The Personal Data
Sovereignty Act

This Act shall be known as the Personal Data Sovereignty Act. Its purpose is to implement Amendment XXIX to the Constitution of the United States by establishing the rights of Americans in their personal data, the obligations of entities that collect or process that data, the criminal and civil consequences for violations of those rights and obligations, and the federal authority necessary for enforcement.

As used in this Act:

Congress shall establish the Federal Data Sovereignty Authority as an independent agency within the executive branch. The FDSA shall be headed by a Director appointed by the President and confirmed by the Senate for a six-year term, removable only for cause. The FDSA shall have authority to:

• (a)Investigate violations of this Act, including through subpoena of records and testimony.
• (b)Issue binding guidance on consent standards, data minimization, and AI training requirements.
• (c)Impose civil penalties under § 2915.
• (d)Refer criminal violations to the Department of Justice for prosecution under § 2914.
• (e)Establish and maintain a public registry of collecting entities, their data categories, their stated purposes, and their consent records.
• (f)Establish minimum technical standards for data security, deletion, and portability.
• (g)Certify consent frameworks as compliant with § 2906.
• (h)Maintain a classified division for the investigation of violations involving national security systems under § 2910.

It is unlawful for any collecting entity or covered officer to:

• (a)Unconsented Collection. Collect personal data without sovereign consent as defined in § 2906, except as required by law for a specific governmental purpose.
• (b)Purpose Violation. Use personal data for any purpose not specifically disclosed and consented to at the time of collection, including secondary uses, data brokering, and profiling not contemplated in the original consent.
• (c)Unconsented AI Training. Use personal data for AI training without sovereign consent that specifically identifies AI training as a purpose, regardless of prior consent for other purposes.
• (d)Children's Data Violation. Collect, store, process, sell, share, or use for any commercial purpose the personal data of any minor, or use any data for AI training that was generated by or describes a minor. No consent, parental or otherwise, authorizes any act prohibited by this subsection.
• (e)Coerced Consent. Condition access to an essential service on the provision of personal data beyond what is strictly necessary for the delivery of that service, or impose any penalty, reduced access, or degraded service on a person who refuses consent to non-essential data collection.
• (f)Digital Identity Violation. Create, distribute, or profit from any synthetic representation of a person's digital identity — including voice clones, facial likenesses, deepfakes, or AI-generated avatars — without that person's explicit, specific, and compensated consent.
• (g)Deletion Refusal. Fail to permanently and completely delete a person's personal data within the timeframe required by § 2912 following a valid deletion request, or retain any copy, backup, derivative, or aggregated form of the data that permits re-identification of the person.
• (h)Foreign Transfer. Transfer personal data of an American person to any entity under the jurisdiction of a foreign adversary, or to any entity that cannot demonstrate, to the FDSA's satisfaction, that the data will be protected to the standards of this Act regardless of the jurisdiction in which it is held.
• (i)AI Concealment. Deploy an artificial intelligence system that interacts with a person in a manner designed to cause a reasonable person to believe they are interacting with a natural human being, or fail to disclose that content provided to a person has been generated or materially altered by artificial intelligence.
• (j)Unconsented Algorithmic Decision. Make a consequential decision affecting a person using an automated or AI system without providing the disclosures and offering the contestation rights required by § 2913.
• (k)Breach Concealment. Fail to notify the FDSA and affected persons of a data breach within the time required by § 2917, or take any action designed to conceal, minimize, or delay disclosure of a breach.
• (l)Authorization of Violations. As a covered officer, authorize, direct, approve, or after actual knowledge fail to prevent any act described in subsections (a) through (k).

No collecting entity shall collect personal data in excess of what is strictly necessary for the specific, disclosed purpose for which sovereign consent has been obtained. The collection of personal data "in case it is useful later," for the purpose of building profiles not disclosed at the time of collection, or for the purpose of sale or transfer to third parties not identified in the original consent, is a violation of this section regardless of whether the person has consented to data collection for other purposes. Data minimization is a structural requirement, not a preference.

