Congress Proposes Ban on AI Companies Selling Health and Location Data
Senators Warren and Rep. Scanlon have introduced the Health and Location Data Protection Act, which would prohibit data brokers — including AI chatbot providers — from selling Americans' health and location data. The bill would apply directly to conversations users have with AI assistants like ChatGPT and Claude.
Original sourceThe Health and Location Data Protection Act, introduced by Senator Elizabeth Warren and Representative Katie Scanlon, would make it illegal for data brokers to sell or transfer health and location data derived from Americans' interactions with AI chatbots. The proposal explicitly names AI services, meaning that sensitive information users share with tools like ChatGPT or Claude — symptoms, diagnoses, location check-ins — would be legally off-limits for sale to third parties.
The bill targets a gap that existing privacy law hasn't closed: HIPAA protects data shared with healthcare providers, but has no jurisdiction over what an AI company learns when a user asks a chatbot about their medications or mental health. Data brokers have already been observed packaging AI-derived behavioral profiles, and this legislation would attempt to cut off that pipeline at the source by banning the sale, not just regulating the collection.
Support for the bill is framed around a bipartisan concern — that health data shared in what users perceive as a private conversation can be aggregated, sold, and used for purposes ranging from targeted advertising to insurance underwriting. Proponents argue the absence of regulation has created a market incentive for AI providers to monetize sensitive disclosures that users made without understanding the downstream consequences.
The legislation faces the standard headwinds of any privacy bill in Congress: industry lobbying, jurisdictional debates about which agency enforces it, and the challenge of defining 'health data' in a way that's precise enough to be enforceable but broad enough to matter. Whether the bill advances or stalls, it signals a clear legislative intent to treat AI chatbot providers as data infrastructure — not just software — with corresponding obligations.
Panel Takes
The Skeptic
Reality Check
“The bill is directionally right but the enforcement mechanism is the whole question — and it's not answered here. HIPAA has been law for 30 years and health data is still being sold in every direction because defining 'health-adjacent' data is genuinely hard and the FTC is perpetually under-resourced. What kills this: it passes, gets challenged immediately on First Amendment commercial speech grounds, and spends four years in litigation while the data market keeps operating normally.”
The Futurist
Big Picture
“The falsifiable thesis here is that AI chatbots will become a primary vector for sensitive personal disclosure — and that bet is already paying out, which is why legislators are paying attention now rather than five years ago. The second-order effect nobody's talking about: if this passes, it creates a structural moat for AI providers who built privacy-preserving architectures early, because retrofitting data minimization onto a broker-dependent revenue model is expensive. This accelerates the bifurcation between AI companies that treat user data as a product and those that treat it as a liability.”
The Founder
Business & Market
“The companies this bill actually threatens aren't OpenAI or Anthropic — it's the downstream data broker ecosystem that buys inferred behavioral signals from smaller, less scrutinized AI products. The big labs will comply and issue a press release; the real pressure lands on the mid-tier 'AI wellness app' category that monetizes through data sales because their subscription conversion is too low to sustain the business otherwise. If this passes, watch for a wave of pivots or quiet shutdowns in that segment — the bill is effectively a forcing function for finding a real business model.”
The PM
Product Strategy
“The job this bill is hired to do is restore user trust in AI as a confidential interface — which is a real and unsolved problem, because right now users genuinely don't know what happens to the health context they give a chatbot. The product gap it exposes is that no major AI assistant has shipped a clear, in-context disclosure model that tells users at the moment of sensitive input exactly what's retained and sold. Legislation shouldn't be the thing that forces that feature to exist, but here we are.”