Still No Federal Data Privacy Law: What Happened to the ADPPA?

by Bill Tolson

The new age of data protection laws began on May 25, 2018, with the passing of the EU’s General Data Protection Regulation (GDPR) law. The GDPR is a comprehensive data privacy and security law that established a strict framework for the collection, processing, storage and transfer of personal data from EU citizens. One interesting aspect of the GDPR is that it extends beyond the EU’s borders, meaning that any organization that collects EU consumer data is subject to the law — even those companies that are outside the EU.

The GDPR, the CCPA and more

At about the same time the GDPR became enforceable law, the California Consumer Privacy Act (CCPA) was passed, making its way through the California State Legislature in 2018 and becoming effective on January 1, 2020. The passage of the CCPA drove other states to create data privacy bills as well. At the time of writing this blog, 11 states have passed comprehensive data privacy laws: California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana and Texas.

Many of these state data privacy laws are very similar, and most grant consumers the same core rights, such as the right:

  • To know what personally identifiable information (PII) the organization has collected
  • To know how it is being used
  • To know whether it has been sold, and to whom
  • To have their PII corrected or deleted

However, the individual state data privacy laws differ in important aspects, including definitions, exceptions, exclusions, fines and other end-user rights. Currently, there are an additional seven states with active data privacy bills in their legislatures.

There is no doubt that in the next five years, most U.S. states will also have passed data privacy laws. This growing tidal wave of differing state data privacy laws is raising alarms in businesses across the U.S. Many company boards have asked:

“Can any of these state data privacy laws act as a 'high-water mark' law?”

If an organization meets one of the laws, such as the CCPA, will it also meet the other state laws, or will organizations need to keep track of each law and its data subjects separately? The answer is no: complying with one state's law does not guarantee compliance with the others, so each law and its data subjects must be tracked separately.

As more states pass data privacy laws, companies that collect end-user PII will face a regulatory environment increasing in complexity, risk and cost. Also, as with the GDPR, these new data privacy laws have jurisdiction over their data subjects’ PII — no matter where the non-compliant PII handling originated. For example, a company based in New York that suffers a data breach or mishandles a California resident’s PII is subject to the California data privacy law and its fines.

At the federal level – The ADPPA

The American Data Privacy and Protection Act (ADPPA) is a federal bill that aims to provide U.S. consumers with foundational data privacy rights, create robust oversight mechanisms and establish meaningful enforcement. The bill was introduced on July 20, 2022, in the U.S. House of Representatives by Representative Frank Pallone. The bill seeks to replace the current (and growing) patchwork of state privacy laws with a comprehensive federal consumer privacy framework that would remove some of the complexity companies are facing with the expanding lineup of emerging state data privacy laws. The bill was approved by the House Committee on Energy and Commerce on July 20, 2022, with a 53-2 bipartisan vote. However, it failed to advance to the House or Senate in the last Congress.

Although the ADPPA was not enacted, its provisions could become law by being included in another bill in the future. In fact, it is common for legislative text to be introduced concurrently in multiple bills (called companion bills), re-introduced in subsequent sessions of Congress in new bills, or added to larger bills (sometimes called omnibus bills).

Due to the overwhelming bipartisan support the ADPPA received in the House Energy and Commerce Committee, it still makes sense for organizations to review and understand it.

The ADPPA is a comprehensive bill that covers a broad range of data privacy topics and rights. Some of the key provisions of the bill include:

  • Consumer rights: The bill would provide consumers with several new rights, including the right to access their personal information, the right to have their personal information deleted, the right to opt out of the sale of their personal information, and the right to correct inaccurate PII. The ADPPA would also allow consumers to appeal if their correction request is denied. If a company denies a correction request, the company must provide the consumer with a clear explanation for the denial.
  • Data collection and use: The bill would restrict how organizations can collect and use personal information. For example, organizations would need to obtain consent from consumers before collecting their personal information, and they would need to use the information for the purposes for which it was collected.
  • Data security: The bill would require organizations to implement reasonable security measures to protect personal information from unauthorized access, use, disclosure, modification or destruction.
  • Enforcement: The bill would create a new Federal Privacy Commission to enforce the bill's provisions. The commission would have the power to investigate complaints, issue fines and bring lawsuits against organizations that violate the law.

The Private Right of Action

One consumer right included in the ADPPA (so far) is a Private Right of Action. This right ensures that consumers can sue companies directly for some violations of the ADPPA — instead of waiting for a government agency to sue the offending organization.

