U.S. Senator Elizabeth Warren and Representative Mary Gay Scullen have formally introduced a revised "Health and Location Data Protection Act" that explicitly expands the law's scope to include generative AI systems. The bill aims to comprehensively ban AI companies and data brokers from selling sensitive medical and personal health information that users enter into chatbots.

The legislation directly addresses privacy vulnerabilities created as tech giants compete for medical applications. Earlier this year, Elon Musk publicly urged users to upload detailed MRI scans and other medical records to xAI's Grok to test its diagnostic capabilities; OpenAI subsequently launched a secure environment specifically for handling medical records, and Anthropic followed with a HIPAA-compliant variant of Claude. In the absence of a unified federal digital privacy framework, user data security largely depends on companies' own privacy policy commitments.

To address this, the new bill requires the Federal Trade Commission (FTC) to develop binding regulations within 180 days, plans to allocate $1 billion in dedicated enforcement funding over the next decade, and grants state attorneys general and ordinary citizens the right to sue violators directly. The move marks a regulatory shift toward strict limits on the data that may be used to train large AI models. It attempts to reclaim ultimate control over personal privacy amid the commercial enthusiasm of tech companies that view biometric data as "fuel for models," and it carries significant implications for the compliance direction of commercial data governance in the generative AI industry.