For over two decades, Congress debated and failed to pass comprehensive federal privacy legislation while the European Union enacted GDPR and US states built their own patchwork of privacy laws. The American Privacy Rights Act (APRA), introduced in April 2024, represented the closest Congress has come to creating a unified national privacy standard. Backed by bipartisan leadership and incorporating lessons from both GDPR and existing US state laws, APRA proposed a framework that would establish nationwide consumer rights, impose data minimization obligations, create algorithmic accountability requirements, and grant the FTC expanded enforcement authority.
As of mid-2026, APRA has not been enacted into law. But its framework remains the most likely template for eventual federal privacy legislation, and its core requirements — data minimization, consumer rights, opt-out mechanisms, and algorithmic impact assessments — already reflect the direction that state laws are moving. Understanding APRA is not just an academic exercise. It is advance preparation for what comes next.
Why APRA Matters Even Without Passage
You might reasonably ask: why study a bill that has not become law? Three reasons:
- It defines the floor — APRA represents the minimum set of privacy obligations that both parties in Congress have agreed upon. Any future federal privacy bill will likely include the same core elements: consumer rights, data minimization, FTC enforcement, and some level of preemption. Understanding APRA means understanding what is coming
- State laws are converging toward it — many of APRA's provisions already exist in state laws. Data minimization (California CPRA, Maryland MODPA), algorithmic accountability (California CPPA regulations, Minnesota MCDPA), and universal opt-out mechanisms (13+ states) are live requirements today. APRA would codify what is already becoming the national standard
- Private right of action debate shapes enforcement — whether consumers can sue directly (as in APRA's proposal) or only regulators can enforce (as in most state laws) fundamentally changes the risk calculus for businesses. The outcome of this debate in federal legislation will determine the litigation landscape for decades
Core Provisions of APRA
Here is what APRA would require, organized by major compliance area.
Consumer Rights
APRA proposed a comprehensive set of individual rights that largely mirrors the strongest state laws:
- Right to access — consumers can request and receive a copy of all personal data a covered entity has collected about them, in a portable, machine-readable format
- Right to correct — consumers can request correction of inaccurate personal data
- Right to delete — consumers can request deletion of their personal data, with exceptions for legal obligations, security, and certain internal operations
- Right to data portability — consumers can request transfer of their data to another entity in a structured, commonly used format
- Right to opt out of targeted advertising — consumers can opt out of the use of their personal data for targeted advertising purposes
- Right to opt out of data transfers — consumers can opt out of the transfer of their personal data to third parties beyond what is necessary to provide the requested service
- Right to opt out of algorithmic decision-making — consumers can opt out of the use of their data in algorithmic systems that make consequential decisions about them
These rights closely align with CPRA's seven consumer rights, with the addition of explicit data portability requirements and stronger algorithmic opt-out provisions. For businesses already compliant with CPRA, the rights framework would require minimal additional infrastructure.
Data Minimization
APRA's data minimization provision is one of its most impactful requirements. Covered entities would only be permitted to collect, process, retain, and transfer personal data that is "reasonably necessary and proportionate" to provide or maintain a specific product or service requested by the individual, or for one of a limited list of "permissible purposes."
The permissible purposes include:
- Providing the requested product or service — the core function the consumer signed up for
- Authentication and fraud prevention — verifying identity and preventing unauthorized access
- Security — detecting, preventing, and responding to security incidents
- Legal compliance — meeting obligations under federal, state, or local law
- First-party advertising — advertising based only on the context of the current interaction (not cross-context behavioral targeting)
- System maintenance and debugging — keeping systems operational
- Product improvement — but only using aggregated or de-identified data
One purpose is explicitly excluded: collecting data for targeted advertising based on cross-context behavioral profiling is not a permissible purpose. This would effectively make targeted advertising an opt-in activity — businesses could not collect data for targeted ads by default and would need consumer consent.
This data minimization framework is stricter than California's CPRA (which requires proportionality but allows broader disclosed purposes) and aligns more closely with Maryland's MODPA (which limits collection to what is "strictly necessary"). For businesses accustomed to collecting data speculatively and finding uses later, this would represent a fundamental shift in data strategy.
Sensitive Data Protections
APRA defines "sensitive covered data" and prohibits its collection unless the individual provides affirmative express consent (opt-in). The sensitive data categories include:
- Government-issued identifiers (SSN, passport, driver's license)
- Financial account information with credentials
- Biometric information
- Genetic information
- Precise geolocation data (within 1,850 feet)
- Health information including reproductive health
- Sexual orientation or sexual behavior
- Information about a known child under 17
- Private communications content
- Login credentials (username/password combinations)
- Information revealing race, ethnicity, national origin, religion, or union membership
- Calendar, address book, phone/text log, photos, or recordings from a personal device
- Browsing history, search history, or other online activity information linked to an individual
The inclusion of online browsing and search history as sensitive data is a significant departure from most state laws (which treat browsing data as regular personal information rather than sensitive data). If enacted, this would force businesses to obtain opt-in consent before tracking website behavior — effectively ending default behavioral tracking without consent for businesses covered by APRA.
