January 6, 2023 By Mark Stone 5 min read

When it comes to data protection laws, the United States has long lagged behind Europe, whose General Data Protection Regulation (GDPR) came into effect in 2018 as the gold standard in data protection.

Also, in 2018, California passed the California Privacy Protection Act, further expanding it to the California Privacy Rights Act (CPRA) in 2020. In August 2022, a new federal bill — the American Data Privacy and Protection Act (ADPPA) — passed Congress with a landslide 53-2 vote. The proposed federal law is similar to the CPRA but contains a few key differences that have Californian data privacy advocates concerned.

What are the compliance implications for businesses with both state and federal data privacy laws running in tandem? Is ADPPA’s preemption of state privacy laws good for businesses and consumers? Read on to learn more about the two bills, their differences and what it would mean for businesses if federal law preempts state laws.

What do both the California and federal laws have in common?

Who is included

Businesses that handle consumer data must adhere to these laws. CPRA only pertains to businesses and consumers in California. The ADPPA — if passed — would cover businesses across the United States.

Collecting and sharing data

Both laws restrict how much personal data a business can collect from consumers and require that it collect only the data necessary to provide the service. Consumers can opt out of both unnecessary data collection and any data sharing or selling to third parties.

Plus, they have the right to:

  • Know when companies collect their data
  • Request their data from the past 12 months
  • Request that companies delete their data.

Sharing or selling data to third parties

Under both laws, consumers can opt out of having their data shared with or sold to third parties and request that organizations delete that data. Businesses must clearly indicate when they intend to share or sell that data to third parties.

Reasonable data security measures

Both laws include provisions that require businesses to take reasonable steps toward data security. Neither bill outlines specifically the minimum threshold for security, stating that it is the responsibility of the business to make every effort to keep consumer data secure.

While both bills have much in common, some key differences concern data privacy advocates.

For more information about what CPRA does and does not cover, click here. To review the proposed federal bill, click here.


Contested differences between state and federal data privacy laws

When a federal law preempts a state law, the federal law takes precedence over the state law or “overrides” it.

Here are some of the most significant differences between CPRA and ADPPA that could pose a challenge.

Does the law consider governments to be covered entities?

According to the proposed federal law, “Federal, State, Tribal, territorial or local government entities” need not meet data privacy requirements. This means that consumers cannot opt out of businesses sharing data with government entities. In contrast, CPRA does include government entities, limiting the ability of the government to use personal data.

If ADPPA does pass into law, businesses will not be able to cite data protection laws as a reason for not sharing personal data with government entities.

Can the legislature amend these laws in the future?

One of the more important discussions about the ADPPA versus CPRA is whether they can be amended. CPRA states that the law can only be amended to introduce more consumer protections; it cannot be amended to be weaker. On the other hand, there is no such protection for ADPPA. The past few years have illustrated that federal bills protecting rights can easily be reversed or amended to be less stringent.

Data privacy activists are concerned that Congress can amend ADPPA to be weaker. If a more ineffective federal law preempts the stronger state law, it can leave Californians with flawed data protections.

Are there loopholes to opting out of data collection?

Proponents of CPRA have criticized ADPPA for a massive loophole in opting out of data collection and storage. ADPPA outlines specific exceptions to opting out of data collection. The contested exception says that consumers cannot opt out if the data collection is used “to develop, maintain, repair or enhance or improve a product or service for which such data was collected.”

Critics of the bill suggest this exception is too large of a loophole.

Private right of action

Private right of action refers to a consumer’s ability to sue a business for noncompliance with data protection laws. This is especially relevant in the case of data breaches. Both tech leaders and the U.S. Chamber of Commerce were concerned that including a private right of action in the federal law could open the door to class action lawsuits.

While ADPPA does include a private right of action, critics point out that the consumer’s right to action is severely limited and excludes monetary compensation. Also contentious is that the weak private right of action provision undercuts the data security requirements. Privacy advocates worry that if consumers cannot hold businesses accountable by suing when their data falls into the wrong hands, businesses will not be motivated to meet security requirements.

CPRA’s private right of action only applies to data breaches. Still, it gives a lot more power to consumers to sue for monetary compensation, even if they cannot prove direct damages due to the data breach.

What would it mean for businesses if ADPPA preempts state law?

Differences between the proposed federal law and CPRA affect businesses and consumers in California only if the federal law preempts the state law.

In the current language, ADPPA preempts all state laws — including California laws — except for some specific provisions.

For these exceptions, state law will still hold:

  • State laws governing the collection and use of biometric and genetic information
  • The security breach private right of action provisions of CPRA
  • State laws regarding the privacy rights of students and employees
  • Specific state laws about the collection and use of personal data related to crimes, public safety, medical or health information and marketing or spam.

If ADPPA passes into law, it will supersede California law in every way except for the private right of action. That means businesses will not need to adhere to stricter California laws if the legislature amends the federal bill to be weaker in the future. In addition, federal law would not restrict businesses from sharing personal consumer data with government entities.

The general wording of the data collection exception can allow businesses to forgo opt-out options if they can show they are collecting data to improve their products and services. In the age of personalized user experiences, showing this is a low bar to clear.

Legal security requirements put significant potential liability on businesses if they fall prey to cyberattacks. Under CPRA, the company is more liable, and a data breach means opening the business up to potential lawsuits. The proposed federal law gives fewer options for private right of action. This shields businesses from having to potentially offer monetary compensation. Unfortunately, the ADPPA does not preempt CPRA for this specific provision, so businesses operating in California should be aware of consumers’ comprehensive private right of action.

The future of data protection law

While ADPPA has passed in Congress, it still has a long way to go before being passed into law. Even if the law does not ever pass, the ADPPA is a comprehensive data protection law that can serve as an outline for businesses drafting their data protection compliance strategies.
