The Consumer Data Privacy and Security Act of 2026 aims to establish a uniform federal standard for consumer data privacy and security across the United States. It defines key terms such as personal data , which includes information linked to an individual, and sensitive personal data , encompassing categories like biometric information, health data, financial account numbers, and geolocation. The Act applies to "covered entities" that determine the purpose and means of data collection or processing, and "service providers" acting on their behalf, with specific exceptions for small businesses regarding certain individual rights. A core provision of the bill requires covered entities to obtain an individual's consent before collecting or processing personal data, unless for specific permissible purposes like providing a service or complying with legal obligations. While implicit consent is generally allowed, express affirmative consent is mandated for sensitive personal data or disclosure to third parties for non-permissible purposes. Covered entities must provide clear, concise notice about data practices and offer individuals a means to withdraw consent at any time. The legislation grants individuals several key rights, including the right to know what data is collected and processed through publicly available privacy policies, and the right to access a copy of their personal data. Individuals also gain the right to accuracy and correction of their data and the right to erasure , allowing them to request deletion or de-identification of their personal data. These rights must be provided at no cost for the first two requests within a 12-month period, and entities must verify the requester's identity. To ensure data protection, the bill mandates that covered entities and service providers develop and maintain comprehensive data security programs with reasonable administrative, technical, and physical safeguards. These safeguards must be appropriate to the entity's size, complexity, and the sensitivity of the data. Larger entities, termed "applicable entities," are required to designate a privacy officer and conduct privacy impact assessments for material changes involving sensitive personal data, ensuring robust accountability. The Act also outlines specific rules for service providers, requiring contractual agreements with covered entities that dictate data processing instructions and include representations of compliance. Service providers must assist covered entities in fulfilling individual rights requests and generally delete or de-identify data upon completion of services. Enforcement of the Act falls primarily to the Federal Trade Commission , which can impose civil penalties for violations, and State Attorneys General are also empowered to bring civil actions. Significantly, the bill includes a strong preemption clause , stating Congress's intent to establish a uniform federal privacy framework that supersedes most state and local laws related to personal data privacy and security. However, it preserves certain state laws, such as those concerning data breach notifications, criminal or civil procedure, and specific federal laws like COPPA, GLBA, and HIPAA. The bill also allocates additional resources to the FTC for enforcement and mandates regular reporting to Congress on its effectiveness and implementation.