Algorithmic Accountability
APRA includes algorithmic accountability provisions that would require covered entities to:
- Conduct impact assessments — perform evaluations of algorithms and automated decision-making systems that pose a "consequential risk" to individuals, covering housing, employment, credit, insurance, education, healthcare, and access to essential services
- Provide explanations — give consumers meaningful information about how algorithmic systems make decisions that significantly affect them
- Offer opt-out rights — allow consumers to opt out of consequential algorithmic decision-making and receive human review of decisions
- Evaluate for discrimination — assess whether algorithms produce disparate impacts on protected groups and take corrective action
These requirements mirror what California's CPPA has already begun implementing through its ADMT regulations and what Minnesota's MCDPA requires through its profiling transparency rights. The trend toward algorithmic accountability is accelerating regardless of whether APRA specifically passes.
The Preemption Debate
No APRA provision generated more political friction than preemption — the question of whether a federal law would override existing state privacy laws. This is the issue that has killed every previous federal privacy bill, and it remains the central obstacle today.
What APRA Would Preempt
Under the bill as drafted, APRA would preempt most state comprehensive privacy laws. This means laws like the CCPA/CPRA (most provisions), Virginia VCDPA, Colorado CPA, and the 17 other state privacy laws would be superseded by the federal standard. The intent is to eliminate the patchwork compliance burden of managing 20+ different state regimes.
What Would Be Preserved
APRA includes specific carve-outs that preserve:
- California CPRA employee and B2B data provisions — California's unique protections for employee personal information would survive
- Illinois BIPA — the Biometric Information Privacy Act's private right of action and specific biometric consent requirements would remain intact
- State consumer protection laws — state AG authority to bring actions under general consumer protection statutes (unfair and deceptive practices) would continue
- State data breach notification laws — all 50 states' breach notification requirements would remain in effect
- Sector-specific state laws — state laws governing health data (like Washington's My Health My Data Act), student records, financial data, and similar sector-specific statutes would be preserved
Why This Stalled the Bill
California's congressional delegation argued that preemption would weaken protections for California consumers, who currently benefit from the CCPA/CPRA's dedicated enforcement agency (CPPA), detailed rulemaking on ADMT and cybersecurity audits, and the "sharing" concept for cross-context behavioral advertising — none of which appear in APRA's framework. Industry groups, meanwhile, argued that without meaningful preemption, a federal law would just add another compliance layer on top of existing state requirements, defeating the purpose of a national standard.
The compromise attempted in APRA — targeted preemption with carve-outs — satisfied neither side completely. California wanted broader preservation of its law, and industry wanted broader preemption. This dynamic has not changed and will continue to shape any future federal privacy bill.
The Private Right of Action
APRA proposed allowing individuals to bring private lawsuits against businesses that violate their rights under the law, subject to certain conditions:
- Delayed implementation — the private right of action would not take effect until two years after APRA's enactment, giving businesses time to build compliance programs
- Statutory damages — individuals could recover between 100 and 750 dollars per violation, or actual damages, whichever is greater (matching California's existing breach private right of action range)
- Injunctive relief — courts could order businesses to stop violating privacy rights
- Attorney fees — prevailing plaintiffs could recover reasonable attorney fees and costs
- Scope — the PRA would cover all APRA violations, not just data breaches (broader than California's current PRA, which is limited to breach scenarios)
If enacted, this would create the broadest privacy-related private right of action in the United States. Currently, only California (limited to breaches), Vermont (effective 2026), and Maryland (effective 2027) offer any form of privacy PRA. A federal PRA covering all privacy violations would fundamentally change the risk landscape — it would create a plaintiffs' bar specializing in privacy litigation, similar to what happened with the ADA, TCPA, and Illinois BIPA.
The business community's primary objection is the potential for abusive class action litigation. Consumer advocates counter that without a PRA, enforcement depends entirely on under-resourced government agencies that cannot investigate every violation. This remains one of the two dealbreaker issues (alongside preemption) in federal privacy negotiations.
