
Lawmakers Move to Curb AI-Sourced Health Data Sales as Chatbots Become New Privacy Risk

Lawmakers want to stop AI health data sales to brokers, expanding privacy protections to chatbot inputs like medical records and location data.

In short

U.S. lawmakers plan to update a privacy bill to block the sale of health and location data, including sensitive information people enter into AI chatbots. The proposal would give the FTC new enforcement powers and target data brokers as AI tools move deeper into healthcare.

  • The bill would ban sales of health and location data to brokers, including data entered into AI chatbots.
  • Warren and Scanlon plan to reintroduce the measure with support from Wyden and Sanders.
  • The FTC would get rulemaking authority, enforcement power, and $1 billion over 10 years.
  • The push comes as OpenAI, Anthropic, and xAI expand AI products aimed at healthcare use cases.

As AI chatbots become a place where people increasingly disclose intimate details about their lives, U.S. lawmakers are moving to close a privacy gap they say has become far more urgent in the age of generative AI. A revamped federal proposal would bar companies from selling Americans’ health and location information to data brokers — and would specifically extend those protections to sensitive details people type into systems such as ChatGPT, Claude, or Grok.

Senator Elizabeth Warren and Representative Mary Gay Scanlon are preparing to reintroduce the Health and Location Data Protection Act in an updated form that reflects how quickly consumer data has become embedded in AI products. The new version would broaden the bill’s reach well beyond traditional data brokers, targeting a wider set of companies that collect, handle, or monetize sensitive personal information.

The legislation arrives at a moment when major AI firms are racing to position their chatbots as tools for health guidance, medical record review, and patient support. That ambition has created a new policy problem: if users upload scans, medical histories, or location clues into AI systems, what prevents that information from later being shared, sold, or exposed?

For lawmakers pushing the bill, the answer is that current law does not provide enough protection — and the risk has only grown as AI adoption accelerates. The proposal is intended to force a stronger federal standard on information that many Americans would reasonably expect to remain private.

Why the bill is being revived now

The original Health and Location Data Protection Act was first introduced in 2022, before generative AI exploded into the mainstream. At that time, the bill focused primarily on data brokers, the firms that collect personal information from a variety of sources and resell it for advertising, profiling, risk scoring, and other uses.

Lawmakers behind the measure now believe the privacy landscape has changed enough to justify a broader rewrite. AI tools have become new repositories for health-related disclosures, and those systems can capture everything from symptoms and diagnoses to medication history, treatment concerns, and location signals that may reveal visits to clinics, hospitals, or sensitive service providers.

The rewritten bill would not only restrict brokers from buying and selling those details. It would also prohibit other companies from selling them to brokers in the first place, including information entered into AI systems.

That expansion matters because many consumers do not think of a chatbot interaction as a data sale. But the legal framework around generative AI often depends on privacy policies and terms of service rather than a comprehensive federal privacy law. In practice, that means companies can define the rules around collection and sharing, leaving users with limited leverage when sensitive data is involved.

What the proposed law would do

The bill is designed to create a stronger national standard for health and location privacy. It would give the Federal Trade Commission a central enforcement role and authorize broader legal action if companies violate the rules.

According to the proposal, the FTC would be required to write implementing regulations within 180 days of enactment. Enforcement would not be limited to the agency itself: state attorneys general and affected individuals would also be able to sue.

To make that enforcement realistic, the bill sets aside $1 billion for the FTC across a 10-year period.

That funding is notable. Privacy laws often run into a familiar problem in Washington: they are drafted with strong language but weak enforcement. By attaching dedicated resources, sponsors are signaling that this proposal is meant to function as a serious regulatory regime, not just a symbolic statement.

Core provisions at a glance

| Provision | What it would do |
|---|---|
| Ban on selling health and location data | Prevents companies from selling sensitive information to data brokers |
| Coverage of AI inputs | Extends protections to data entered into chatbots and other AI systems |
| FTC rulemaking deadline | Requires the agency to issue rules within 180 days |
| Private and state enforcement | Allows states and individuals to sue for violations |
| FTC funding | Sets aside $1 billion over 10 years for enforcement |

How AI changed the privacy equation

The push for this legislation is tied to a fast-moving shift in how AI companies are marketing their products. Large language models were once sold mainly as writing assistants and productivity tools. Increasingly, however, they are being positioned as interfaces for health-related tasks.

