Quest for a Comprehensive Federal Privacy Law: ADPPA vs APRA

Jul 11th '24

The legal need for robust data privacy regulations has become increasingly evident in today’s changing data privacy landscape. The complication of emerging (and differing) state data privacy laws further underscores the need for comprehensive federal privacy laws. This is an inflection point for information management and data security that we cannot afford to overlook.


As consumers become more conscious of how their personal information is collected, shared, stolen, sold, and utilized, federal policymakers face a daunting challenge. They must craft a comprehensive federal privacy law that strikes a delicate balance between protecting consumers and safeguarding business interests.


Two proposed bills, the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA), have emerged as potential solutions. Each bill brings a unique approach, sparking interest in its implications and possible impact on data privacy regulations.


The origins of the ADPPA

The ADPPA traces its roots back to 2019 when a bipartisan group of lawmakers introduced the Consumer Data Privacy and Security Act (CDPSA). This initial bill aimed to establish a national data privacy and security standard, preempting the growing patchwork of state laws that had begun to emerge. However, the CDPSA faced criticism from consumer advocacy groups and privacy experts, who argued that it did not go far enough in protecting individuals’ rights.


In 2022, the ADPPA was introduced as a revised version of the CDPSA, marking a significant evolution in the legislation. It incorporated feedback from various stakeholders and addressed concerns raised about its predecessor, demonstrating a commitment to improving data privacy and security at the federal level.


Key provisions of the ADPPA

The ADPPA seeks to achieve several goals, including:


  • Data minimization and purpose limitation: The bill requires companies to collect and use data only for specified purposes and to minimize the collection of personal information to what is reasonably necessary.
  • Consumer rights: The ADPPA grants consumers many rights, such as the right to access, correct, delete, and port their personal data, as well as the right to opt out of targeted advertising and the sale of their personal information.
  • Data security requirements: Companies must implement reasonable measures to protect personal information from unauthorized access, use, or disclosure.
  • Enforcement and oversight: The Federal Trade Commission (FTC) would be granted expanded authority to enforce the ADPPA’s provisions, including seeking civil penalties for violations.
  • Preemption of state laws: One of the most contentious aspects of the ADPPA is its preemption clause, which would override most state privacy laws, creating a uniform national standard.


The emergence of the APRA

In 2024, while the ADPPA was gaining attention, another group of lawmakers introduced the American Privacy Rights Act (APRA). APRA is a proposed data privacy law introduced on April 7, 2024, by U.S. Senator Maria Cantwell (D-WA) and U.S. Representative Cathy McMorris Rodgers (R-WA).


If enacted, APRA would establish a comprehensive federal consumer privacy framework, giving American citizens new federal rights regarding the collection, storage and use of data about them.


APRA background and purpose:

APRA aims to establish a nationwide standard for comprehensive data privacy and security regulation. It acknowledges individual data controls for consumers and the associated responsibilities of various corporations.


It provides the right to opt out of targeted advertising and specific algorithms. APRA also imposes additional requirements on significant stakeholders in the data landscape, including data brokers and “large data holders.”


How are APRA and ADPPA different?

APRA builds upon previous congressional efforts and includes elements from ADPPA (H.R. 8152), which the House Energy and Commerce Committee advanced during the 117th Congress. While APRA shares some similarities with ADPPA, it differs in several key areas:


  • Broader definition of personal information: APRA defines personal information more broadly, including not only traditional identifiers like names and addresses but also biometric data, geolocation information and online activity data.
  • Stronger consent requirements: Unlike ADPPA, which allows for implied consent in certain circumstances, APRA requires explicit, affirmative consent for the collection and use of personal information.
  • Private right of action: One of the most significant differences between the two bills is that APRA grants individuals a private right of action, allowing them to sue companies directly for law violations.
  • No preemption of state laws: While ADPPA aims to establish a national standard by preempting state laws, APRA takes a different approach, allowing state laws to remain in effect alongside federal law.
  • Broader coverage: APRA applies to a wider range of entities, including non-profit organizations and common carriers, while ADPPA includes some exemptions for certain types of organizations.


ADPPA and APRA address data privacy concerns differently

While both the ADPPA and APRA aim to address data privacy concerns, they differ in several key areas:


Preemption of state laws

ADPPA’s preemption clause has been a point of contention, with some arguing that it undermines states’ efforts to protect their residents’ privacy. In contrast, others argue that a national standard is necessary for businesses operating across state lines. Conversely, APRA allows state laws to coexist with federal law, potentially creating a more complex regulatory landscape.


Consent requirements

APRA’s stricter consent requirements have been praised by privacy advocates but criticized by some businesses as overly burdensome and potentially hindering innovation.


Definition of personal information

APRA’s broader definition of personal information has been lauded by those who argue that it better reflects the evolving nature of data collection and use. However, it has also raised concerns among businesses about potential compliance challenges.


