected individuals to sue to enforce it. It would also earmark $1 billion to the FTC over the next 10 years for enforcement.

Those enforcement details are central to the bill’s practical importance. A ban on selling sensitive data is only meaningful if there are ways to challenge violations. By naming the FTC, state attorneys general, and affected individuals, the proposal creates multiple routes for enforcement.

The funding provision also signals that enforcement is not being treated as an afterthought. The bill would dedicate money over a 10-year period for the FTC to carry out the work.

What lawmakers say is at stake

Senator Warren framed the proposal around data brokers and sensitive personal information.

“It’s more important than ever that we crack down on data brokers that are raking in giant profits from selling Americans’ most sensitive information,” said Senator Warren in a statement. “Especially as more people enter their private health data into AI, we need to make sure that information isn’t exploited by the highest bidder.”

The bill is expected to debut in the coming weeks. If introduced as described, it would mark an effort to update data privacy rules for a moment when AI companies are asking users to trust them with increasingly sensitive information.

The core question is simple: when a person shares health or location data with an AI tool, should that information be available for sale to data brokers? The new version of the Health and Location Data Protection Act is built around the answer that it should not be.