This bill, titled the Data Care Act of 2025, aims to establish clear responsibilities for online service providers concerning the collection and use of end user data. It defines an online service provider as any entity engaged in interstate commerce that collects individual identifying data about end users. The legislation mandates three core duties for these providers: a duty of care, a duty of loyalty, and a duty of confidentiality. The duty of care requires providers to reasonably secure individual identifying data from unauthorized access and to promptly inform end users of any breach involving their sensitive data. The duty of loyalty prohibits providers from using individual identifying data in ways that benefit them to the detriment of an end user, or that would result in foreseeable physical or financial harm, or be unexpected and highly offensive to a reasonable end user. The duty of confidentiality restricts the disclosure or sale of this data unless consistent with the duties of care and loyalty, and requires third parties receiving data to adhere to the same duties through contractual agreements and regular audits. Enforcement of these duties falls primarily to the Federal Trade Commission (FTC), which will treat violations as unfair or deceptive acts or practices, extending its jurisdiction to include nonprofit organizations and common carriers. Additionally, state attorneys general are empowered to bring civil actions against violators on behalf of their residents, with provisions for civil penalties for knowing or repeated violations. The bill also specifies that the rights and remedies provided are non-waivable and clarifies that it does not modify or limit other existing privacy or security laws.
Read twice and referred to the Committee on Commerce, Science, and Transportation.
Data Care Act of 2025
USA | 119th Congress | S-3570 | Senate | Updated: 12/18/2025