A comprehensive federal data privacy law in the United States has never been closer to reality. Even with bipartisan and bicameral support, it still has many obstacles to overcome to get through Congress. The most recent hurdle was making it out of the House Committee on Energy and Commerce, which sent the bill to the full House for consideration after numerous compromises led to a 53-2 vote to advance. The following is a big picture overview of the ADPPA in its current form.

Who Supports/Opposes it, and What are the Major Points of Contention?

Proponents of the bill cite the need for comprehensive data privacy legislation at the U.S. federal level to “create a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms.”[1] In addition, many companies in the business community also support the law as a way to create a national standard as opposed to a patchwork of different state laws.

Preemption of state law is a major point of contention. Section 404 (b)(1) specifies that:

No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.[2]

Some exceptions to this preemption principle are found in Section 404 (b)(2), which generally include consumer protection laws of general applicability, civil rights, employee or student privacy, data breach notification, and contract or tort laws, to highlight a few. Some specific laws are also called out in Section 404 (b)(2), including the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, as well as section 1798.150 of the CCPA on consumer actions based on personal information security breaches.

The California Privacy Protection Agency (CPPA) Board is one of the most vocal opposers of the ADPPA, arguing that it preempts important provisions of the CCPA and CPRA. The House Committee on Energy and Commerce sought to lessen the impact on California by noting in amended Section 404 (b)(3) that the CPPA may enforce the ADPPA “in the same manner it would otherwise enforce the CCPA,” but this concession didn’t resolve the CPPA’s preemption concern. In a letter sent to U.S. House Speaker Nancy Pelosi, D-California, the CPPA discusses how the CPRA sets a “floor” on privacy protections, allowing for stronger privacy rights but not weaker ones. They continue that the ADPPA is below the CPRA floor, weakens the privacy rights of C.A. citizens, and that it’s a ceiling limiting the extension of privacy rights instead of a floor. A more in-depth analysis of the argument against preemption can be found here.

The private right of action is also a point of contention. The US Chamber of Commerce argued that a private right of action will “encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.”[3] Others argue that the private right of action is too limited as currently drafted because there is a right-to-cure process for most violations and because arbitration is mandatory. An analysis of the private right of action can be found here, which includes an opinion about its perceived weakness as currently drafted.

Who is Regulated?

“Covered entities” include “any entity or any person…that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and

  • is subject to the Federal Trade Commission Act [or]
  • is a common carrier subject to the Communications Act of 1934… or
  • is an organization not organized to carry on business for their own profit or that of their members; and

includes any entity or person that controls, is controlled by, or is under common control with another covered entity.”[4]

Exclusions are listed in (SEC. 2)(9)(B), which include federal, state, and local governmental entities and entities collecting, processing, or transferring covered data on their behalf.

What types of data are regulated?

“Covered data” is defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.”[5] Exclusions in (SEC. 2)(8)(B) include de-identified data, employee data, publicly available information; or “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”

What are some noteworthy provisions?

Data Minimization provision under (Title I)(Sec 101) prohibits covered entities from collecting, processing, or transferring covered data unless that activity is “limited to what is reasonably necessary and proportionate to-

  • provide or maintain a specific product or service requested by the individual [or]
  • deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the covered entity; or
  • effect a purpose expressly permitted under subsection (b).”

Permissible purposes under subsection (b) include several related to carrying out the transactions and services requested by the individual, such as authenticating users of a product or service or fulfilling a warranty service. Permissible purposes also include purposes unrelated to the transaction, like preventing security incidents, fraud, and illegal activity or complying with legal obligations.

Section 102 establishes some loyalty duties for covered entities, laying out several restricted data practices. Most significantly it restricts collection or processing of sensitive personal data except where its “strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains, or to effect a purpose enumerated in section 101(b)(1) through (10).” Notably missing are the purposes related to marketing or advertising in 101(b)(10) and (11). Section 102 also addresses collection, processing, or transferring of social security number and aggregated internet search or browsing history subject to exceptions.

Section 103 discusses Privacy by Design, requiring covered entities to “establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data.” The highlights of this requirement involve mitigating privacy risks and implementing reasonable training and safeguards to promote compliance.

Title II deals with Consumer Data Rights, which include many of the foundational rights found in other privacy laws such as the GDPR and CCPA. For example, section 202 discusses transparency, requiring covered entities to publicly share their privacy policy that spells out data collection, processing, and transfer activities. Section 203 grants individuals certain rights concerning access, correction, deletion, and portability of their covered data. Section 204 deals with individuals’ rights to consent and to withdraw consent.

How are Covered Entities Held Accountable?

Title III has several requirements geared towards accountability. Section 301 requires executives to certify within one year of enactment of the Act that there are reasonable controls to ensure covered entities’ compliance and reporting structures in place. It also requires covered entities to designate a privacy officer. Title III additionally contains technical compliance requirements along with requirements for the Federal Trade Commission to review controls. More robust controls are also required based on the size and nature of the information collected by covered entities.

Who will Enforce it?

Title IV, section 401 specifies compliance will be carried out by a new Bureau of Privacy organized under the Federal Trade Commission. Section 402 also allows civil enforcement by state attorneys general or state privacy authorities within federal district courts where the interest of the residents of that state could be adversely affected by the activities of a covered entity. Finally, section 403 provides a limited private right of action to individuals beginning four years after the Act takes effect (which was already discussed above).


The likelihood of passing this law still may be a long shot based on how far it still needs to go to get through Congress and who is responsible for initiating the next steps. If it doesn’t pass in this Congress, many believe it will be years before a federal privacy law is seriously discussed again, especially if party control changes in the midterms. Regardless, though, it’s significant that the priority of federal privacy law is gaining momentum. Bipartisan and bicameral support of an idea is a giant leap forward and sets a new stage for privacy law in the United States. The ADPPA will also remain important because, in its current form, it is a much stronger piece of legislation than any prior federal privacy law that has received serious discussion in Congress and likely sets a new, more stringent baseline for future legislative debate. If privacy law hasn’t yet impacted your organization, it’s likely to soon. If you need help strategizing how to minimize privacy risks in your records retention schedule or RIM program, Zasio can help.

[1] “HOUSE AND SENATE LEADERS RELEASE BIPARTISAN DISCUSSION DRAFT OF COMPREHENSIVE DATA PRIVACY BILL” Jun 3, 2022 Press Release https://energycommerce.house.gov/newsroom/press-releases/house-and-senate-leaders-release-bipartisan-discussion-draft-of

[2] H.R.8152 – American Data Privacy and Protection Act Section 404 (b)(1) as of 8/3/2022. 117th Congress (2021-2022). https://www.congress.gov/bill/117th-congress/house-bill/8152/text

[3] “U.S. Chamber Warns It Will Oppose Any Privacy Legislation That Creates a Blanket Private Right of Action.” May 31, 2022. https://www.uschamber.com/technology/data-privacy/u-s-chamber-warns-it-will-oppose-any-privacy-legislation-that-creates-a-blanket-private-right-of-action

[4] H.R.8152 – American Data Privacy and Protection Act (SEC. 2)(9)(A) as of 8/3/2022. 117th Congress (2021-2022). https://www.congress.gov/bill/117th-congress/house-bill/8152/text

[5] ID at (SEC. 2)(8)(A).


Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Rick Surber, CRM, IGP

Author: Rick Surber, CRM, IGP

Senior Analyst / Licensed Attorney