That shift became especially visible earlier this year.

  • In January, Elon Musk urged people to upload medical records such as MRI scans to Grok.
  • OpenAI launched ChatGPT Health, describing it as a more secure, sandboxed area within ChatGPT for health-related uploads.
  • The company also introduced ChatGPT for Healthcare, aimed at medical providers.
  • Anthropic followed with Claude for Healthcare, which it described as “HIPAA-ready” for people, hospitals, and clinicians.

Those launches show how deeply AI firms want to move into the medical and wellness market. But they also reveal the stakes. Once people begin entering medical records, imaging, symptoms, or provider notes into consumer AI systems, the distinction between a convenience feature and a high-risk data pipeline starts to blur.

Privacy advocates and legal scholars have warned that users may be assuming more protection than the law actually guarantees. In many cases, the real limits on data use come from company policies rather than a comprehensive federal statute.

“The protection people get from these tools mostly depends on what companies promise in their privacy policies and terms of service,” legal experts have warned in recent discussions of AI health products, underscoring how little national privacy law currently constrains the sector.

The absence of a broad federal privacy framework means that a chatbot conversation about a chronic condition, a mental health concern, or a recent diagnosis could fall into a regulatory gray area unless a company voluntarily restricts how the information is retained, used, or shared.

Data brokers remain a central target

Even before the rise of generative AI, lawmakers had concerns about the shadowy data brokerage industry. These companies often sit between consumers and the entities that actually use personal information, packaging and reselling data on a massive scale.

Health and location data are especially sensitive because they can reveal more than most people realize. A location trail can expose visits to medical clinics, addiction treatment centers, fertility facilities, mental health offices, or other services people may not want public. Combined with health records, those data points can be used to infer pregnancy status, medication use, or serious diagnoses.

That is why the revamped bill does not stop at direct sales of health data. It also addresses the upstream flow of information that can feed into the brokerage ecosystem.

In effect, the proposal aims to shut off one of the easiest channels through which sensitive data moves from a user’s private conversation into a commercial market built around profiling and resale.

Why location data matters as much as medical data

Privacy legislation often focuses on health records because they are obviously sensitive. But location information can be just as revealing, especially when it is persistent and precise.

Repeated visits to a particular address, transit pattern, or business can reveal medical treatment, personal relationships, religious activity, or legal services. In the AI era, that risk grows because users may voluntarily disclose context in prompts that can be combined with background location signals.

The bill’s sponsors appear to be treating the two categories as inseparable. That reflects a modern understanding of privacy: the danger is often not a single data point, but the ability to combine many data points into a detailed portrait of a person’s life.

Who is backing the proposal

The legislation is being led by Warren and Scanlon, and it also has the support of Senator Ron Wyden and Senator Bernie Sanders. The lineup reflects a long-running concern among left-of-center lawmakers about data monetization, platform power, and consumer privacy.

Warren, in particular, has made data broker regulation a recurring issue. Her argument has remained consistent: companies should not be allowed to profit from the most sensitive corners of consumers’ lives simply because the law has not kept up.

Warren said in a statement that curbing data brokers is more urgent than ever because they are making large profits from Americans’ most sensitive information, and she argued that the rise of AI makes it especially important to prevent private health information from being turned into a commodity.

That framing is important. The bill is not just about preventing abuse after a breach. It is about limiting the commercial incentives that encourage the collection and resale of sensitive information in the first place.

What makes the AI angle different from older privacy fights

Previous privacy battles often centered on websites, apps, and advertising IDs. AI changes the debate in several ways.

  1. Users disclose more freely. Chatbots encourage conversational input, which can make people feel they are speaking in confidence.
  2. Prompts can be highly sensitive. Users may paste records, scans, test results, and treatment notes into a single session.
  3. Health use cases are expanding quickly. Chatbots are increasingly marketed to patients, doctors, and hospitals.
  4. Retention practices are unclear to consumers. Many people do not fully understand whether their inputs are used for training, stored for safety, or shared with vendors.

These dynamics make AI privacy more complex than traditional consumer data collection. A person may not realize that a casual question to a chatbot about a symptom or a scanned document could become part of a larger data lifecycle.

That is one reason the proposal specifically names AI systems. Lawmakers are signaling that existing language about health data and brokers is not broad enough to cover the new ways people interact with software.

