180 days is the enforcement clock Democrats want to put on AI health-data sales — a sign that Washington sees chatbot medical disclosures less as casual app chatter and more as a brokerable privacy risk.
Senator Elizabeth Warren (D-MA) and Representative Mary Gay Scanlon (D-PA) plan to introduce a revised Health and Location Data Protection Act that would ban the sale of Americans’ health and location information to data brokers, including information entered into AI systems, according to 9to5Mac. The Verge, cited by 9to5Mac, reports that the bill would also be sponsored by Senators Ron Wyden (D-OR) and Bernie Sanders (I-VT).
The deeper signal is not just “AI privacy bill.” It is that lawmakers are trying to close the gap between what users think they are doing — asking a chatbot about symptoms, records, scans, or sensitive health fears — and what many consumer AI products may treat as usable data.
A 2022 Privacy Bill Gets Rewritten for ChatGPT, Grok, and Claude
The original version of the Health and Location Data Protection Act was first introduced in June 2022. The new version, expected “in the coming weeks,” has been expanded for the AI era.
| Bill version | Reported target | AI-specific change |
|---|---|---|
| June 2022 version | Data brokers collecting and selling health and location data | No AI-specific detail in the supplied source |
| 2026 planned version | Other companies selling such data to brokers | Specifically covers data entered into AI systems |
That expansion matters because AI companies are no longer waiting passively for users to type vague symptom questions. The source material says they have actively encouraged more sensitive health use cases.
In January, Elon Musk publicly called for people to upload medical records, including MRI scans, to Grok, xAI’s chatbot. That same month, OpenAI introduced ChatGPT Health, described as a more secure sandboxed tab inside ChatGPT, and encouraged users to upload medical records and other sensitive information. OpenAI also introduced ChatGPT for Healthcare, aimed at medical providers. A few days later, Anthropic followed with Claude for Healthcare, described as a “HIPAA-ready” tool for individuals, health providers, and hospitals.
This is the core tension: AI labs are building toward health workflows, but consumer trust still depends heavily on what companies promise in policies and terms.
“HIPAA-Ready” Does Not Answer the Consumer Chatbot Problem
The source material does not say the new bill rewrites HIPAA. It does show why the phrase “HIPAA-ready” may not settle the privacy question for ordinary chatbot users.
Sara Gerke, a law professor at the University of Illinois Urbana-Champaign, told The Verge in January that data protection for tools like OpenAI’s and Anthropic’s “largely depends on what companies promise in their privacy policies and terms of use.” That is the weakness the proposed bill appears designed to address.
9to5Mac’s Ben Lovejoy makes the consumer-risk argument more bluntly: many AI chatbots have terms that allow conversations to be used as training data, and app terms may allow data to be collated and sold.
That distinction is crucial. A medical record uploaded into a chatbot can be far more than a document. It can become part of a broader conversation: symptoms, fears, medications, family details, location clues, insurance worries, and mental health context. The proposed bill targets the sale of that kind of health and location information to data brokers.
“It’s more important than ever that we crack down on data brokers that are raking in giant profits from selling Americans’ most sensitive information,” Warren said in a statement. “Especially as more people enter their private health data into AI, we need to make sure that information isn’t exploited by the highest bidder.”
The Real Numbers Are Enforcement Numbers: 180 Days, $1 Billion, 10 Years
The supplied sources do not provide adoption figures for AI health queries, so the strongest numbers here are legislative ones.
The planned bill would require the Federal Trade Commission to enact rules within 180 days. It would allow the FTC, state attorneys general, and affected individuals to sue for enforcement. It would also earmark $1 billion for the FTC over the next 10 years.
Those provisions make the proposal more than a symbolic ban. The private right of action matters because affected individuals would not have to wait solely for federal enforcement. The state AG role matters because enforcement could come from multiple directions. The FTC funding matters because privacy rules without investigative capacity often collapse into paperwork.
MLXIO analysis: the bill is narrowly aimed at downstream commercialization, not at every AI health use case. Based on the source material, it would ban sales to data brokers; it would not, by itself, answer every question about training, retention, product improvement, or medical accuracy.
That narrower focus may be deliberate. Selling sensitive data to brokers is easier to frame politically than regulating every internal AI data practice at once.
Apple’s Siri Example Shows One Possible Privacy Split
9to5Mac argues that if users insist on sensitive chatbot conversations, Siri is the safer route because both Apple’s existing Siri handoff to ChatGPT and the new Siri AI use of Google Gemini models are subject to Apple privacy requirements that forbid collection of user data.
That is one model: route requests through strict privacy constraints rather than relying on broad user consent buried in terms.
The proposal also sharpens a broader product-design split MLXIO readers have seen around private AI memory, including “Lumo 2.0 Grabs AI Memory Without Selling Your Data”: can an assistant become more useful without turning user history into a resale asset? It also sits alongside the wider debate over powerful consumer AI releases, a theme in “Too Powerful for Public? Claude Fable 5 Hits Users,” though this bill is narrower than model safety. It is about health and location data sales.
The Hard Fight Is Over Definitions, Not Slogans
The proposal sounds simple: do not sell health data from AI chats to brokers. The hard part is drafting that rule tightly enough to work.
Several questions remain unresolved in the supplied source material:
- Health data: Does the bill cover only uploaded medical records, or also user-written symptoms and health fears?
- AI systems: Does it apply only to chatbots like ChatGPT, Claude, and Grok, or to any app with embedded AI features?
- Sale: Does the final text cover only direct sales to brokers, or broader commercial transfers?
- Enforcement: How aggressively would the FTC use the proposed $1 billion over 10 years?
- Timing: The bill is planned for introduction “in the coming weeks,” so final language could still shift.
MLXIO analysis: the strongest version of this bill would treat health-related chatbot disclosures as sensitive by default when they are sold or transferred to brokers. A weaker version could leave too much room for companies to classify sensitive exchanges as general product data.
The Next Privacy Fight Moves Beyond Data Brokers
This bill, as described, targets the sale of health and location data. That is only one layer of the AI privacy problem.
The next fight will likely focus on what happens before any sale: whether sensitive health conversations are used for training, how long they are retained, who can access them, and whether users can meaningfully separate medical queries from ordinary chatbot history. The supplied sources already point in that direction by noting that many chatbot terms allow conversations to be used as training data.
For users, the practical takeaway is immediate: do not assume a chatbot health conversation is protected just because the topic is medical. For AI companies, the warning is equally direct: health features invite health-grade scrutiny.
The evidence to watch is the bill text. If it clearly covers AI-entered health information, gives the FTC the promised enforcement tools, and preserves the right for affected individuals to sue, this could become one of the first serious federal attempts to wall off chatbot health disclosures from the data-broker market. If the definitions narrow, the headline may survive while the privacy protection shrinks.
Impact Analysis
- The bill would treat health details shared with AI chatbots as sensitive data that cannot be sold to brokers.
- It signals growing concern that consumer AI tools may expose medical disclosures outside traditional health privacy rules.
- The proposal could force AI companies to rethink how they collect, use, and monetize user-submitted health information.










