
House Republicans roll out national privacy bill

House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.

The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.

It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” said Brett Guthrie, R-Ky., Chair of the House Energy and Commerce Committee and Rep. John Joyce, R-Pa., who led a working group charged with developing the draft legislation, in a statement.

The draft bill also imposes new requirements on businesses and other organizations to limit their collection of personal consumer data to what is “adequate, relevant and reasonably necessary” and only for purposes that are disclosed to consumers in advance. They must also adopt new safeguards for customers’ personal data and disclose any third parties they share it or sell it to, including adversarial foreign governments like Russia and China.

The Federal Trade Commission would be given greater oversight of data brokers that buy, collect, repackage and sell personal data to the highest bidder. The draft bill requires data brokers to register with the FTC, comply with data minimization, disclosure and data security mandates, and creates a new national data broker registry.

Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop that based on the released draft and conversations on the Hill, the bill most resembles privacy laws passed by Virginia or Kentucky (the home state of Guthrie) in recent years, with an emphasis on providing notice and opt-out rights to individual consumers and often tying business compliance to “reasonable” standards of evidence that they acted to protect consumer data.

At the same time, Zweifel-Keegan said it could potentially further empower the Federal Trade Commission and state Attorneys General to investigate and sanction bad actors.

The bill is the product of more than 16 months of internal discussion and consensus-building within the GOP majority. While drafting it, a working group led by Rep. John Joyce (R-Pa.) and other House Republicans solicited feedback from 170 organizations and received more than 250 responses from the public to a Request for Information released last year.

While they have worked to achieve consensus within their own caucus, House Republicans did not involve Democratic members in the working group or drafting process, something observers said could make it difficult to attract bipartisan support.

Zweifel-Keegan said that the Republican drafters of the bill “would challenge Democrats to explain why they can’t support the type of bill that has been passed in blue states.”

But he also noted that there are “plenty of ways that people will point to how it’s weaker than a lot of blue state privacy laws,” including federal preemption of more robust state privacy laws like those in California, the lack of a private right of action allowing individuals to sue companies directly and a mandatory 45-day “curing” period that allows companies in violation of the law to come into compliance and avoid formal sanctions.  

“I think the privacy working group and the leadership of the committee thinks there’s a pretty strong chance of passing it out of committee.” After that the bill’s chances are likely dependent on other factors, like getting some Democrats on board and working with “red state representatives who may not like their own laws being preempted.”

Shortly after the draft bill was released, Rep. Frank Pallone, D-N.J., ranking member on the House Energy and Commerce Committee, said he was opposed and accused House Republicans of having “lost the plot” on passing national privacy legislation.

“This Republican privacy bill protects corporations and their bottom line, not people’s privacy,” Pallone said in a statement. “We should be protecting the little guy with a bill that empowers consumers, not one that preempts consumer protections at the behest of Big Tech.”

Eric Null, director of the privacy and data project at the Center for Democracy and Technology, indicated that the Secure Data Act falls short, calling it full of “easily exploitable loopholes” that let companies “hide behind cookie banners and lengthy terms of service rather than establishing meaningful privacy protections.”

Null was also critical of the bill’s lack of substance around AI, saying that large language models pose significant privacy challenges today that will only worsen over time.

“Any federal privacy law discussed in 2026 should be future-proofed by protecting against growing AI-related privacy harms, namely by limiting data collection for AI training and preventing use of the technology to discriminate against protected classes, but this bill does neither sufficiently,” he said.

The American Civil Liberties Union also came out against the bill, with senior staff attorney Cody Venzke saying the GOP-led bill “places the onus on regular people” to sift through complex privacy policies created by businesses to request opt out or deletion of their data.

“And it leaves us without real recourse – even blocking us from going to court – if our requests go unanswered,” said Venzke in a statement.

In their joint statement, Guthrie and Joyce said they “look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The post House Republicans roll out national privacy bill appeared first on CyberScoop.

California AG launches investigation into X’s sexualized deepfakes

California Attorney General Rob Bonta announced an investigation Wednesday into xAI over allegations that its artificial intelligence model Grok is being used to create nonconsensual sexually explicit images of women and children on a large scale, marking the latest escalation in regulatory efforts to address AI-generated deepfakes.

The California investigation focuses on Grok’s “spicy mode,” a feature designed to generate explicit content that xAI has promoted as a distinguishing characteristic of its platform. According to Bonta’s office, news reports in recent weeks have documented widespread instances of users manipulating ordinary photos of women and children found online to create sexualized images without the subjects’ knowledge or consent.

“The avalanche of reports detailing the non-consensual, sexually explicit material that xAI has produced and posted online in recent weeks is shocking. This material, which depicts women and children in nude and sexually explicit situations, has been used to harass people across the internet. I urge xAI to take immediate action to ensure this goes no further. We have zero tolerance for the AI-based creation and dissemination of nonconsensual intimate images or of child sexual abuse material,” Bonta said in a release. 

