Data privacy is an ongoing concern for Americans. A national study from 2014 found that over 90% of respondents believed they had lost control of how their personal data is used by companies, and that 80% were concerned about government surveillance of online communications. Nearly a decade later, the vast majority of Americans remained concerned and confused about how companies and the government use their personal data. Tech companies like Google, Meta, and Microsoft often collect data about users’ activities, preferences, and interactions on social media platforms and websites. This data can include users’ demographic information, browsing history, location, device information, and social interactions. While a majority of data tracking happens within apps, companies can also employ hard-to-detect tracking techniques to follow individuals across a variety of apps, websites, and devices. This can make it difficult for users to evade data tracking even when they decline data collection permissions.
Background: ADPPA and APRA
To address longstanding concerns about data privacy, lawmakers proposed The American Data Privacy and Protection Act (ADPPA) in 2022. ADPPA aimed to “limit the collection, processing, and transfer of personal data” of consumers while also “generally prohibit[ing] companies from transferring individuals’ personal data without their affirmative express consent.” Representative Frank Pallone (D-NJ) and Ranking Member Cathy McMorris Rodgers (R-WA) sponsored the bill. ADPPA passed out of the House Committee on Energy and Commerce with almost unanimous support, but was not brought up for a vote before the close of the 117th Congress. Two years later, lawmakers introduced the American Privacy Rights Act (APRA), a similar data privacy bill with more robust mechanisms for data control and privacy. To understand the APRA, it’s crucial to examine the various arguments for and against its predecessor, the ADPPA.
Arguments in Favor of the ADPPA
The push for ADPPA reflected a need to create uniform privacy standards on a federal level. Many businesses and industry groups supported the ADPPA because it would have standardized data privacy policies across the United States through a preemption clause that overrides similar state laws. Supporters argued that this would eliminate the challenge and high cost of enforcing a patchwork of data privacy laws across 20 states.
Other proponents applauded the ADPPA’s efforts to maintain civil rights for marginalized users. In a letter to House Speaker Pelosi (D-CA), 48 civil rights, privacy, and consumer organizations highlighted the bill’s provisions to require technology companies to test their algorithms for bias and increase online protections for users under 17 years old. They argued that these provisions, along with limitations on data collection without user consent, would “provide long overdue and much needed protections for individuals and communities.”
Criticisms of the ADPPA
Although the ADPPA garnered strong bipartisan support in committee, it ultimately failed to pass. Some experts argued that the bill contained loopholes that could be exploited by companies to avoid compliance, including inadequate provisions addressing data brokers, a limited private right of action, and the potential for gaps in enforcement. The ADPPA’s private right of action clause, which allows individuals and groups to take civil action against tech companies in Federal court for violating the ADPPA’s provisions, drew much debate. While the original bill was rewritten to permit a private right of action beginning two years after the passage of the bill rather than four years, some lawmakers still feared that this two-year delay left a gap in enforcement. As for the data broker question, the ADPPA would have implemented more robust hurdles to the sale of user data, but did not ban the brokerage of sensitive data outright. Given the growing influence of the data brokerage industry, some argued that the ADPPA overlooked a critical component of the data privacy ecosystem by omitting strong regulations on data brokerage.
The greatest criticism of the ADPPA concerned its preemption clause. While ADPPA would have supplemented existing data privacy legislation in states like Virginia and Colorado, other states were worried that the implementation of ADPPA would overrule stronger privacy laws at the state level. California lawmakers feared that the ADPPA’s preemption clause would nullify the stricter provisions in the California Consumer Privacy Act, weakening their state’s pre-existing privacy protections. While the ADPPA contains carve-outs for some parts of strict state-level laws and was rewritten to allow the California Privacy Protection Agency to enforce ADPPA compliance, these provisions did not satisfy lawmakers who worried that privacy protections for their constituents would still be rolled back. Ultimately, many cite opposition from Californian legislators as a major reason why the ADPPA failed to pass.
The APRA: A New Framework
In 2024, Senate Commerce Committee Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (D-WA) introduced the American Privacy Rights Act (APRA) as a new federal framework for data privacy protection. Senator Cantwell had been an outspoken critic of ADPPA’s right to private action. Both ADPPA and APRA contain similar provisions to establish a centralized procedure for users to opt-out of data sharing and to require corporations to collect no more data than is necessary to meet specific needs. Additionally, both bills include a state law preemption clause, with differing exceptions to the state laws they override. APRA’s preemption clause has received similar criticisms to ADPPA’s clause, as California legislators fight for a “floor” for privacy rights rather than a “ceiling.”
In contrast to the ADPPA, the APRA includes a much broader private right of action, allowing individuals to sue companies for violations immediately. This differs from the ADPPA’s two-year delay on private suits that intended to give businesses time to comply. The APRA also expands the ADPPA’s definition of covered organizations to include agencies that process the sensitive data of over 700,000 connected devices. Additionally, the APRA includes more specific provisions to protect data for users under the age of 17. The APRA is currently undergoing a similar process to its predecessor, and was most recently referred to the House Committee on Energy and Commerce. It will likely take months for decisions to be made regarding the bill’s passage out of committee, but the bill has garnered significant bipartisan support and shows promise in the current Congress.
Conclusion
In today’s digital age, more Americans than ever are concerned about the data they share and how it’s used. With evolving social media algorithms and corporate data collection strategies, bills like the ADPPA and the APRA provide potential routes to stronger protections for user privacy. The debate surrounding both bills centers on balancing the need for a uniform federal standard with the preservation of stronger state laws, and reconciling strict consumer protection with the likelihood of corporate compliance. As lawmakers consider these factors, data privacy bills like the APRA are likely to make progress in coming months.