Sovereign consent under this Act requires all four of the following elements. The absence of any one element renders the consent legally void:

• (1)Explicit. Affirmatively given by an act specific to the data collection and purpose at issue. Pre-checked boxes, implied consent, consent by continued use, and consent buried in general terms of service do not satisfy this requirement. The consent must be given in plain language at no greater than an eighth-grade reading level, must specifically identify the data to be collected, the purpose for which it will be used, the entities with whom it will be shared, and the duration for which it will be retained.
• (2)Revocable. Withdrawable at any time by the person, by any means as simple as the means by which consent was given, with immediate legal effect. Revocation must not require the person to navigate more steps than were required to give consent. Revocation must not result in any penalty, loss of service, or degraded access to any essential service. Upon revocation, all obligations of this Act regarding deletion and portability apply immediately.
• (3)Non-Coercive. Given freely, without conditioning on access to any essential service, employment, housing, healthcare, education, or government benefit. The ability of a person to receive an essential service shall not be contingent on their consent to data collection beyond what is minimally necessary to deliver that service. A consent extracted as the price of necessity is not consent — it is coercion with paperwork.
• (4)Compensated for Commercial Use. Where personal data is used to generate commercial value — including through advertising, profiling, AI training, sale to data brokers, or any other commercial application — the person whose data generates that value is entitled to fair compensation. Congress shall establish a compensation framework within one year of this Act's passage. Until that framework is established, no commercial use of personal data is authorized under this Act without individual negotiated compensation agreements.

No artificial intelligence system shall be trained, in whole or in part, on personal data without sovereign consent that specifically and individually identifies AI training as a purpose. The following conditions apply without exception:

• (a)Prior consent for any other purpose — including advertising, service improvement, or research — does not constitute consent for AI training. AI training consent must be separately and specifically sought.
• (b)Data that was made publicly available by the person — including posts, comments, photographs, and other content shared on public platforms — does not thereby become available for AI training. Public availability is not consent.
• (c)Consent obtained before the passage of this Act does not constitute sovereign consent for AI training under this Act. Collecting entities must obtain fresh consent meeting the standards of § 2906 for any AI training use that postdates this Act's effective date.
• (d)Any AI system for which a collecting entity cannot demonstrate, upon FDSA request, that sovereign consent was obtained for each person whose data was used in training is in violation of this section from the date of first training use.
• (e)The burden of proving consent falls on the collecting entity. Absence of documentation of consent is presumed to be absence of consent.

• (a)No personal data of any minor shall be collected for any commercial purpose.
• (b)No personal data of any minor shall be sold, shared with third parties, or transferred to any entity other than the collecting entity for any purpose.
• (c)No artificial intelligence system shall be trained on data generated by, derived from, or describing any minor.
• (d)No commercial behavioral profile, interest profile, or predictive model shall be constructed for any minor.
• (e)All personal data of a minor held by any collecting entity at the time this Act takes effect shall be permanently deleted within ninety days of the effective date, except where retention is required for a specific legal obligation not related to commercial use.
• (f)Upon a minor reaching the age of eighteen, any collecting entity that holds data collected when the person was a minor shall notify the person and provide a full accounting of all data held, all purposes for which it was used, and all entities to which it was disclosed, and shall upon request delete all such data immediately.
• (g)A violation of this section is automatically assessed at the highest penalty tier under § 2914 and § 2915, regardless of harm, intent, or volume of data involved.

No agency, department, or instrumentality of the United States government, or of any state or local government, shall access, collect, purchase, or use personal data of an American person, or employ an artificial intelligence system to analyze, aggregate, or draw inferences from personal data, except:

• (a)Upon a warrant issued by a federal court of competent jurisdiction, supported by probable cause specifically describing the person whose data is sought, the data categories to be accessed, and the specific investigation for which access is sought. General warrants authorizing bulk collection or analysis are void.
• (b)With the explicit consent of the person, obtained under the same sovereign consent standards applicable to private collecting entities under § 2906.
• (c)Where strictly necessary to deliver a government service specifically requested by the person, limited to data minimally necessary for that service.

