US lawmakers have introduced legislation that would prohibit artificial intelligence companies from selling or monetising user health and location data, marking the most direct regulatory challenge yet to AI platforms’ data practices.
Senator Elizabeth Warren and Representative Mary Gay Scanlon filed the Health and Location Data Protection Act, which would specifically prevent AI companies including OpenAI’s ChatGPT and Anthropic’s Claude from profiting from sensitive personal information collected through their services, according to The Verge AI.
The proposed legislation arrives as AI companies face mounting scrutiny over data handling practices. Whilst major AI platforms currently state they do not sell user data directly, the bill would close potential loopholes around data licensing, sharing arrangements with third parties, and future monetisation strategies that could emerge as companies seek profitability.
The timing reflects growing congressional concern about AI companies’ access to intimate personal information. Users increasingly share health symptoms, medical questions, and location-specific queries with AI assistants, creating vast repositories of sensitive data that currently face limited regulatory protection specific to AI applications.
Under the proposed framework, AI companies would face explicit prohibitions on transferring health and location data to data brokers, advertisers, or other commercial entities. The legislation would also require companies to implement stronger safeguards around how such information is stored and processed internally.
Business Impact
The legislation poses asymmetric risks across the AI sector. Large language model providers including OpenAI, Anthropic, and Google’s AI division would face immediate compliance obligations, potentially requiring significant infrastructure changes to segregate and protect health-related data flows.
Healthcare AI startups could gain competitive advantage if the legislation creates clearer regulatory boundaries. Companies already operating under HIPAA compliance frameworks may find themselves better positioned than general-purpose AI platforms suddenly required to implement medical-grade data protection.
Data brokers and advertising technology firms stand to lose potential revenue streams. The legislation would effectively block what some analysts had projected could become a significant market as AI platforms matured their monetisation strategies beyond subscription fees.
For investors, the proposal introduces fresh uncertainty into AI company valuations. Whilst current business models rely primarily on subscription revenue and API access fees, the legislation would constrain future monetisation options precisely as companies face pressure to justify their substantial operating costs.
Regulatory Context
The bill represents a sector-specific approach distinct from broader AI safety legislation currently under consideration. Rather than addressing algorithmic bias or model capabilities, it targets the commercial infrastructure surrounding AI deployment.
The proposal also reflects lawmakers’ recognition that existing health privacy frameworks, including HIPAA, contain significant gaps when applied to AI companies. HIPAA primarily regulates healthcare providers and insurers, not technology platforms where users voluntarily share health information.
European regulators have already begun examining similar issues under GDPR frameworks, but the US currently lacks comprehensive federal privacy legislation. This bill would create AI-specific restrictions ahead of broader data protection rules.
What’s Next
The legislation faces uncertain prospects in a divided Congress, though bipartisan concern about data privacy could provide momentum. Industry groups will likely argue that overly restrictive rules could hamper beneficial health applications of AI technology.
Companies should monitor whether the bill gains co-sponsors from both parties and whether similar provisions appear in other legislative vehicles. The proposal establishes a baseline that could influence state-level legislation even if federal passage stalls.
The bill’s introduction signals that AI companies’ data practices will face sustained regulatory attention, regardless of this specific legislation’s fate. Firms relying on expansive data collection should prepare for tightening constraints on how personal information, particularly health data, can be commercially exploited.
