The U.S. may finally get a federal privacy law to rival Europe’s GDPR


Get ready for a lobbying furor, because there’s suddenly a plausible, bipartisan, bicameral push to finally give the U.S. a comprehensive data-privacy law, going way beyond the protections for medical and children’s data that already apply countrywide.

The bill, which will be formally introduced later this month, is called the American Privacy Rights Act, or APRA. It was unveiled yesterday (yes, on a Sunday) by Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.), who respectively chair the House and Senate Commerce Committees. And its contents look awfully familiar from my vantage point here in Europe, home of the General Data Protection Regulation (GDPR).

APRA would let Americans opt out of targeted advertising and minimize the personal data that companies hold on them. They would be able to tell companies to give them access to their data, to correct or delete it, and to demand a downloadable version of their data that they could port over to a rival service provider. Companies would be unable to pass on sensitive personal data without the subject’s express consent, and would be banned from using “dark patterns” on pages where users choose their privacy preferences to subliminally divert them from exercising their new rights.

Consumers would gain the right to opt out of companies making algorithmic decisions about them in crucial areas like employment, housing, and education. Companies would have to abide by stronger data security standards to protect people’s data, with executives bearing ultimate responsibility. It should be noted, though, that small businesses (with revenues under $40 million) that don’t collect much data would remain exempt from the bill’s provisions. The law would enable enforcement by the Federal Trade Commission and in private suits by victims.

Of course, many of these rights are already available to Americans, but only in certain states. The absence of a comprehensive federal data privacy law has resulted in an increasingly confusing patchwork of state laws. One example: California, Colorado, Connecticut, Utah, and Virginia all let people opt out of targeted advertising, but only California mandates the opt-out wording and demands that the opt-out link appear on a service’s homepage. And these are just the states that already have such laws in place—over the next two years, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, and Texas are all due to see their own takes on a comprehensive privacy law come into effect.

APRA would almost completely flatten the landscape by preempting all state privacy laws, except in specific legal domains including civil rights, consumer protection, and contracting. That’s a big deal for tech firms, as it means predictability (the GDPR provided the same benefit in the EU when it came into effect nearly six years ago).

However, it’s also a big deal for APRA’s prospects in Congress. The last big push of this kind was the American Data Privacy and Protection Act (ADPPA) of 2022, which was also a Rodgers coproduction, but which Cantwell sank because it didn’t preempt state laws, and would have given Americans in general weaker protections than those given to, say, Californians. The new proposal’s backers promise it will be “stronger” than any state law.

“This landmark legislation gives Americans the right to control where their information goes and who can sell it,” Rodgers said in yesterday’s statement. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.” Rodgers also noted that Americans “overwhelmingly want these rights,” while Cantwell described the agreement as “the protections Americans deserve in the Information Age.”

Indeed, Pew Research’s polling consistently shows that a strong majority of American adults do want more regulation of consumer data, be they Democrats or Republicans (though Democrats are a little likelier to be clamoring for more rules).

Big Tech has also been overtly keen on getting a proper federal privacy law in place—Meta’s Mark Zuckerberg, Microsoft’s Satya Nadella, and Apple’s Tim Cook have all called for an American GDPR of sorts over the past several years—and Microsoft privacy chief Julie Brill provided the sector’s first reaction to the APRA proposal late last night. “The U.S has long deserved to join the rest of the world in establishing comprehensive privacy legislation,” Brill (a former FTC commissioner) posted on X, with applause for Cantwell and Rodgers.

But again, now comes the lobbying. Everyone wants a predictable, harmonized regulatory landscape. Still, I’m guessing not everyone wants American consumers to get full EU-grade privacy rights that limit what companies can do with the personal data they hold, particularly as the AI explosion makes those resources more valuable than ever.

David Meyer


This story was originally featured on Fortune.com
