Emerging Federal Privacy Legislation: Status and Outlook

Federal privacy legislation in the United States has operated through a fragmented sectoral model for decades, with statutes like HIPAA, COPPA, and GLBA covering specific industries rather than establishing a baseline national standard. Legislative efforts to enact a comprehensive federal privacy law have accelerated since 2019, producing competing frameworks in Congress that differ substantially on preemption scope, private rights of action, and enforcement architecture. Understanding the current legislative landscape is essential for compliance professionals, data protection officers, and researchers navigating the data protection providers maintained across this reference network. This page maps the structural elements, key legislative variants, and jurisdictional decision points that define the federal privacy debate.

Definition and scope

Comprehensive federal privacy legislation refers to proposed statutes that would establish uniform baseline rights for individuals regarding the collection, use, sharing, and deletion of personal data — applicable across industries rather than within a single sector. The defining feature distinguishing these proposals from existing law is horizontal applicability: coverage would extend to any entity handling personal data above a defined threshold, rather than only to healthcare providers or financial institutions.

The two most prominent proposals to reach committee action in recent Congresses are the American Data Privacy and Protection Act (ADPPA), which advanced out of the House Energy and Commerce Committee in 2022 with a 53-2 vote (House Committee on Energy and Commerce, July 2022), and the American Privacy Rights Act (APRA), introduced in 2024 by bipartisan leadership on the same committee. Both proposals draw on foundational fair information practice principles codified in sources such as the FTC's 2012 Privacy Report and the OECD Privacy Guidelines (originally issued in 1980, revised in 2013).

The Federal Trade Commission (FTC) would serve as the primary enforcement authority under both frameworks, with additional enforcement authority granted to state attorneys general. The scope of coverage under the ADPPA was defined to include entities subject to FTC jurisdiction, carving out common-carrier telecommunications entities and certain nonprofits, consistent with FTC Act Section 5 jurisdictional boundaries.

How it works

Proposed comprehensive federal privacy frameworks operate through a layered mechanism with five structural components:

  1. Individual rights establishment — Codifying rights to access, correction, deletion, and data portability, modeled on rights structures found in the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100 et seq.) and the EU's General Data Protection Regulation (GDPR).
  2. Data minimization obligations — Prohibiting collection and use of data beyond what is reasonably necessary for a disclosed purpose, a standard both the ADPPA and APRA explicitly adopt.
  3. Algorithmic accountability provisions — Requiring impact assessments for covered algorithms that present risk of consequential harm, drawing on framework language from the NIST AI Risk Management Framework (NIST AI RMF 1.0).
  4. Preemption architecture — Determining whether federal law displaces state privacy statutes. The ADPPA contained broad preemption with specific carve-outs for state laws on employee privacy, student privacy, and the Illinois Biometric Information Privacy Act (BIPA). The APRA 2024 draft narrowed preemption scope in response to opposition from California legislators.
  5. Enforcement pathway — Establishing FTC rulemaking authority, civil penalty structures, and — most contentiously — a private right of action allowing individuals to sue for statutory damages.

The private right of action provision has been the primary obstacle to Senate passage in each iteration. The ADPPA's inclusion of a delayed private right of action (effective four years after enactment) drew opposition from the U.S. Chamber of Commerce and industry groups, while privacy advocates including the Electronic Privacy Information Center (EPIC) argued the delay was itself a structural weakening.

Common scenarios

The following scenarios represent the primary contexts in which federal privacy legislation would materially alter compliance obligations relative to the current sectoral patchwork:

Cross-sector data brokers — Data aggregation companies operating outside GLBA or HIPAA jurisdictions currently face regulation only in states that have enacted data broker registration laws (as of 2024, Vermont and California maintain the most developed frameworks). A federal statute would impose nationwide disclosure, opt-out, and deletion obligations on this category of entity for the first time.

Small business thresholds — Both ADPPA and APRA proposed tiered obligations based on revenue and data volume. Under the ADPPA structure, entities with under $41 million in annual revenue, fewer than 100,000 individuals' data processed annually, and no data sale revenue would qualify as "small data holders" with reduced obligations — a direct parallel to GDPR's Article 30(5) exemption structure.

Sensitive data categories — Health data outside HIPAA coverage (such as wellness app data), precise geolocation, biometric identifiers, and data concerning minors receive heightened treatment under proposed frameworks, consistent with the sensitivity classifications used in state laws like the Virginia Consumer Data Protection Act (VCDPA, Va. Code §59.1-571).

Children's data — Both frameworks proposed strengthening COPPA-equivalent protections to cover teenagers up to age 17, extending the current 13-year threshold established under the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501).

Decision boundaries

The critical structural distinctions that determine how proposed federal privacy law would interact with existing obligations break into three classification axes:

Federal floor vs. federal ceiling — A floor model preserves state laws that exceed federal minimums; a ceiling model preempts them. The ADPPA (2022) leaned toward ceiling preemption; the APRA (2024) moved toward a floor model with enumerated exceptions. This distinction determines whether California's CCPA/CPRA framework survives enactment — a point that stalled ADPPA Senate advancement, given resistance from the California delegation.

Sectoral carve-outs vs. unified coverage — Both proposals exclude data already regulated under HIPAA, GLBA, and the Fair Credit Reporting Act (FCRA) at the entity or data level. The FCRA-governed credit reporting ecosystem (15 U.S.C. §1681) remains separately administered through the Consumer Financial Protection Bureau (CFPB).

FTC enforcement vs. dedicated agency — Unlike the EU model, which created independent Data Protection Authorities under GDPR Article 51, all major US proposals vest primary federal enforcement in the FTC — an agency with a broad consumer protection mandate but no dedicated privacy division equivalent in size or specialization to EU counterpart bodies. The FTC's current privacy enforcement authority derives primarily from Section 5 of the FTC Act and sector-specific rules; a comprehensive statute would significantly expand that jurisdictional base.

Professionals assessing organizational readiness for a federal privacy statute should consult the section for guidance on how this reference network structures its coverage of the evolving compliance landscape, and the "how to use this data protection resource" page for navigation within this domain.