The investigation will examine whether xAI violated California law in developing and maintaining features that facilitate the creation of such content. Bonta stated his office would “use all the tools at my disposal to keep California’s residents safe,” though he did not specify which statutes may have been violated.

xAI, founded by Elon Musk, also owns the social media platform X, where Grok-generated images have circulated. 

The company has not publicly responded to the investigation announcement. Musk posted Wednesday that he was “not aware of any naked underage images generated by Grok. Literally zero.”

CyberScoop has reached out to X for comment. 

The announcement comes a day after the Senate unanimously passed the DEFIANCE Act, which would grant victims of nonconsensual sexually explicit deepfakes the right to pursue civil action against those who produce or distribute such content. The bill now moves to the House, where similar legislation stalled in 2024 despite Senate approval.

The Senate’s passage of the DEFIANCE Act represents a rare moment of bipartisan consensus on technology regulation. The legislation, introduced by Sens. Dick Durbin, D-Ill., and Lindsey Graham, R-S.C., received no objections during a unanimous consent request Tuesday on the Senate floor.

The bill would establish federal civil liability for individuals who knowingly produce, distribute, or possess with intent to distribute nonconsensual sexually explicit digital forgeries. Rep. Alexandria Ocasio-Cortez, D-N.Y., who has acknowledged being a victim of explicit deepfakes, introduced companion legislation in the House with support from seven Republicans and six Democrats.

The technology to create such content has become increasingly accessible to the general public, lowering barriers that once limited deepfake production to those with specialized technical knowledge.

California has emerged as a focal point for AI regulation, with state lawmakers passing several bills aimed at addressing AI safety concerns. Bonta has been particularly active on issues involving AI and children, meeting with OpenAI executives in September alongside Delaware’s attorney general to discuss concerns about how AI products interact with young people. In August, he sent letters to 12 major AI companies following reports of sexually inappropriate interactions between AI chatbots and children.

California’s investigation comes as the United Kingdom announced earlier this week that it was also conducting its own investigation into the proliferation of deepfakes on X. 

The post California AG launches investigation into X’s sexualized deepfakes appeared first on CyberScoop.

University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks

The University of Pennsylvania joined the steadily growing number of victim organizations impacted by the widespread data theft and extortion campaign involving a notorious ransomware group’s exploitation of a zero-day vulnerability and other defects in Oracle E-Business Suite earlier this year. 

The university filed a data breach notification in Maine Monday, confirming nearly 1,500 Maine residents were affected by an intrusion into its Oracle EBS environment over a three-day period in early August. 

The Ivy League school and dozens of other victims were not aware of the attack until Oracle acknowledged the critical vulnerability after members of the Clop ransomware group sent extortion emails to alleged victim organizations in late September. Attackers exploited multiple vulnerabilities to steal large amounts of data from several Oracle EBS customers in August, according to Mandiant.

The university said it determined some personal information was stolen from its Oracle EBS system on Nov. 11, but did not provide details about how many people were impacted and what type of data was stolen during the attack. 

“The University of Pennsylvania was one of nearly 100 already identified organizations simultaneously impacted by the widely exploited Oracle E-Business Suite incident, involving a previously unknown security vulnerability in Oracle’s system,” a spokesperson for the university said in a statement.

“Penn has implemented the patches that Oracle issued to resolve the vulnerability,” the spokesperson added. “Penn has found no evidence that any of this information has been or is likely to be publicly disclosed or misused for fraudulent purposes.”

Other Ivy League schools were impacted by the targeted attacks on Oracle EBS customers as well, including Dartmouth College and Harvard University. 

Dartmouth filed data breach disclosures in California and Maine last month confirming that its Oracle EBS environment was also compromised over a few days in August. Personal data exposed by the breach included names, Social Security numbers and financial account information, according to Dartmouth. 

Harvard University said it was investigating a data breach involving its Oracle EBS system in mid-October, noting at the time that a limited number of people in a small administrative unit were impacted. Harvard said it found no evidence of compromise to other systems. 

The pool of victim organizations impacted by the mass exploitation of vulnerabilities in Oracle EBS underscores the risk posed by interconnected and widely used systems.

Cox Enterprises last month said personal data on almost 10,000 people was exposed by an attack on its Oracle EBS environment, which it discovered in late September. The attack occurred during the same period in August as the attacks on other victim organizations, the media and automotive company said in a data breach notification filed in California.

Logitech said it, too, was impacted by the widespread attacks on Oracle EBS customers. “The data likely included limited information about employees and consumers and data relating to customers and suppliers. Logitech does not believe any sensitive personal information, such as national ID numbers or credit card information, was housed in the impacted IT system,” the computer peripherals and software vendor said in a Nov. 20 regulatory filing.

Other previously confirmed victims include The Washington Post, Envoy Air and GlobalLogic.

Clop specializes in exploiting vulnerabilities in file-transfer services and has successfully intruded into multiple technology vendors’ systems to steal massive amounts of data for extortion efforts. These attacks typically flow downstream, ensnaring organizations and people multiple layers removed from the initial targeted victims.

Clop infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks appeared first on CyberScoop.
