MY DATA Act Stops Companies From Blocking Consumer Use of De-Identified Data, Grants FTC Enforcement Power

If you’ve ever felt like your personal data is just floating around out there, controlled by companies you barely remember signing up with, the MY DATA Act of 2025 is aiming to give you a little more control. This bill, officially the Manage Your Data and Allow Only Trusted Access Act, is pretty straightforward: it prevents private companies from stopping you from using your own data once that data has been stripped of your identity.

Specifically, a “covered entity”—which is basically any private company that collects, processes, or transfers your information—cannot take action against an individual for using de-identified data or cloaked data. Think of de-identified data as information that’s been scrubbed clean so it can’t be reasonably linked back to you (like knowing 100 people in your zip code bought coffee this morning, but not knowing which 100). Cloaked data is a bit trickier; it uses a unique persistent identifier—a special code—that hides your real identity while still allowing the company to communicate with you. The idea is to let you access and use this privacy-protected information without the company throwing up a roadblock. Any company that violates this is subject to enforcement by the Federal Trade Commission (FTC), which will treat it like an unfair or deceptive business practice.

The Fine Print: What’s Covered and What Isn’t

This bill is a win for consumer autonomy over data, but it’s crucial to understand the boundaries. For the average person, this means if you use a third-party app or service that relies on your anonymized health or financial data (perhaps to compare market trends or personal wellness metrics), the company that originally collected that data can’t legally shut down your access or punish you for using it. This provision recognizes that once data is sufficiently anonymized, it should be treated less like a proprietary company asset and more like a resource the individual can utilize.

However, the bill explicitly excludes government entities—Federal, State, or local—from the definition of a “covered entity.” This is a significant exclusion. While private companies face restrictions on how they manage your de-identified data, government agencies collecting similar data are not subject to the same prohibition. For instance, if a private health app must allow you to use your cloaked data, a state-run health service collecting the same type of information would not be bound by this specific rule. This creates a double standard in data privacy protection.

The Challenge of Cloaking

One of the bill’s core concepts, cloaked data, is also where some practical questions arise. The bill defines it as using unique identifiers to effectively hide your identity while still allowing communication. This is a great concept for privacy, but achieving true, un-re-identifiable cloaking is technically difficult. Since the bill doesn't specify the technical standards required to meet this definition, there’s a medium level of vagueness. Companies might try to argue that their cloaking methods are sufficient, while consumer advocates might push back, potentially leading to disputes the FTC will have to sort out. The effectiveness of this protection hinges entirely on how robust these technical identifiers truly are.

Another important carve-out is that the prohibition doesn't apply if the covered entity is acting as a “service provider.” This means a company could potentially contractually reclassify its role to avoid the core prohibition, which is something the FTC will need to monitor closely to prevent companies from finding loopholes.

Ultimately, the MY DATA Act is a strong step toward giving individuals more power over their digital footprint, particularly when it comes to utilizing their own information in privacy-preserving ways. It introduces clear enforcement authority for the FTC and sets a standard that private entities must respect consumer use of de-identified data. But like any new regulation, the real impact will be determined by how the FTC interprets the technical definitions and enforces the rules, especially around those slippery service provider exceptions and the government exclusion.