Your therapist can't sell your secrets, but your AI chatbot can — until now, maybe.
The Summary
- Senator Elizabeth Warren and Rep. Mary Gay Scanlon are updating the Health and Location Data Protection Act to explicitly ban AI companies from selling users' health and location data to brokers
- The 2022 version targeted data brokers; the 2026 version targets the companies feeding them — including ChatGPT, Claude, and other AI platforms
- The bill recognizes what HIPAA doesn't: your mental health conversation with an AI isn't protected like one with a licensed therapist
The Signal
The original Health and Location Data Protection Act died quietly in 2022. Data brokers kept brokering. Four years later, the problem got an AI-shaped upgrade.
People tell AI chatbots everything. Anxiety symptoms. Medication side effects. Where they were when the panic attack hit. The kind of intimate health detail you'd share with a therapist, except your therapist operates under HIPAA and your chatbot operates under a terms-of-service agreement written by product lawyers optimizing for data collection.
"Your therapist can't sell your secrets, but your AI chatbot can — until now, maybe."
The updated bill closes the loop. Instead of just banning data brokers from buying and selling health and location data, it bans the originating companies from selling to brokers in the first place. OpenAI, Anthropic, Google, Meta — if you're running an AI platform where users disclose health information, you can't package it up and sell it downstream.
Here's what makes this different from typical privacy theater:
- It acknowledges AI chatbots as health data collection points, not just "productivity tools"
- It targets the supply side of the data broker economy, not just the middlemen
- It treats location data and health data as equally sensitive, which matters when your phone knows you visited a cancer clinic
The timing isn't coincidental. AI adoption is exploding precisely because these tools feel conversational, personal, trustworthy. That intimacy is the product. You wouldn't tell a search engine you're struggling with suicidal thoughts. You might tell Claude. And if Claude's parent company can sell aggregated, anonymized versions of that conversation to a mental health analytics firm, who then sells insights to insurers, you've just created a HIPAA workaround at scale.
The Implication
If this bill passes, AI companies will need to choose: build business models around subscription revenue and compute efficiency, or keep chasing the data monetization playbook that made Web2 social platforms billions. The smart money says they'll choose subscriptions. The lazy money will lobby against the bill.
For users, the implication is simpler. Right now, your AI assistant might be your most honest confidant and your biggest privacy liability at the same time. Legislation like this is the first attempt to reconcile that tension. Watch which companies fight it.