Federal Privacy Law Reaches 'Tipping Point'
Media analysis suggests 2026 will be a pivotal year for US data privacy, with momentum from state-level laws creating pressure for a federal framework. Experts in a recent panel noted a "potential tipping point" for comprehensive legislation. Anticipated focus areas for new rules include children's privacy, sensitive data categories like biometrics, and new enforcement mechanisms.
- The leading bipartisan proposal is the American Privacy Rights Act (APRA), introduced by former House Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Commerce Chair Maria Cantwell (D-WA) in April 2024. While it has not passed, it serves as a framework, building on a previous attempt from 2022, the American Data Privacy and Protection Act (ADPPA). - A primary driver for federal action is the growing "patchwork" of state-level laws; at least 19 states now have their own comprehensive privacy laws, creating compliance challenges for businesses operating nationwide. These state laws have notable differences in scope, applicability thresholds, and consumer rights. - Federal preemption of state laws remains a major sticking point in negotiations. Industry groups favor a single national standard, but states like California are resistant to a federal law that would weaken the stronger protections established by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). - The Federal Trade Commission (FTC) is positioned as the primary enforcer in most federal proposals, with plans to establish a new bureau dedicated to privacy. A significant point of debate is whether to grant individuals a "private right of action" to sue companies for violations, a provision included in the APRA draft that mirrors California's approach for data breaches. - On children's privacy, the FTC issued a final rule updating the Children’s Online Privacy Protection Act (COPPA) in 2025, with a compliance deadline of April 22, 2026. The updates expand the definition of personal information to include biometric identifiers and prohibit indefinite data retention. - Proposed federal legislation and existing state laws are expanding the definition of "sensitive personal information" to require explicit consumer consent for collection and processing. Categories often include biometric and genetic data, precise geolocation, and health information, with some states also including data related to an individual's reproductive health. - A key provision in the proposed American Privacy Rights Act is the creation of a national registry for data brokers, which would require them to publicly identify themselves and provide a "do not collect" mechanism for consumers. - Beyond legislative efforts, the executive branch has also taken action. A February 2024 executive order authorized the Attorney General to restrict large-scale transfers of Americans' sensitive personal data, including genomic and biometric data, to "countries of concern."
