The Long Road Toward Federal Data Privacy

Caroline Tait

Associate Editor

Loyola University Chicago School of Law, JD 2024


In June of this year, the U.S. House Committee on Energy and Commerce’s Subcommittee on Consumer protection and Commerce met regarding the American Data Privacy and Protection Act (ADPPA). At this meeting the committee members highlighted that this bill, seeking to establish federal data privacy, is intended to be a compromise on the topic of federal privacy legislation as committee members from both sides agree that a federal privacy act is necessary.

In July, the ADPPA was passed by the House Energy and Commerce Committee by a 53-2 vote, but still faces pushback within the House as it has the potential to preempt state laws on data privacy. A National Law Review article cites Nancy Pelosi as a major critic of the ADPPA, as she has expressed concerns surrounding this bill and “its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act.”

The bill

This bill on data security would establish covered entities and covered data and impose a “baseline duty on all covered entities not to unnecessarily collect or use covered data… regardless of any consent or transparency requirements.” Covered entities are “any entity that collects, processes, or transfers covered data,” and covered data is “information identifying, linked, or reasonably linkable to an individual or device linkable to an individual.” This bill would be a huge step toward protecting data privacy as these covered entities, such as telecommunications carriers, would be entirely prohibited from “collecting, processing, or transferring covered data beyond what is reasonably necessary.”

During a committee markup meeting on the ADPPA in June of this year, Chairman of the Committee on Energy and Commerce, Frank Pallone, Jr. offered an opening statement. In this statement, he posited the bill as a way of protecting children and teens, stating that “companies, including social media platforms, will be flatly prohibited from targeting kids with harmful advertising” that could increase rates “of eating disorders, suicide, and other mental health issues.” This introduction by Chairman Pallone gives an insight into the protections sought that go beyond just protecting what an average citizen does on their phones and computers. The law firm Wilmer Hale summarized the key aspects of the ADPPA and cited children’s privacy as a major need for the bill that parties from both sides were able to agree upon, supporting the statement made by Chairman Pallone.

Additionally, the U.S Chamber of Commerce published an article in September of this year on what should and should not be included in a national privacy bill. This article emphasized that the ADPPA will not only have an impact on the big tech companies, but will impact every organization that collects data, no matter what the organization is. This will include anything from Facebook to hospitals and charity organizations. This wide range of coverage shows how comprehensive the ADPPA seeks to be.


Data privacy and protection has been a source of much debate in recent years. The ADPPA in particular has faced strong criticisms. Generally, there are two sides to the debate: privacy rights vs. civil and business rights. A National Law Review Journal article discussed both sides of the debate, noting that unsurprisingly major tech companies are against the bill, as they worry that the bill’s “inclusion of a private right of action with the potential to recover attorneys’ fees will lead to litigation abuse.”

The ADPPA also faces criticism at the state level. To understand this criticism, one must center data privacy at the state level. Certain states have adopted their own rigorous data privacy standards, such as Colorado. In July of 2021, Colorado was the third state to enact a privacy law concerning personal information and personal data, called the Colorado Privacy Act. In doing so, Colorado followed California and Virginia in establishing such regulation. The California Consumer Privacy Act “gives consumers more control over the personal information that businesses collect about them” and the Virginia Consumer Data Protection Act “establishes a framework for controlling and processing personal data”. If the ADPPA is passed, it will be interesting to see how both individual states and corporations that will be covered under the “covered entity” definition will react to this new legislation.

Further, in July following the vote, state attorneys expressed concern over how this new legislation would impact them. Specifically, a group of state attorneys and state leaders wrote letters to lawmakers expressing their concerns about how the bill would threaten state privacy laws and how the bill did not create enough of a “ceiling” such that states would still have to regulate data privacy. 

What’s next?

The Chamber of Commerce has given insight into what needs to be done for the ADPPA or another federal privacy act to pass, stating that it will collaborate with members of Congress to draft federal privacy legislation that is able to preempt state law so that citizens in all states will be protected equally. Given the preemption and federalist concerns, there is merit to the criticisms against the ADPPA which have been raised by certain states. At the same time, from a regulatory perspective, when dealing with covered entities from huge tech giants to non-profits, it is important that there be a streamlined federal law in place to ensure that these entities cannot use differences between state laws to avoid compliance. Ideally a compromise which recognizes the merits to both concerns could be reached, perhaps by narrowing the ADPPA’s preemption clause or specifying which parts of the state laws could be preempted by the ADPPA.