The AI Accountability and Personal Data Protection Act (Bill No. S.2367) was introduced on Monday, July 21st by U.S. Senators Josh Hawley (R-Mo.) and Richard Blumenthal (D-Conn.). Released in tandem with President Trump’s “America’s AI Action Plan”, this bipartisan bill purportedly aims to establish guardrails for the AI industry while protecting consumer data rights and creators’ intellectual property, but the Ecommerce Innovation Alliance (EIA) has serious concerns about the proposed legislation and its potential to lead to increased opportunistic “shakedown” style litigation.

This Act applies to entities, including those deploying generative AI systems, that misuse personal or inferred data.Several key provisions, including the “federal right to sue for data misuse” and the “inability to enforce arbitration agreements,” could have significant and sweeping impacts on ecommerce businesses.

The Federal Right to Sue for Data Misuse: A New Legal Avenue for Individuals

The Act seeks to establish a federal tort relating to the collection, use or exploitation of individuals’ data without express, prior consent. This means the legislation would empower individuals to directly sue any company that “appropriates, uses, sells, or exploits their personal data or copyrighted works without clear, affirmative consent”. 

Specifically, the bill allows individuals to sue companies for “pirating their data for AI training” and for the “use of their personal data or copyrighted works without giving consent”. Key aspects of the Federal right to sue include:

• Who can be sued? Any person who, in or affecting interstate or foreign commerce, appropriates, uses, collects, processes, sells, or otherwise exploits the “covered data” of an individual without their express, prior consent can be held liable. This also extends to those who aid and abet such actions. The scope of “appropriates, uses, collects, processes, sells, or otherwise exploits” specifically includes the training of a generative artificial intelligence system that is sold, rented, licensed, or used by its provider. It also covers the generation by a generative AI system of any covered data pertaining to an individual, including content that imitates, replicates, or is substantially derived from the individual’s covered data.
• What is “Covered Data”? This is broadly defined to mean any information, data, or material that identifies, relates to, describes, or can reasonably be linked, directly or indirectly, with a specific individual. Crucially for ecommerce and creative industries, it explicitly includes data that is generated by an individual and is protected by copyright, regardless of whether the copyright has been registered. Examples provided in the bill include personally identifiable information, unique identifiers (like device IDs or IP addresses), geolocation data, biometric information, behavioral data (such as browsing history or purchasing patterns), and inferred, derived, or predicted data used to create a profile.
• What constitutes “Express, Prior Consent”? This term means a clear, affirmative act by an individual, made in advance of any data exploitation, indicating a freely given, informed, and unambiguous consent to the specific appropriation, use, collection, processing, sale, or other exploitation of their covered data. Consent will not be deemed valid if obtained through coercion or deception. Furthermore, consent is invalid if it’s made a condition of using a product or service where the exploitation of covered data exceeds what is reasonably necessary to provide that product or service. For data sharing with third parties, consent is only valid if each third party is specifically and clearly disclosed to the individual when consent is sought, and this disclosure is affirmatively presented in a manner that ensures it is seen and acknowledged. This disclosure must be presented distinctly and separately from any privacy policy, terms of service, or other general conditions, and cannot be satisfied by merely including a hyperlink or general reference. Any purported consent obtained solely through such general documents or via non-specific or passive disclosure is invalid and unenforceable.

The Act provides individuals with a private right of action and imposes minimum statutory damages even in the absence of any actual harm. An individual who prevails in a civil action brought under this Act may recover: “damages in an amount equal to the greater of: actual damages; 3 times “any profits from the appropriation, use, collection, processing, sale, or other exploitation of the covered data”; or $1,000, in addition to the potential for punitive damages and attorney fees.

Much like the TCPA, which has spawned a cottage industry of plaintiff attorneys, if adopted these provisions will incentivize plaintiffs attorneys to bring class action cases threatening treble damages and attorney fees, even when no concrete harm is established.

The Critical Impact of the Inability to Enforce Arbitration Agreements

The provision concerning arbitration agreements should also be of concern to ecommerce businesses. The act explicitly states that it “bans predispute arbitration agreements and class action waivers.” This is a monumental shift that greatly increases risk for ecommerce businesses.

Specifically, the bill states, “Notwithstanding any other provision of law, including chapter 1 of title 9, United States Code (commonly known as the ‘‘Federal Arbitration Act’’), a predispute arbitration agreement or predispute joint-action waiver shall not be valid or enforceable with respect to any claim arising under this Act”.  Any agreement that attempts to waive, limit, or preclude an individual’s right to bring an action in a court of law or to participate in a joint, class, collective, or representative action concerning any claim arising under this Act “shall be deemed contrary to public policy and shall be null, void, and unenforceable”.

Implications for Ecommerce Businesses:

• Increased Litigation Risk: By banning predispute arbitration agreements and explicitly protecting the ability of individuals to “sue in court and join class actions”, this bill significantly amplifies the potential for widespread and costly legal challenges. This shifts disputes from potentially private, out-of-court arbitration to public, often more prolonged and resource-intensive traditional litigation, including class actions.
  
• Fundamental Shift in Dispute Resolution: For companies that currently rely heavily on arbitration clauses in their terms of service to manage consumer disputes, this bill directly nullifies that approach for claims related to data misuse under this Act. This reintroduces the potential for significant legal expenses, negative publicity, and the substantial resource drain associated with navigating court proceedings for alleged data misuse or copyright infringement.

The bill has been referred to the Senate Judiciary Committee. The Ecommerce Innovation Alliance will continue to monitor its progress.  Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.