Closer than it has been

Every Congress since 2012 has seen comprehensive federal privacy legislation introduced. None has been enacted. The patterns of failure have been consistent — disagreements about scope, preemption, enforcement, individual rights, and the political weight of the industries affected.

The American Privacy Rights Act, the most recent major proposal, has gotten further than its predecessors. Bipartisan committee versions have advanced. The text has been substantially negotiated. Industry, civil society, and state attorneys general have engaged in detail. The bill has not been enacted; the proximate causes of stalling are familiar; the underlying policy has matured substantially.

This brief explains where federal privacy legislation actually stands, what the recurring sticking points are, and what passage would actually do.

What APRA does

The American Privacy Rights Act, in its various recent forms, provides:

Scope. Most data collection and processing by businesses meeting size thresholds (employee count, annual revenue, data volume). Smaller businesses face reduced requirements; certain entities (small nonprofits, government contractors handling specific data, etc.) face tailored treatment.

Data minimization. Collection of personal data must be limited to what is necessary for permitted purposes. Sensitive data (health, biometric, location, demographic, etc.) faces stricter purpose limits.

Individual rights. Access (you can find out what’s collected about you), correction (you can fix errors), deletion (you can require erasure), portability (you can take your data elsewhere), and limited opt-outs (targeted advertising, sale of data, profiling for high-impact decisions).

Consent for sensitive data. Affirmative consent requirements before sensitive data can be collected or processed for specific purposes.

Privacy by design. Risk assessments for high-risk processing. Data security obligations. Breach notification requirements.

Enforcement. FTC primary enforcement, state attorney general parallel enforcement, limited private right of action for serious violations.

Children’s data. Specific protections for users under 17, including stricter consent requirements and constraints on targeted advertising.

The substantive policy is in the same general space as European GDPR, California CCPA/CPRA, and the leading state-level privacy laws. The implementation details vary; the conceptual framework is consistent across these regimes.

What the preemption fight is actually about

The recurring sticking point in federal privacy legislation is preemption — whether federal law preempts state law on the same subject matter, and to what extent.

Industry generally favors broad preemption. The 50-state patchwork that has developed in the federal vacuum imposes substantial compliance costs; replacement with a single federal standard would reduce those costs even if the federal standard is stricter than the average state standard.

Civil society and state-level privacy advocates generally favor a federal floor that does not preempt state laws. Several state-level privacy frameworks (California’s, in particular) provide protections that would be lost if federal preemption were strict. The argument: federal law should set a meaningful baseline below which states cannot fall, while allowing states to experiment with stronger protections.

State attorneys general have specific institutional concerns about federal preemption. State AG enforcement of state privacy laws is a significant element of US privacy enforcement. Federal preemption that displaced state AG authority would centralize enforcement in the FTC — which has chronically constrained resources for the breadth of issues it addresses.

The negotiated middle ground in recent APRA drafts: partial preemption. Federal law preempts state laws on certain specific provisions (typically those where compliance complexity is high) while preserving state authority on others (typically those where state-level innovation is judged valuable). The negotiation over which categories fall into which bucket has been substantive and detailed.

What else is at stake

Several substantive policy questions remain in active negotiation:

Private right of action. Whether individuals can sue for privacy violations, or whether enforcement is limited to FTC and state AG action. Industry strongly opposes a broad private right of action; civil society generally supports it. The negotiated middle ground in recent drafts is a private right of action limited to specific serious violations and with class-action limitations.

Civil rights protections. Whether federal privacy law includes provisions specifically addressing algorithmic decision-making in employment, lending, housing, and other high-impact contexts. Civil rights organizations have pushed for stronger protections; some industry groups have resisted as scope expansion.

Data minimization standard. How strict the data-minimization requirement is, and how broad the “permitted purposes” exception is. Stricter minimization is more protective; broader permitted purposes give businesses more flexibility.

Children’s data scope. Whether protections extend to ages 13-17 or only the existing COPPA-protected under-13. Recent APRA drafts have extended to under-17.

Sensitive data definition. What categories of data face the stricter sensitive-data treatment. The list has been negotiated extensively — health, biometric, precise location, government identifiers, sexual orientation, immigration status, genetic, and other categories have all been considered.

FTC capacity. Whether the bill provides FTC with the staffing and authority needed to actually enforce a comprehensive privacy regime. Adequate FTC capacity is a recurring concern of advocates skeptical that legislation without enforcement infrastructure will deliver.

What state law has achieved in the federal vacuum

The 15+ state-level privacy laws now in effect provide a useful comparison and a backstop:

California (CCPA / CPRA). The most comprehensive state privacy framework, with a dedicated privacy enforcement agency (the California Privacy Protection Agency) that has produced active enforcement.

Virginia, Colorado, Connecticut, Utah, Texas, Tennessee, Oregon, Indiana, Iowa, New Jersey, New Hampshire, Delaware, Maryland, Montana, others. A patchwork of state laws, generally less protective than California’s but each providing meaningful baseline rights.

Patchwork costs. Compliance with multiple state regimes imposes real costs on businesses operating across state lines. The patchwork has produced industry pressure for federal preemption.

Patchwork benefits. State-level innovation has produced specific protections (California’s Delete Act for data brokers, Colorado’s AI Act, others) that probably would not have emerged through federal negotiation. The patchwork serves as a laboratory for what works.

If federal privacy legislation is enacted, its preemption scope will determine how much of the state-level innovation is preserved. The negotiating dynamic on this point has been protracted and remains active.

What to watch

• APRA reintroduction in the next Congress. Bipartisan negotiations have continued.
• State-level enforcement and innovation. California’s CPPA, state AG actions in other states.
• FTC rulemakings. FTC commercial-surveillance rulemaking and adjacent actions advance privacy protections through existing authorities.
• Industry posture. Whether major affected industries shift toward supporting comprehensive federal action.
• Children’s online safety and data legislation. KOSA and similar proposals intersect privacy law in important ways.

Bottom line

Federal privacy legislation has matured substantially over the past decade. The substantive policy is in a tight negotiated band where major elements are agreed; the recurring sticking points (preemption, private right of action, scope of civil-rights provisions) are contested but tractable. The political coalition for action has grown. Enactment is closer than it has been in a generation. The work of advocacy at this stage is on the specific provisions where the bill could be substantially better — preserving state authority, ensuring real enforcement, protecting civil rights — without losing the political coalition that has gotten the bill this far.