In Washington, privacy debates are increasingly colliding with a new kind of data pipeline—one that doesn’t look like the old “data broker” model at all, but can still end up feeding the same downstream marketplace. A fresh push from Sen. Elizabeth Warren and Rep. Mary Gay Scanlon is aimed squarely at that problem: it would restrict not only the sale of Americans’ health and location information by traditional data brokers, but also the broader ecosystem of companies that can collect, package, and sell sensitive details to those brokers. And crucially, the updated proposal is designed for an AI era in which people may reveal intimate information to chatbots and other digital tools without realizing how quickly it can be repurposed.
The bill—an updated version of the Health and Location Data Protection Act—has been in development for weeks, according to reporting. It builds on earlier legislation introduced in 2022 that targeted data brokers directly, seeking to stop them from collecting and selling Americans’ health and location data. But the new draft reflects a reality that has become harder to ignore since then: the most sensitive information doesn’t always originate in a brokerage database. It can be generated through apps, devices, online services, and increasingly through interactions with AI systems that respond to users in natural language. The question lawmakers are now asking is whether the law should follow the data, not just the label.
At the center of the proposal is a simple but far-reaching idea: health and location data are uniquely sensitive, and the downstream sale of that information should be heavily restricted—especially when it involves data that could be inferred, derived, or revealed through modern digital tools. That includes information people might share while using AI chatbots such as ChatGPT or Claude, where users often describe symptoms, medical concerns, diagnoses they suspect, medications they’re taking, or even the circumstances surrounding their health. Even when a user never explicitly says “sell my data,” the structure of today’s data economy can still turn those inputs into something that can be traded, licensed, or used to build profiles.
To understand why this matters, it helps to look at what “health and location data” means in practice. It’s not limited to obvious categories like medical records or GPS coordinates. Location data can include patterns—where someone goes, when they go there, how frequently they visit certain places, and what those visits might imply. Health data can include direct information (a diagnosis, a prescription, a lab result) but also indirect signals: the timing of symptoms, the type of care sought, the language used to describe pain or mental health, and the context around those descriptions. In an AI-driven world, those signals can be transformed into structured features that are easier to monetize and easier to combine with other datasets.
That transformation is one reason the bill’s scope is expanding. The earlier version focused on data brokers collecting and selling health and location data. The updated proposal goes further by addressing other companies that might sell such data to brokers. In other words, it targets the supply chain. If a company collects sensitive information and then sells it onward—whether to a broker, a reseller, or another intermediary—the bill aims to prevent that transfer when the information falls into protected categories.
This is where the AI era becomes more than a buzzword. AI systems don’t just store information; they process it. They interpret it, summarize it, and sometimes generate outputs that reflect the user’s intent and personal context. That processing can create new data artifacts: embeddings, classifications, inferred attributes, and behavioral patterns. Even if a chatbot doesn’t “sell” anything directly, the broader question is whether the information that flows into the system—or the insights derived from it—can be treated as a commodity in the same way as traditional brokered data.
Lawmakers appear to be aiming at that gray zone. The updated bill is described as being better suited to the AI era, which suggests it’s not merely repeating the 2022 approach with minor tweaks. Instead, it’s designed to address how sensitive information can move through modern data ecosystems—systems that may involve multiple vendors, analytics providers, advertising partners, and data aggregators. The bill’s logic is that if the end result is the same—sensitive health and location information being sold to data brokers—then the legal framework should treat the pathway as unacceptable, regardless of whether the origin was a medical app, a location-tracking service, or an AI conversation.
One of the most consequential aspects of the proposal is its potential to cover information people reveal to AI chatbots. This doesn’t mean every user input to an AI system would automatically become illegal to use or impossible to process. But it does signal that lawmakers are concerned about the possibility that sensitive content—especially content that can be tied back to an individual—could be repurposed and sold downstream. In the current environment, users often assume that “I typed it into a chatbot” is different from “I gave it to a data broker.” The bill’s premise challenges that assumption by focusing on the sensitivity of the information and the downstream market it could enter.