Enforcement and oversight

While both bills grant the FTC enforcement authority, APRA’s inclusion of a private right of action introduces an additional layer of oversight and potential consequences for non-compliance.


A private right of action is a legal tool often found in federal and state laws that grants an individual or private party the authority to file a civil lawsuit against another party or a business for alleged harm. The inclusion of this limited private right of action was a compromise between consumer advocates who wanted stronger enforcement mechanisms and business groups concerned about excessive litigation. Key differences of the private right of action between the ADPPA and the APRA include:


  • Scope: APRA provides a broader private right of action, allowing lawsuits for any violation, while ADPPA limits it to specific types of sensitive data.
  • Notice and cure: ADPPA includes a 45-day notice and cure period before lawsuits can be filed, which APRA does not require.
  • Damages: APRA allows for statutory damages, while ADPPA only permits recovery of actual damages.
  • Covered entities: ADPPA’s private right of action exempts smaller businesses and non-profits, while APRA applies to all covered entities.


APRA allows for broader lawsuits and damages against a wider range of entities, taking a more impactful approach to the private right of action. On the other hand, ADPPA’s private right of action is more limited in scope and potential impact, reflecting a compromise aimed at reducing excessive litigation risks for businesses.


Where the two bills currently stand

As of June 2024, neither ADPPA nor APRA has been passed into law.


ADPPA was approved by the House Committee on Energy and Commerce in 2022 but has failed to advance to the House or Senate for a full vote, primarily due to the California delegation’s issue with its preemption provision.


A draft of APRA was introduced in April 2024 by the Senate Commerce Committee Chair and House Energy and Commerce Committee Chair. It’s seen as a potential successor to the ADPPA and is currently under consideration.


Both bills aim to establish a federal framework for data privacy protections in the US. They share some similarities but also have key differences, such as the scope of coverage and the level of protection afforded to minors. APRA builds upon past congressional efforts and incorporates elements from ADPPA.


Resolving competing interests

As ADPPA and APRA continue to navigate the legislative process, stakeholders from various sectors have been actively engaged in shaping the outcome. Consumer advocacy groups, privacy experts, and civil liberties organizations have been vocal in their support for stronger privacy protections. In contrast, businesses and industry groups have advocated for a balance that allows for innovation and growth.


Due to the state data privacy law landscape, companies face a costly future. Many states have already passed their own privacy laws that differ from those of other states. A critical provision of all state data privacy laws (so far) is the concept of an extra-jurisdictional or long-arm application of the law.


These terms mean “application outside the jurisdiction” and convey that the data privacy law reaches beyond the state’s borders (i.e., an organization in any other state that collects that state’s citizens’ personally identifiable information).


Due to this extensive new regulatory liability, businesses now face an increasingly complex data privacy regulatory environment.


Finding common ground between these competing interests has proven challenging so far. The urgency of addressing data privacy concerns has only increased as high-profile data breaches and privacy scandals continue to make headlines. ADPPA and APRA represent significant efforts to tackle this complex issue, but their differences highlight the ongoing debate about the appropriate balance between consumer protection and business interests.


Ultimately, the success of any federal privacy law will depend on its ability to address the concerns of all stakeholders while providing a clear and consistent framework for data privacy and security. As the legislative process continues and whether ADPPA, APRA — or a separate compromise bill — will emerge as the foundation for a comprehensive federal privacy law in the United States remains to be seen. Until then, businesses must stay informed about the evolving data privacy law landscape.


As the political debate surrounding data privacy, ADPPA and APRA continues, it has become evident that finding a legislative solution satisfying all stakeholders will require compromise and adaptation to emerging trends in data privacy.


Compromise is needed in data privacy legislation

One possible compromise could involve the preemption clause in ADPPA. Although a consistent national standard is attractive for businesses that operate across state lines, there might be an opportunity for a mixed approach that allows certain aspects of state laws to exist alongside the federal framework. This could mean allowing stronger state laws to continue in specific areas, such as biometric data privacy or data breach notification requirements.


Another possible compromise could involve the private right of action in APRA. Consumer advocates support this provision as it empowers individuals. Still, businesses may prefer a limited private right of action that applies only to specific types of violations or data rather than a broad private enforcement mechanism.


As the legislative process progresses, policymakers must also stay aware of emerging trends and technologies that may impact data privacy considerations. For example, the growing use of artificial intelligence and machine learning in data analysis and decision-making processes raises questions about the ethical use of personal data and the need for algorithmic transparency.


Beyond the specific regulations of the ADPPA and APRA, a wider discussion is developing about the importance of data privacy in the digital economy. As more areas of our lives become connected to digital technologies, there is an increasing acknowledgment that data is an asset that should be handled with responsibility and ethics.


Some experts have suggested moving towards a “data rights” paradigm, where individuals would have more control and say over their personal information, like property rights. This might include ways for individuals to profit from their data or to participate in the economic advantages resulting from its use.


