WASHINGTON: The American Data Privacy and Protection Act (H.R. 8152, 117th Cong.) passed the House Energy and Commerce Committee 53-2 on July 20, 2022, the closest Congress has come to a comprehensive federal consumer data privacy law. It never reached the House floor. As of May 2026, the federal legislative gap remains. Twenty states have filled it, in part, with their own frameworks.
What the ADPPA Proposed: Core Provisions
H.R. 8152 was introduced on June 3, 2022 by Rep. Frank Pallone (D-NJ) and Rep. Cathy McMorris Rodgers (R-WA) in the House, with Senate companion support from Commerce Committee Chair Maria Cantwell (D-WA). The bill proposed a single, comprehensive federal standard replacing the patchwork of sector-specific statutes that govern U.S. data privacy.
The bill’s core framework rested on four pillars. First, data minimization: covered entities could only collect, process, and transfer personal data that was “necessary, proportionate, and limited” to specified purposes. Second, consumer rights: rights to access, correct, delete, and port personal data, with a 45-day response deadline. Third, targeted advertising restrictions: the bill prohibited targeted advertising to individuals known or reasonably likely to be under age 17. Fourth, a private right of action, amended in committee from four years post-enactment to two years, allowing injured individuals to sue for compensatory damages, injunctive relief, and attorneys’ fees.
The FTC would have received authority to enforce the statute, and Congress mandated creation of a new FTC bureau dedicated to ADPPA compliance within one year of enactment. Civil penalties for violations would be treated as unfair or deceptive acts under Section 5 of the FTC Act. State attorneys general and, as amended, the California Privacy Protection Agency retained concurrent enforcement authority. Proceeds of FTC and AG civil actions would flow into a “Privacy and Security Victims Relief Fund” established in the U.S. Treasury.
The bill applied to any entity that collected or processed data of more than 100,000 individuals annually, or more than 10,000 individuals if the entity derived revenue from selling that data. Small businesses below those thresholds faced lighter obligations: primarily a duty to publish a privacy notice and not sell sensitive data without consent.
Why ADPPA Stalled: The Preemption Fight
The bill died on a single structural question: whether federal law would set a floor or a ceiling on state privacy protections. ADPPA as drafted largely preempted state privacy laws, carving out narrow exceptions for state laws on financial data, medical records, and children’s privacy.
California moved immediately. On July 28, 2022, eight days after the committee vote, the California Privacy Protection Agency (CPPA) Board voted unanimously to oppose H.R. 8152. The CPPA argued that ADPPA’s preemption language would weaken the California Consumer Privacy Act (Cal. Civ. Code § 1798.100) and its 2023 successor, the California Privacy Rights Act, by stripping California of the ability to enact stronger future protections through legislation or voter initiative.
On February 28, 2023, Gov. Gavin Newsom, Attorney General Rob Bonta, and the CPPA filed a joint letter to Congress formally opposing the preemption provisions in H.R. 8152. The letter argued that the federal baseline should set a floor, not a ceiling, allowing states to exceed federal minimums. California’s position was not merely political. The CCPA’s $100 million-plus in AG enforcement actions since 2020 gave the state leverage to defend a framework it had spent years building.
Sen. Cantwell’s office signaled similar reservations about the bill’s scope, focusing on the adequacy of the private right of action timeline and the robustness of civil rights protections. Without Cantwell’s endorsement, the bill had no viable path through the Senate Commerce Committee. The 117th Congress expired in January 2023 without a floor vote.
A successor bill: the American Privacy Rights Act (H.R. 8818, 118th Cong.), introduced June 25, 2024, again by Rep. McMorris Rodgers and Sen. Cantwell, reached the markup stage before House Republican leadership signaled it would not advance. Revisions removing civil rights protections caused consumer advocates to withdraw support. H.R. 8818 expired with the 118th Congress in January 2025 and has not been reintroduced in the 119th Congress as of this writing.
The State Privacy Law Patchwork: 20 Laws and Counting
The federal vacuum accelerated state action. Prior to 2021, California held a near-monopoly on comprehensive state data privacy law. The CCPA (effective January 1, 2020) and the CPRA amendment (effective January 1, 2023) built the most sophisticated state-level privacy framework in the country. Virginia broke the dam.
