The American Data and Privacy Protection Act (ADPPA) is a comprehensive federal privacy bill with bipartisan support that aims to establish national data protection standards. The legislation passed the U.S. House Committee on Energy and Commerce with a 53-2 vote in July 2022 but still requires full House and Senate approval.
Key Coverage and Scope
Covered Entities
The ADPPA applies to "any entity collecting, processing or transferring covered data, including nonprofits and sole proprietors." The law also regulates cellphone and internet providers and common carriers but excludes government entities.
Covered Data
Protected information includes anything that identifies or can be reasonably linked to a person, plus:
- Biometric data
- Genetic data
- Geolocation information
Exclusions
The law excludes three categories:
- Deidentified data - Information that cannot be linked back to an individual
- Employee data - Data collected in the context of employment
- Publicly available information - Such as public social media accounts
Consumer Rights and Protections
The ADPPA establishes several key protections for consumers:
- Minimal data collection: Companies may collect data only when reasonably necessary and proportionate to the requested services
- User control: Individuals gain rights to access, correct inaccuracies, and potentially delete personal data
- Consent protection: The law prevents companies from conditioning service access on accepting broad consent terms
- Research allowance: Permits data collection for peer-reviewed or public interest research
Enforcement and Private Right of Action
A significant feature of the ADPPA is the private right of action, allowing individuals to sue companies for violations. This enforcement mechanism distinguishes ADPPA from alternatives that would restrict enforcement to the Federal Trade Commission alone.
Federal Preemption
The ADPPA preempts most state privacy laws, including California's Consumer Privacy Act, though it preserves:
- State biometric privacy regulations
- Facial recognition-specific laws
This preemption remains negotiable as lawmakers continue drafting the final version.
Comparison to Existing Law
The legislation mirrors aspects of the 1986 Electronic Communications Privacy Act (ECPA), which established baseline national electronic surveillance protections while permitting states to enact stronger safeguards. The ECPA model has functioned effectively without overwhelming courts or commerce for decades.
Industry Response
The business community presents divided opinions:
- Major tech companies and the U.S. Chamber of Commerce oppose the private right of action provision, preferring FTC-only enforcement
- Legal scholars and privacy advocates generally view the legislation as necessary and workable with modifications
Why This Matters
Data routinely flows across international borders, so many U.S. companies have already built compliance with other nations' laws into their systems, including the EU's General Data Protection Regulation (GDPR). The ADPPA would establish comparable protections for American citizens who currently lack comprehensive federal privacy safeguards.
Key Takeaways
- The ADPPA is a bipartisan federal privacy bill that would create national data protection standards
- It covers most entities that collect, process, or transfer personal data
- Consumers would gain rights to access, correct, and delete their personal information
- The private right of action allows individuals to sue for violations
- The law would preempt most state privacy laws while preserving some biometric protections
- Many companies already comply with similar international standards such as GDPR