The violations included in the Private Right of Action include:

  • Unauthorized access or disclosure of personal information
  • Failure to implement reasonable security measures to protect personal information
  • Collection or use of personal information without consent
  • Sale of personal information without consent
  • Discrimination against consumers who exercise their privacy rights

Consumers who sue under the ADPPA can seek damages, injunctive relief and other remedies.

At the time of this writing, several new state data privacy laws include variations of the Private Right of Action.

These state laws include:

  • California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Virginia Consumer Data Protection Act (VCDPA)

The specific provisions that a particular state's Private Right of Action covers will vary from state to state. Consumers in states without a Private Right of Action may still be able to file complaints with their state attorney general or other regulatory agencies; however, they will not have the ability to sue offending companies directly.

The ADPPA's Private Right of Action is limited in scope. Individuals can only sue companies for violating the specific provisions listed above. Additionally, individuals would first need to notify the Federal Trade Commission (FTC) of their intent to sue, and the FTC would have the authority to intervene in the lawsuit if it chooses to.

The inclusion of a private right of action in the ADPPA is a significant development in data privacy law. It gives individuals a powerful tool to hold companies accountable for mishandling their personal data. However, the limited scope of the private right of action means that it may not be effective in all cases.

The ADPPA's Private Right of Action is a complex legal provision and is a hot-button issue for many federal legislators.

The ADPPA preemption provision

The ADPPA includes a preemption provision that would override many state data privacy laws, including CCPA and CPRA. This has been a controversial issue, with some consumer advocates arguing that preemption would weaken consumer privacy protections and others arguing that it is necessary to create a uniform and less complex national data privacy law.

The preemption provision means that state laws that cover the same topics as the ADPPA — such as data collection, use, and disclosure — would be preempted and unenforceable. The preemption provision was a major priority for organizations. It would (in most cases) mean that instead of having to track and comply with an expanding state data privacy law landscape, organizations would only have one U.S. data privacy law to follow. This would drastically reduce the complexity and cost of data privacy compliance.

However, the state of California raised objections to this provision, and because the Speaker of the House at the time was from California, the ADPPA was not brought to the floor for a vote.

Will the Federal Trade Commission step in?

Because of the lack of a federal data privacy law, the FTC has signaled that it will begin adopting regulations and enforcement actions that focus on consumer data privacy and data security.

The FTC has been a long-time vocal advocate for data privacy regulation and enforcement. It has stated that data privacy is now a top priority and that it will use all its tools to protect consumers from unfair and deceptive data privacy practices.

The FTC has issued several guidance documents on data privacy law enforcement. In 2016, the FTC issued a report on the data privacy practices of companies in the mobile app ecosystem that found companies were collecting and using sensitive consumer data without obtaining proper consent. The FTC also issued a report on the data privacy practices of data brokers, which found that data brokers collected and sold a wide range of personal data about consumers without consumers' knowledge or consent.

Recently, the FTC has taken numerous enforcement actions against companies for data privacy violations. For example, in 2019, the FTC settled a case with Facebook for $5 billion for violating users' privacy. The FTC alleged that Facebook misled users about how their data was being used and that the company allowed third-party app developers to access user data without permission.

Consumer advocates have praised the FTC's data privacy law enforcement efforts. However, some businesses have criticized the FTC for being too aggressive in its enforcement actions.

A positive sign that many are waiting for would be for the FTC to open a privacy rulemaking under its Section 18 authority, establishing binding federal privacy regulations for all industries under its jurisdiction.

Current FTC Chair Lina Khan and Commissioner Rebecca Slaughter have already indicated they favor this approach. The agency has twice provided notice of its intention to proceed with privacy rulemaking. With the recent addition of privacy advocate Alvaro Bedoya as a third vote, the commission could soon move ahead with this regulatory approach.

What does the future hold?

The outlook for the passage of the ADPPA is still uncertain. Despite the challenges, there is a chance that the ADPPA could be passed in the next Congress. The Biden administration has expressed support for the bill, and there is bipartisan support in Congress. However, it is possible that the legislation could be delayed or even derailed by other legislative priorities.

There is little doubt that a U.S. federal data privacy law will eventually be passed. But until then, companies that collect, store, sell or use PII will face an increasingly complex and risky regulatory landscape.

Organizations that harvest PII would be well advised to take all data privacy laws seriously and ensure their C-Level management and boards are made aware of the liability and the need to spend additional funds to reduce the overall risk. The fines issued to organizations for non-compliance could potentially put many companies out of business.