The Virginia Consumer Data Protection Act (Va. Code Ann. § 59.1-571 et seq.) took effect January 1, 2023. It established consumer rights to access, correct, delete, and port personal data; mandated data protection assessments for high-risk processing activities; and granted the Virginia Attorney General exclusive enforcement authority with civil penalties up to $7,500 per violation following a 30-day cure period. The VCDPA applies to controllers or processors that handle personal data of at least 100,000 Virginia residents annually, or at least 25,000 Virginia residents if the entity derives more than 50 percent of gross revenue from personal data sales.
Colorado, Connecticut, Utah, and Texas followed. By the close of 2024, twenty states had enacted comprehensive consumer data privacy laws, including Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, and Rhode Island. Eight of those states, Colorado, Connecticut, Kentucky, Montana, Oregon, Texas, Utah, and Virginia, have since amended their original enactments to address emerging issues in data broker obligations, automated decision-making, and sensitive data categories.
Enforcement postures vary. California’s CPPA holds independent rulemaking authority and has initiated formal enforcement proceedings. Texas relies on the AG’s Consumer Protection Division. Virginia and most other states funnel enforcement through their attorneys general with cure-period requirements that give covered entities a warning before penalty exposure. The cure windows range from 30 days (Virginia) to 60 days (Colorado) to no cure right at all in Connecticut after a specified date.
The compliance burden is real. A company processing data of residents in all twenty states faces twenty distinct regimes: different applicability thresholds, different consumer rights timelines, different definitions of “sensitive data,” and different enforcement mechanisms. The absence of a federal standard means legal teams must map data flows against a matrix that expands with each legislative session.
Federal vs. State Privacy Frameworks: Key Provisions
| Provision | ADPPA (H.R. 8152, 2022 — never enacted) | CCPA/CPRA (Cal. Civ. Code § 1798.100) | VCDPA (Va. Code Ann. § 59.1-571) |
|---|---|---|---|
| Effective / Introduced | Introduced June 3, 2022; died Jan. 2023 | CCPA effective Jan. 1, 2020; CPRA effective Jan. 1, 2023 | Effective Jan. 1, 2023 |
| Applicability Threshold | >100,000 consumers processed/yr; or >10,000 if data sold | Annual gross revenue >$25M; or >100,000 consumers; or >50% revenue from data sales | >100,000 VA residents/yr; or >25,000 + >50% revenue from data sales |
| Consumer Rights | Access, correct, delete, port; 45-day response | Access, correct, delete, port, opt-out of sale/sharing; 45-day response (extendable) | Access, correct, delete, port, opt-out; 45-day response |
| Data Minimization | Yes — “necessary, proportionate, limited” | No explicit minimization requirement (CPRA adds purpose limitation) | Yes — data must be adequate, relevant, and limited to stated purpose |
| Sensitive Data | Opt-in consent required (includes health, financial, biometric, precise geolocation) | Opt-out for sensitive data sharing; opt-in for minors under 16 | Opt-in consent required for sensitive data processing |
| Targeted Advertising — Minors | Prohibited for known/reasonably assumed under-17s | Opt-in required for under-16s; parental consent under-13 | Prohibited for known under-18s (2023 amendment) |
| Private Right of Action | Yes — after 2 years post-enactment; 45-day notice + cure | Yes — limited to data breaches involving unencrypted personal information | No — AG enforcement only |
| Civil Penalties | Up to $10,000/violation (FTC Act unfairness standard) | Up to $2,663/unintentional; $7,988/intentional (2025 inflation-adjusted) | Up to $7,500/violation after failed cure |
| Enforcement Body | FTC (new bureau) + State AGs + CPPA | California AG + California Privacy Protection Agency (CPPA) | Virginia AG (exclusive) |
| Preemption of State Law | Broad — narrow carve-outs for financial, health, children’s laws | N/A (state law) | N/A (state law) |
| Rulemaking Authority | FTC — mandatory rules on algorithm audits, data security standards | CPPA — active rulemaking program (regulations effective 2023, 2024) | None — statute is self-executing |
FTC Enforcement Under Section 5: What Exists Without ADPPA
The United States has no omnibus federal consumer data privacy statute. What it has is Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has used Section 5 as the primary federal data privacy enforcement instrument for two decades.
