Scope of the draft American Data Privacy and Protection Act

On June 21, 2022, the American Data Privacy and Protection Act, a federal comprehensive data privacy bill, was introduced in the House by Reps. Frank Pallone, D-N.J., Cathy McMorris Rodgers, R-Wash., Janice Schakowsky, D-Ill., and Gus Bilirakis, R-Fla. The legislation was voted out of the House Energy and Commerce Committee on July 20.

The draft bill divides covered organizations into categories that determine their compliance obligations. Depending on their size, “covered entities” may have enhanced (“large data holders”) or relaxed (“small businesses”) compliance requirements. The bill also specifies requirements based on an organization’s relationship to covered data, such as whether it was a “third party,” “third-party collecting entity,” or “service provider.”

Tracking how the bill applies to different types of organizations helps us understand how policymakers are thinking about the privacy landscape.

ADPPA legislative documents

• As introduced in the House on June 21, 2022
• As voted out of the House Energy and Commerce Committee on July 20, 2022
• Comparison showing changes between the June 21 and July 20 drafts

This IAPP table aims to present a high-level breakdown of the bill’s structure and a snapshot of how various types of covered entities are mentioned in each section of the bill. A check mark indicates explicit coverage for the entity type. A plus or minus sign indicates additions or subtractions in prescribed requirements compared with other entity types. “X” indicates an explicit exemption. An empty cell indicates the entity type is likely to be required to comply with the section’s requirements (as a “covered entity,” in general).

The IAPP Resource Center also includes the US Federal Privacy Legislation Tracker, which organizes privacy-related bills proposed in the U.S. Congress to keep our members informed of developments within the federal privacy landscape.