No government agency shall purchase personal data from a private data broker as a substitute for obtaining a warrant. Data so purchased shall not be used in any proceeding and shall be permanently deleted. The purchase of personal data without a warrant is a violation of this section regardless of whether the data was commercially available.

The use of artificial intelligence to construct predictive profiles of persons based on race, religion, national origin, political affiliation, sexual orientation, or gender identity is prohibited without exception. A government official who authorizes or uses such a system shall be subject to the penalties of § 2914.

Personal data of American citizens and residents is subject to the full protections of this Act regardless of where it is physically stored or processed. The following rules apply:

• (a)Any collecting entity that stores or processes personal data of Americans in a foreign jurisdiction does so subject to the obligations of this Act. Physical location of data does not determine the legal protections that attach to it.
• (b)No personal data of an American person shall be transferred to or held by any entity in a position where a foreign adversary can compel its disclosure. An entity that cannot certify to the FDSA that the data it holds cannot be accessed by a foreign adversary government is prohibited from holding that data.
• (c)Any foreign entity that collects, processes, or profits from personal data of Americans — including through advertising, data brokering, AI training, or any other commercial use — is subject to this Act as a condition of that access. Market access to Americans is contingent on compliance with Americans' constitutional rights.
• (d)The FDSA shall maintain a list of prohibited data holders — entities that have been determined to be unable or unwilling to comply with this section — and shall prohibit the transfer of Americans' personal data to any entity on that list.

Every American person has the following enforceable rights with respect to their personal data held by any collecting entity:

No collecting entity shall condition compliance with these rights on any payment, fee, waiver, or consent to additional data collection. Failure to comply within the time periods specified is a per-day violation for purposes of civil penalties under § 2915.

No consequential decision affecting an American person shall be made by or primarily based upon an automated or artificial intelligence system without the following protections:

• (a)Disclosure. The person must be informed, at or before the time the decision is communicated, that the decision was made or substantially influenced by an automated or AI system.
• (b)Explanation. The person must receive a plain-language explanation of the principal factors that determined the outcome, specific to their case, within ten days of requesting one. Generic explanations of system design do not satisfy this requirement.
• (c)Human Review. The person must have the right to request review of the decision by a qualified human being with the authority to override the automated determination. The human reviewer must actually review the case, not merely ratify the system's output.
• (d)Protected Characteristics. No consequential decision system shall use, directly or as a proxy, a person's race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity, or political affiliation. A system that produces disparate outcomes across protected classes is presumed to be using protected characteristics unless the collecting entity demonstrates otherwise.
• (e)Audit Rights. The FDSA shall have the right to audit any algorithmic decision system used for consequential decisions, including access to training data, model weights, decision logs, and outcome statistics disaggregated by protected class.

Every person interacting with any system deployed by a collecting entity has the right to know, at the time of the interaction:

• (a)Whether they are interacting with an artificial intelligence system or a natural person. This disclosure must be made at the initiation of the interaction and must be repeated upon request.
• (b)Whether any content, recommendation, summary, or communication they receive has been generated or materially altered by an artificial intelligence system.
• (c)Whether any image, video, or audio presented to them depicting a real person has been generated or modified by artificial intelligence.

The deliberate design of an AI system to cause a person to believe they are interacting with a natural human being — through the use of human names, expression of emotions, claims of personal experience, or other means — is a violation of this section regardless of whether the person asks about the system's nature. Deception in the design is the violation. Discovery of the deception is not required.

A natural person who commits a violation of § 2904 shall be subject to criminal prosecution and the following penalties:

Covered officers convicted under § 2904(l) shall be sentenced at one tier above the tier that would otherwise apply and shall not be indemnified by any entity for criminal fines. Each affected person constitutes a separate count for purposes of charging, though sentences may run concurrently at the court's discretion in cases involving very large numbers of affected persons.