The role of the FTC

The Federal Trade Commission would sit at the center of enforcement under the bill, if it becomes law. That would give the agency a chance to set detailed rules around what counts as prohibited sale, what qualifies as covered information, and how companies should handle AI-generated or AI-submitted sensitive data.

But the commission is already stretched across several major technology enforcement fronts, from competition concerns to deceptive AI claims. The added funding in the bill appears intended to address that reality by giving the agency the personnel and resources it would need to pursue privacy cases at scale.

By allowing both state attorneys general and private parties to sue, the bill also avoids relying solely on federal enforcement. That structure matters because the FTC cannot police every possible violation on its own, particularly in a fast-moving industry where product offerings evolve rapidly.

Potential enforcement model

  • FTC writes rules within six months of the law taking effect
  • Companies are expected to conform privacy practices to the new federal standard
  • State attorneys general can bring actions on behalf of residents
  • Affected individuals can seek redress directly
  • FTC receives a dedicated enforcement budget over 10 years

The policy backdrop in Washington

The U.S. still does not have a comprehensive federal privacy law, despite years of debate, draft proposals, and periodic bipartisan interest. That vacuum has left lawmakers to tackle specific problems one at a time — children’s privacy, location tracking, biometric data, data brokers, and now AI-assisted health disclosure.

This bill is best understood as part of that fragmented approach. Rather than trying to build a full privacy code from scratch, sponsors are targeting one especially alarming category of data and one fast-growing set of risks.

That strategy may be more politically viable than broader privacy reform. But it also means the law, if passed, would still leave many questions unanswered about AI data governance, especially around model training, internal retention, cross-border transfer, and secondary use by vendors.

Still, the proposal would be an important signal that lawmakers are no longer willing to let companies improvise their own rules when people share medical information with chatbots.

What companies may have to change

If enacted, the bill could force companies to revisit how they collect, store, and monetize user inputs. That would likely affect consumer-facing AI apps, health-focused AI tools, and any business that brokers or shares data from those systems.

Firms may need to:

  • Rework consent language and disclosures
  • Separate health-related inputs from other data streams
  • Limit or eliminate resale pathways involving brokers
  • Strengthen internal retention controls
  • Document how chatbot inputs are used and by whom

For some AI companies, that could mean major product changes. Health-related features have become a growth area because they create new reasons for consumers and organizations to pay for premium services. But that same trend increases regulatory exposure if the information involved is highly sensitive.

Companies that want to build trust in healthcare will likely need to demonstrate that they can do more than offer flashy tools. They will have to prove they can handle data responsibly.

Why consumers should pay attention

For ordinary users, the issue is straightforward: what you tell a chatbot may not stay inside a private conversation unless the law says it must. That is especially concerning when the subject is a medical condition, a therapy note, a scan, or a clue about where a person has been.

Many people are likely to assume that a chatbot behaves more like a doctor’s office than an ad-supported platform. In reality, the privacy rules may be far looser.

The proposed legislation seeks to correct that mismatch between expectation and reality. It would not solve every risk associated with AI, but it would make one thing clearer: companies should not be allowed to turn Americans’ health and location information into inventory for sale.

Timeline of the bill and the AI privacy shift

| Date | Development |
|---|---|
| June 2022 | Original Health and Location Data Protection Act introduced |
| January 2026 | Major AI health-use announcements from xAI, OpenAI, and Anthropic |
| Coming weeks | Warren and Scanlon plan to unveil the updated bill |
| After enactment | FTC would have 180 days to issue implementing rules |

The broader significance

The debate over this bill is not really just about one class of data or one family of technologies. It is about whether American privacy law can adapt fast enough to a market in which AI tools are becoming the place where people reveal their most personal information.

If health data is now being entered into chatbots, the legal system has to answer a new question: who controls that information after it is shared?

Lawmakers backing the bill are arguing that the answer should not be “whoever can profit most from it.” They want a rule that treats health and location data as categories deserving stricter protection, regardless of whether they are collected through a website form, a mobile app, or a conversation with an AI assistant.

That could make the proposal one of the clearest early attempts in Washington to regulate the privacy risks specific to generative AI rather than treating them as an extension of older internet problems. As the industry keeps pushing into healthcare, that distinction may matter more with each passing month.

For now, the message from Capitol Hill is simple: if AI companies want to handle medical and location data, they may soon have to do it under much tougher rules.