The statutory gap is structural. The FTC Act exempts common carriers (historically telephone companies), nonprofits, and financial institutions subject to the Gramm-Leach-Bliley Act. The FTC cannot write general-purpose privacy rules under its Section 18 Magnuson-Moss rulemaking authority without satisfying a burdensome procedural standard, a constraint that slowed the Commission’s 2022 commercial surveillance rulemaking initiative substantially.
Despite those limits, FTC enforcement in 2024 was among the most aggressive in the agency’s privacy history. The Commission reached a $16.5 million settlement with Avast Limited in February 2024, prohibiting the antivirus vendor from selling or licensing web browsing data collected through its software after the agency found that Avast had harvested data from users who believed the software protected them from tracking. The finalized consent order, announced June 2024, required deletion of data transferred to Avast’s subsidiary Jumpshot from 2014 through 2020.
The FTC also brought four separate enforcement actions against data brokers: X-Mode Social/Outlogic, InMarket Media, Mobilewalla, and Gravy Analytics, for unlawful collection, aggregation, and sale of precise consumer location data. The X-Mode action, finalized January 2024, was the first FTC settlement of its kind against a data broker specifically for location data sales. Separate litigation against data broker Kochava remained pending as of early 2025.
The 2025 enforcement environment shifted following a change in FTC leadership. Commissioner Andrew Ferguson, elevated to Acting Chair in January 2025, signaled a preference for established statutory theories, particularly COPPA (15 U.S.C. § 6501 et seq.) and GLBA, over novel unfairness expansions under Section 5. The agency maintained that AI-related exaggerated capability claims remain a priority, but the post-2024 posture is less likely to produce sweeping structural remedies against data brokers absent a new statutory mandate.
Sector-specific federal statutes fill narrow lanes. HIPAA governs protected health information for covered entities. COPPA regulates online collection of personal information from children under 13. GLBA governs financial institutions’ customer data. The Electronic Communications Privacy Act (18 U.S.C. § 2510) addresses interception of wire communications but was enacted in 1986 and does not address modern data broker practices. None of these laws creates a general consumer right to access, delete, or port personal data held by commercial entities outside their sector.
What’s Next: Congressional Prospects and State Momentum
The 119th Congress has not produced a federal privacy bill with significant forward momentum as of May 2026. S. 490: the Protecting Americans’ Privacy Act of 2025, introduced February 2025, remained in committee referral. The political dynamics that killed both the ADPPA and APRA persist: preemption scope, the private right of action’s breadth, and the role of state regulators remain the three fault lines on which bipartisan coalitions fracture.
The state trajectory runs in the opposite direction. Twenty states now have comprehensive privacy laws in force as of 2026; eight took effect this year alone. State enforcement activity is increasing. The California CPPA has demonstrated it will use its independent enforcement authority, it opened a formal enforcement proceeding against a major data broker under the CPRA in 2024. Texas AG enforcement under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541) commenced in 2024 against companies failing to honor opt-out requests.
Industry groups including the U.S. Chamber of Commerce and trade associations representing ad tech companies continue to press for a federal standard, primarily to achieve the compliance uniformity that a preemptive federal law would provide. Consumer advocacy organizations counter that the California framework represents the strongest consumer protection in the country and that federal preemption at a lower standard would constitute a net regression.
The most likely near-term scenario is continued state expansion with federal legislation remaining stalled absent a triggering event, a major data breach affecting tens of millions of consumers, sustained public attention, or a shift in Senate Commerce Committee dynamics. The FTC’s rulemaking authority under Section 5 remains a second vector, though the current Commission leadership has narrowed its interpretation of that authority.
For compliance officers and policy counsel, the operational reality is a 20-jurisdiction matrix that will reach 25 or more states by 2027 at current legislative velocity. Federal preemption, if it arrives, will be negotiated against that existing architecture, not designed from scratch.