A collecting entity found to have violated this Act shall be subject to civil penalties as follows:

• (a)Per-Violation Penalty. Not less than $1,000 per affected person per violation, up to a maximum of the greater of $10,000,000,000 or four percent of global annual gross revenue for the preceding fiscal year, whichever is greater, per violation.
• (b)Children's Violations. The per-person penalty for any violation of § 2908 shall be not less than $10,000 per affected minor per violation, with no cap on aggregate liability.
• (c)AI Training Violations. For violations of § 2907, the penalty shall include disgorgement of all commercial value derived from the AI system trained on unconsented data, including all revenue attributable to the system's operation from the date of first unconsented training use.
• (d)Mandatory Debarment. Any collecting entity convicted of a willful violation shall be excluded from federal contracts for not less than five years.
• (e)Structural Remedies. For repeat violations or violations involving more than one million affected persons, the FDSA may seek court-ordered structural remedies including mandatory data deletion, prohibition on specific data collection practices, and appointment of an independent compliance monitor.
• (f)Disgorgement. All profits derived from any unconsented use of personal data shall be disgorged regardless of whether a criminal conviction is obtained.

No exception, exemption, waiver, safe harbor, or carve-out from the requirements of this Act shall exist or be created for:

• (a)Research, academic, journalistic, or educational purposes, except that bona fide journalistic investigation of matters of genuine public concern may access personal data under a specific FDSA exemption obtained in advance, limited to the specific investigation, and subject to audit.
• (b)Small businesses, startups, or entities below any revenue threshold. The right of Americans to control their personal data does not depend on the size of the entity that took it.
• (c)Publicly available data. Data that a person made publicly available is not thereby consented for all uses, including AI training, profiling, and sale.
• (d)Anonymized or de-identified data that can be re-identified by any means reasonably available to the collecting entity.
• (e)Prior collection. Data collected before the effective date of this Act is subject to all provisions of this Act from the effective date forward.
• (f)Consent obtained under prior law or prior industry standards that do not meet the sovereign consent requirements of § 2906.

Any collecting entity that experiences a breach of security resulting in unauthorized access to or disclosure of personal data shall:

Failure to provide timely notification is a separate violation under § 2904(k) and is subject to per-day penalties from the date the breach was discovered. Concealment of a breach, including deliberate destruction of logs or evidence, is a criminal violation under § 2914 at Tier III regardless of other harm.

No person shall be discharged, demoted, threatened, harassed, or in any other manner discriminated against as a reprisal for:

• (a)Reporting to the FDSA, law enforcement, or Congress any violation or suspected violation of this Act.
• (b)Refusing to participate in any act that the person reasonably believes constitutes a violation of this Act.
• (c)Testifying or providing evidence in any proceeding related to a violation of this Act.

A whistleblower who provides information leading to a successful FDSA enforcement action resulting in civil penalties shall receive not less than fifteen percent of the penalty collected. Retaliation against a whistleblower is a criminal offense subject to five years imprisonment and shall not be indemnified by any entity.

Any person whose rights under this Act have been violated shall have a private civil right of action in federal court against the collecting entity and any covered officer who authorized or failed to prevent the violation. A person need not prove actual harm beyond the violation itself to maintain an action under this section. Damages shall include:

• (a)Statutory damages of not less than $1,000 and not more than $10,000 per violation, at the court's discretion based on the nature and severity of the violation.
• (b)Actual damages, including economic harm, reputational harm, emotional distress, and any harm resulting from the unconsented use.
• (c)Punitive damages of not less than three times actual damages for willful violations.
• (d)Attorney's fees and costs.
• (e)Injunctive relief requiring deletion, cessation of use, or any other appropriate remedy.

Class actions are expressly authorized under this section. No arbitration agreement, class action waiver, or forum selection clause in any terms of service or other agreement shall bar a claim under this section.

• (a)Civil actions under § 2919 shall be brought within six years of the date the person knew or reasonably should have known of the violation.
• (b)Criminal prosecution under § 2914 shall be brought within ten years for Tier I–III offenses and within twenty years for Tier IV–V offenses.
• (c)All limitations periods are tolled from the date of the violation until the date the affected person receives actual notice of the violation, where the collecting entity failed to provide required breach notification under § 2917.
• (d)For violations involving children's data under § 2908, the limitations period for the affected person's private right of action does not begin to run until the person reaches the age of twenty-five.
• (e)No statute of limitations applies to violations that caused the death of the affected person.