There’s also a broader policy tension embedded in the proposal: the difference between consent and meaningful consent. Many privacy frameworks rely on notice-and-choice mechanisms—terms of service, opt-outs, and broad permissions buried in settings. But for health and location data, the stakes are so high that lawmakers are increasingly skeptical that generic consent is enough. People may not understand what counts as health data, what counts as location data, or how AI-derived inferences could be used. They may not realize that a conversation about symptoms could be turned into a profile that predicts future behavior, influences targeting, or enables discrimination. The bill’s expansion can be read as an attempt to reduce reliance on user comprehension and instead impose stronger limits on the sale of sensitive information by default.
The timing of this effort is also telling. AI adoption has accelerated rapidly, and with it, the number of ways personal information can be collected and processed. Some AI systems are integrated into healthcare workflows, customer support, and productivity tools. Others are used casually by individuals who want help understanding medical questions, managing anxiety, or planning next steps after a concerning symptom. In each case, the user’s input can be deeply personal. Even if the user’s intention is benign—seeking advice, clarity, or reassurance—the data trail can be complicated.
That complexity is exactly what makes the bill’s “downstream” focus important. Data markets rarely operate as a single transaction. Information can be collected, cleaned, enriched, combined with other sources, and then sold in forms that are less recognizable to the original provider. A dataset might not be labeled “health data,” but it can still contain health-related inferences. A dataset might not be labeled “location data,” but it can still encode movement patterns. The bill’s approach suggests lawmakers want to prevent the final step—selling sensitive information to brokers—because that final step is where the information becomes widely distributable and difficult to control.
If the bill advances, it could also force companies to rethink how they handle sensitive categories internally. Even if a company believes it is not “selling” data, it may be transferring it through contracts, licensing arrangements, or vendor relationships. The updated proposal’s emphasis on covering other companies that sell such data to brokers implies that lawmakers are looking beyond direct sales and toward the broader concept of transfer for commercial purposes. That could have ripple effects across advertising technology, analytics, and data enrichment services that currently operate in the margins of privacy law.
There’s another angle that makes this proposal feel particularly urgent: the risk of re-identification and inference. Health and location data are powerful because they can be used to identify individuals even when direct identifiers are removed. Location traces can be unique. Health-related patterns can be distinctive. When combined with other datasets—public records, consumer purchase histories, device identifiers, or social media activity—the resulting profile can become highly specific. AI systems can accelerate this process by extracting meaning from unstructured text and converting it into structured signals. That means the harm isn’t only about what is explicitly shared; it’s also about what can be inferred.
This is why the bill’s framing around “better suited to the AI era” matters. Traditional privacy laws often assumed that data moved in predictable channels: a broker collects, a broker sells, and the user’s role ends at the point of collection. AI complicates that model. Users interact with systems that interpret language and context. Those systems can generate derived information that wasn’t present in raw form. And the data ecosystem around AI—training, evaluation, analytics, and third-party services—can create multiple opportunities for sensitive information to be repackaged.
The updated bill appears to be trying to close those opportunities by treating health and location data as protected categories that shouldn’t be commodified through downstream sales. While the exact legal mechanics will depend on the final text, the direction is clear: limit the ability of companies to profit from the circulation of sensitive personal information, especially when that information can be tied to individuals and can reveal intimate aspects of their lives.
For users, the practical impact could be significant, even if the bill is not yet law. If companies face restrictions on selling health and location data to brokers, it could reduce the availability of those datasets in the broader market. That, in turn, could affect how advertisers target, how insurers assess risk, how employers screen, and how other actors build profiles. It could also reduce the likelihood that a user’s private conversation—about symptoms, mental health, or personal circumstances—becomes part of a dataset that is later used for purposes they never intended.
But the proposal also raises questions that will likely shape the debate as it moves forward. For example, how will “health and location data” be defined precisely? Will the bill focus on data that is directly collected, or also on inferred attributes derived from that data? How will it treat anonymized or de-identified information? And what about legitimate uses—such as public health research, clinical operations, or fraud prevention—that may require access to sensitive data under strict safeguards? Lawmakers will need to balance privacy