FTC Enforcement Under APRA
Regardless of the private right of action, APRA would significantly expand the Federal Trade Commission's privacy enforcement authority:
- Direct enforcement power — the FTC would gain the authority to enforce APRA provisions directly, including the ability to seek civil penalties for violations (the FTC's current authority under Section 5 is limited to unfair or deceptive practices and does not allow first-time penalties)
- Rulemaking authority — the FTC would issue implementing regulations, similar to the CPPA's role in California. This would allow the FTC to adapt requirements to new technologies (AI systems, IoT devices, etc.) without congressional action
- New Bureau — APRA proposed creating a new Bureau of Privacy within the FTC, dedicated to privacy enforcement, rulemaking, and compliance assistance
- State AG concurrent authority — state Attorneys General would retain the right to enforce APRA in their states, creating a dual enforcement model similar to California's CPPA + AG structure
The penalty structure under APRA would allow the FTC to impose civil penalties of up to approximately 50,000 dollars per violation (using the existing FTC Act civil penalty authority), with the per-violation multiplier applying across affected consumers. For a data practice affecting millions of consumers, this could translate to penalties in the hundreds of millions or billions of dollars.
Who Would Be Covered
APRA defines a "covered entity" broadly as any entity or person that determines the purposes and means of collecting, processing, retaining, or transferring covered data and is subject to the Federal Trade Commission Act. This includes most businesses, nonprofit organizations, and common carriers.
Small Business Exemption
APRA exempts "small businesses," defined as entities meeting all three of the following criteria:
- Annual gross revenue not exceeding 40 million dollars in the most recent three-year period
- Did not collect, process, or transfer the covered data of more than 200,000 individuals in the preceding calendar year (excluding data collected solely to complete a transaction)
- Did not derive revenue from transferring covered data to third parties
The 40 million dollar threshold is higher than California's 25 million dollars, potentially exempting more businesses. However, the 200,000-individual cap and the data-transfer-revenue exclusion narrow the exemption significantly — a small e-commerce company that shares customer data with advertising partners would not qualify regardless of revenue.
Large Data Holders
APRA creates additional obligations for "large data holders" — entities with annual revenue exceeding 250 million dollars or those that process the data of more than 5 million individuals (or 15 million devices). Large data holders would face:
- Mandatory privacy officer appointment
- Annual privacy impact assessments
- Algorithmic impact assessments for high-risk decision systems
- Biannual transparency reports describing data practices, consumer rights requests received, and compliance metrics
- Shortened response timelines for consumer rights requests
These additional requirements target the companies that process the most consumer data — primarily large tech companies, financial institutions, health systems, and retailers — creating a tiered compliance framework similar to GDPR's concept of data protection officers for large-scale processors.
Data Broker Registry
APRA would create a national data broker registry maintained by the FTC. Data brokers — defined as entities that collect and sell or share personal data of individuals with whom they have no direct relationship — would be required to:
- Register with the FTC annually
- Provide a clear and conspicuous mechanism for consumers to opt out of data collection and transfer
- Submit annual reports describing their data practices, categories of data collected, and categories of third parties to whom data is sold or shared
- Honor universal opt-out mechanisms like GPC
Several states including California, Vermont, Oregon, and Texas already have data broker registration requirements. A federal registry would consolidate these into a single system, reducing administrative burden for data brokers while creating nationwide transparency into the data brokerage industry.
How APRA Compares to Existing Standards
Understanding APRA's positioning relative to existing frameworks helps assess the practical compliance gap:
| Provision | APRA | CCPA/CPRA | GDPR |
|---|---|---|---|
| Data Minimization | Strong (reasonably necessary and proportionate) | Moderate (proportionate to purpose) | Strong (adequate, relevant, limited) |
| Lawful Basis Required | No (permissible purposes list) | No | Yes (6 bases including consent and legitimate interest) |
| Sensitive Data | Opt-in consent (broad definition including browsing history) | Opt-out limitation (narrower definition) | Opt-in consent (Article 9 special categories) |
| Targeted Ad Opt-Out | Explicit right | Part of opt-out of sale/sharing | Consent required for profiling in most contexts |
| Algorithmic Accountability | Impact assessments + consumer opt-out | ADMT regs (CPPA rulemaking) | DPIA + right not to be subject to automated decisions |
| Enforcement | FTC + state AGs + private right of action | CPPA + AG + limited breach PRA | DPAs + courts + broad PRA |
| Preemption | Partial (most state laws, with carve-outs) | N/A (state law) | Supersedes member state laws (with exceptions) |
| Small Business Exemption | Under 40M revenue + under 200K individuals | Under 25M revenue threshold | No blanket exemption (limited ROPA exception) |
| Cross-Border Transfers | Not addressed in detail | Not addressed | Extensive (SCCs, adequacy, BCRs, DPF) |
What Stalled APRA — And What Keeps Stalling Federal Privacy
Understanding why APRA stalled helps predict what future bills will look like and which compromises might eventually break the logjam:
Preemption Scope
California's delegation argued APRA would weaken consumer protections by overriding the CPPA's rulemaking authority, the CCPA/CPRA's "sharing" concept, and California-specific provisions on cybersecurity audits, data retention disclosures, and automated decision-making. Industry argued that without meaningful preemption, the federal law would add a compliance layer without simplifying the landscape. Neither side moved enough to reach agreement.