Effects on information management and archiving

The proliferation of new (differing) state data privacy laws across the United States will significantly impact how organizations manage and govern their information. Some of the key ways these state laws will affect corporate information management practices include:


  • Data mapping and inventory: Companies must carefully map and inventory the personal data they collect, process and store to understand their obligations under various state laws. This includes identifying what data qualifies as personal information, where it is located, how it moves and who can access it.
  • Data governance frameworks: Robust data governance frameworks will become essential to ensure compliance with varying state requirements concerning data collection, use, retention, security and consumer rights such as access, deletion and opt-outs. Companies must establish policies, processes, and controls aligned with each state law or wait for a preempting federal law to be passed.
  • Consumer rights management: With many states granting expanded consumer rights, corporations will need mechanisms to efficiently handle data subject access requests related to data access, portability, deletion, opt-outs from sales/sharing and other privacy rights across different jurisdictions.
  • Data security enhancements: Most state laws require companies to implement reasonable data security practices corresponding to the risks. This may involve enhancing security controls, conducting risk assessments, designating data protection officers and implementing processes like data protection impact assessments.
  • Third-party risk management: Companies must closely evaluate and monitor data sharing/processing with third parties to ensure compliance with state laws.
  • Recordkeeping and documentation: State laws often require detailed recordkeeping and documentation related to data processing activities, consumer requests, risk assessments and data protection impact assessments to demonstrate compliance.
  • Employee training: Due to varying privacy requirements across states, comprehensive employee training on data handling, consumer rights, incident response and compliance processes are essential.
  • Regulatory reporting and breach notifications: Different state laws have varying data breach notification requirements. Corporations need streamlined processes to assess incidents and notify regulators and consumers within mandated timeframes across jurisdictions.
  • Internal investments: Corporations will likely invest in privacy management technology, automation tools and skilled personnel to implement compliance across various state privacy regulations efficiently.


Considering the varied state data privacy laws, corporations must adopt a centralized and rigorous approach to data governance. This approach should encompass consistent practices, documentation, and controls while still accommodating the specific requirements of each state in which they operate.


ADPPA and APRA are significant efforts to establish a comprehensive federal privacy law in the United States. However, their differences highlight the ongoing challenges of balancing consumer protection and business interests in the digital age.


As the legislative process continues, stakeholders from various sectors will need to engage in constructive dialogue and seek areas of compromise. Although finding a perfect solution that satisfies all parties may be elusive, the urgency of addressing data privacy concerns and providing a clear regulatory framework cannot be overstated.


Ultimately, the success of any federal data privacy law will depend not only on its specific provisions but also on its ability to adapt to emerging technologies and evolving societal attitudes toward data privacy. By recognizing the cultural changes, policymakers can create a foundation for responsible data stewardship that fosters data subject trust and innovation while protecting individual rights and upholding democratic values.


FEATURED WHITE PAPER: Data Lifecycle Management | Introducing a tiered approach to data management


Source: Smarsh


About Bill Tolson

Bill Tolson is President of Tolson Communications LLC, an advisory and consulting firm. He has 25-plus years in the archiving, information governance, data privacy, data security, and eDiscovery industries. Bill has held executive leadership positions in a wide range of high technology organizations, from consulting firms and technology startups to multinationals. Companies include Contoural, Hewlett Packard, StorageTek, Iomega, Hitachi Data Systems, Recommind, Actiance and Archive360 where he was the Vice President of Global Compliance and eDiscovery for seven years.


Bill is a frequent speaker at legal and information governance industry events and has authored four eBooks including Email Archiving for Dummies, Cloud Archiving for Dummies, The Bartenders Guide to eDiscovery and the Know IT All’s Guide to eDiscovery. Bill has also authored 60 plus industry articles and hundreds of blogs as well as hosting 37 podcasts with industry pundits, subject matter experts, state legislators, and attorneys.


About Smarsh

Smarsh® is the recognized global leader in electronic communications archiving solutions for regulated organizations. Smarsh provides innovative capture, archiving, e-discovery, and supervision solutions across the industry’s widest breadth of communication channels.


Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.


Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit


About us

LS Consultancy are experts in Marketing and Compliance, and work with a range of firms to assist with improving their documents, processes and systems to mitigate any risk.


We provide a cost-effective and timely bespoke copy advice and copy development services to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose.


Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.


Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.


Explore our full range today.


Need A Regulatory Marketing Compliance Consultant? A Bit More About Us


Contact us


Why Not Download our FREE Brochures! Click here.


Call Us Today on 020 8087 2377 or send us an email.


We welcome individual bloggers / Professional Writers / Freelancers to submit high quality contents. Find out more…



Connect with us via social media and drop us a message from there. We’d love to hear from you and discuss how we can help.


Facebook | Instagram | LinkedIn | X (formerly Twitter) | YouTube


Contact us