Private Right of Action Scope
Business lobbies argued that allowing private lawsuits for any APRA violation (not just breaches) would create an explosion of privacy class action litigation, citing the experience with Illinois BIPA where thousands of lawsuits have been filed and settlements have reached billions of dollars cumulatively. Consumer groups argued that without private enforcement, an understaffed FTC could not meaningfully police the entire economy. The two-year delay compromise was insufficient for the business community.
FTC Authority Concerns
Some lawmakers expressed concern about expanding FTC authority significantly during a period of political turnover, worried that a change in administration could lead to either over-aggressive or under-aggressive enforcement depending on political priorities. The bipartisan nature of APRA's introduction did not fully resolve concerns about executive branch enforcement discretion.
Timing and Legislative Priorities
APRA was introduced in an election year (2024), reducing the legislative window for complex negotiations. National security, economic policy, and other priorities consumed congressional bandwidth. The bill advanced through committee but did not receive floor time in either chamber before the session ended.
What Comes Next for Federal Privacy
APRA's framework will likely serve as the starting point for future federal privacy bills. Several scenarios are possible:
- APRA revival — the bill or a close variant gets reintroduced with enough modifications to address preemption and PRA concerns. This requires California agreeing to some level of preemption and business groups accepting some form of private enforcement
- Narrower federal bill — Congress passes a targeted federal law covering specific areas (children's privacy, AI accountability, data brokers) without attempting comprehensive coverage. This approach has more bipartisan support but would not simplify the state patchwork
- Executive action — the administration uses existing FTC authority and executive orders to impose privacy requirements on federal contractors and regulated industries without new legislation. This has limited scope but requires no congressional action
- Continued state-level expansion — without federal action, additional states continue enacting privacy laws. If New York, Pennsylvania, and other large states pass comprehensive laws, the compliance burden may eventually create enough business pressure to force a federal compromise
What Businesses Should Do Now
Even without APRA becoming law, the preparation steps align directly with current state law obligations and likely future requirements:
Data Minimization Audit
Review every data collection point and ask: is this data element reasonably necessary to provide the product or service the consumer requested? If the answer is no, stop collecting it. This satisfies California CPRA and Maryland MODPA today and prepares you for any federal data minimization mandate.
Algorithmic Impact Assessment
If you use automated systems that make consequential decisions (credit, employment, insurance, housing, healthcare access), conduct an impact assessment now. Document what data feeds the system, what decisions it makes, how it was tested for bias, and what human review process exists. California's CPPA already requires this; Minnesota's MCDPA requires transparency about profiling; and any federal law will include similar requirements.
Universal Rights Infrastructure
Build consumer rights fulfillment for the full seven-right menu: access, correct, delete, portability, opt-out of sale, opt-out of targeted ads, and opt-out of algorithmic decisions. This covers every existing state law and matches APRA's proposed rights framework.
Sensitive Data Inventory
Map all data elements against the broadest definitions of sensitive data — including APRA's proposed inclusion of browsing history and search history. If you are collecting browsing behavior without explicit consent, consider whether your data strategy can withstand a shift to opt-in requirements.
Data Broker Assessment
Determine whether any part of your business qualifies as data brokerage — collecting and selling or sharing data about individuals with whom you have no direct relationship. If so, register under applicable state data broker laws now and prepare for a potential federal registry.
PRA Risk Assessment
Evaluate your exposure to private litigation. If a federal PRA is enacted, which of your data practices could generate per-violation claims? Focus on high-volume, consumer-facing data practices where a single failure could affect millions of individuals. The statutory damages of 100 to 750 dollars per violation, multiplied across affected consumers, can produce nine-figure exposure rapidly.
The Bottom Line
The American Privacy Rights Act may not have become law yet, but its framework is not hypothetical — it reflects where US privacy regulation is heading. Every core APRA requirement already exists in at least one state law. Data minimization is live in California and Maryland. Algorithmic accountability is live in California and Minnesota. Universal opt-out is required in 13+ states. And the private right of action exists in California (for breaches), Vermont, and Maryland.
Businesses that wait for federal legislation before building their privacy programs are making a strategic mistake. The state-level requirements are here today, enforcement is escalating, and the gap between current state law and any future federal standard is narrow. Build for APRA's requirements now, and you are building for whatever comes next — whether that is APRA itself, a variant, or simply the continued expansion of state privacy laws toward the same destination.
