Privacy Guide · June 15, 2026 · 10 min read

Understanding the American Privacy Rights Act (APRA)

By Sarah Chen

Head of Privacy Research

The United States remains one of the only major democracies without a comprehensive federal privacy law. The American Privacy Rights Act (APRA) was the most serious attempt to change that — a bipartisan bill that advanced further through Congress than any previous effort before stalling in 2024. Understanding what APRA proposed, why it failed, and what comes next matters for anyone who cares about digital privacy.

What Is the American Privacy Rights Act?

The American Privacy Rights Act (APRA) was a bipartisan federal privacy bill introduced in April 2024 by Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA). Its goal was ambitious: to create a single, comprehensive federal framework for data privacy that would establish baseline protections for every American, regardless of which state they live in.

APRA cleared the House Energy and Commerce Committee in a bipartisan vote — a milestone that no previous comprehensive federal privacy bill had achieved. However, the bill never reached a full floor vote in either chamber. It expired in January 2025 at the close of the 118th Congress and has not been reintroduced as of mid-2026.

Key Provisions of APRA

Though APRA did not become law, its provisions represent the high-water mark of federal privacy legislation in the U.S. and will likely serve as the starting point for any future federal privacy bill.

Data Minimization

APRA would have required companies to collect and process only personal data that is necessary, proportionate, and limited to providing or maintaining a specific product or service requested by the user. This is a fundamental shift from the current approach, where most companies collect as much data as they can and figure out how to monetize it later.

Consumer Rights

The bill would have granted Americans a suite of privacy rights similar to those enjoyed by Europeans under the GDPR:

  • Right to access: See what personal data a company holds about you
  • Right to correct: Fix inaccurate personal information
  • Right to delete: Request that a company remove your personal data
  • Right to portability: Export your data in a usable format
  • Right to opt out: Decline targeted advertising and data sales to third parties

Data Broker Registration and Opt-Out

APRA would have required data brokers to register with the Federal Trade Commission (FTC) and maintain a centralized mechanism for consumers to opt out of data collection and sales. This provision was particularly significant — it would have given Americans a single place to stop data brokers from selling their personal information, rather than requiring individual opt-out requests to hundreds of separate brokers.

Algorithmic Decision-Making Protections

If a company uses an algorithm to make a "consequential decision" — such as determining access to housing, employment, healthcare, insurance, or education — APRA would have given individuals the right to opt out of automated processing and request human review.

Protections for Sensitive Data

The bill created heightened protections for categories of sensitive data including biometric information, precise geolocation data, health information, financial data, data about minors, and private communications. Companies would have needed affirmative consent before collecting or processing sensitive data.

Private Right of Action

APRA included a private right of action — meaning ordinary people could sue companies directly for privacy violations, not just rely on government regulators. For claims involving minors or substantial privacy harm, the bill would have made pre-dispute arbitration agreements unenforceable, allowing individuals to pursue their cases in federal court.

Why a Private Right of Action Matters

Without a private right of action, enforcement depends entirely on government agencies like the FTC, which have limited resources. A private right of action lets individuals hold companies accountable directly in court, creating a much stronger incentive for businesses to respect privacy rights. This was one of the most debated provisions of APRA — industry groups lobbied heavily against it.

How APRA Compares to Existing Laws

APRA vs. State Privacy Laws (CCPA, etc.)

As of mid-2026, twenty U.S. states have comprehensive privacy laws in effect, with California's CCPA/CPRA being the strongest. APRA aimed to replace this patchwork with a single federal standard.

This is where the bill's most controversial provision came in: federal preemption. APRA would have superseded most state privacy laws, including core provisions of California's CCPA. The bill included exceptions for data breach notification laws, employee privacy statutes, health data rules, and general consumer protection laws — but it would have overridden the CCPA's most distinctive protections.

The California Privacy Protection Agency (CPPA) publicly opposed the bill, arguing that Congress should set a privacy "floor" (minimum standard) rather than a "ceiling" (maximum standard) — allowing states to provide stronger protections if they choose. This preemption dispute was one of the key factors that prevented APRA from advancing.

APRA vs. the GDPR

APRA drew heavily from the EU's General Data Protection Regulation in its approach to consumer rights and data minimization. Key differences: the GDPR requires opt-in consent while APRA relied on opt-out; the GDPR empowers data protection authorities in every member state while APRA would have relied on the FTC plus a private right of action; and GDPR fines can reach 4% of global annual revenue, far exceeding APRA's penalty structure. Still, APRA would have been a massive improvement over the current U.S. landscape, where most Americans have no meaningful federal privacy rights.

The Cost of Inaction

Without a federal privacy law, Americans' protections depend entirely on which state they live in. Residents of California, Colorado, Connecticut, and other states with privacy laws have basic data rights. Residents of the remaining states have almost none. Data brokers continue to collect and sell personal information — including home addresses, financial records, and browsing history — with virtually no federal regulation. Until Congress acts, services like PrivacyOn remain one of the few practical tools for taking back control of your personal data.

Why APRA Failed

Despite historic bipartisan support, APRA stalled for several interconnected reasons:

  • The preemption fight: California and its allies in the privacy advocacy community refused to accept a federal law that would weaken their existing protections. Industry groups, meanwhile, insisted on preemption to avoid complying with a patchwork of state laws.
  • Private right of action opposition: Business lobbies pushed back hard against allowing individuals to sue companies directly, arguing it would create a litigation flood. Consumer advocates considered it non-negotiable.
  • Political timing: The bill advanced during an election year, and legislative attention shifted to other priorities as the 2024 campaign intensified.
  • Industry lobbying: Tech companies and data brokers invested heavily in lobbying against the bill's strongest provisions, particularly data minimization requirements and the private right of action.

What Happens Next?

As of mid-2026, comprehensive federal privacy legislation has not been reintroduced, and the current administration has not signaled it as a priority. In the absence of federal action, two trends are accelerating:

State Laws Continue to Expand

States are not waiting for Congress. Twenty states now have comprehensive privacy laws in effect, and more are actively considering legislation. However, this state-by-state approach creates an uneven patchwork — your privacy rights literally change depending on where you live.

Executive Action on Data Security

The federal government has taken targeted action through the Department of Justice's Data Security Program (DSP), which restricts cross-border transfers of bulk sensitive personal data to "countries of concern." This addresses the national security dimension of data brokerage but does nothing for everyday consumer privacy.

What This Means for You

The failure of APRA underscores a difficult reality: meaningful federal privacy protection is not coming soon. In the meantime, your personal data remains available for sale on hundreds of data broker sites, and your rights to control it depend entirely on your state of residence.

Here is what you can do right now to protect yourself:

  • Use a data removal service: Services like PrivacyOn actively monitor and remove your personal information from 100+ data broker sites — doing automatically what APRA's data broker registry would have made easier
  • Exercise your state rights: If you live in a state with a privacy law (California, Colorado, Connecticut, Virginia, and others), use your right to request data deletion from companies
  • Enable Global Privacy Control (GPC): This browser setting automatically signals websites to stop selling your data — recognized in California and several other states
  • Opt out of data sales manually: Major data brokers like Spokeo, WhitePages, BeenVerified, and others have opt-out pages, though the process is time-consuming and temporary
  • Support privacy legislation: Contact your congressional representatives and let them know federal privacy protection matters to you

The Bottom Line

The American Privacy Rights Act represented the closest the United States has ever come to comprehensive federal privacy legislation. Its failure leaves Americans relying on an inconsistent patchwork of state laws while data brokers operate with minimal federal oversight. Until Congress acts, individuals must take privacy into their own hands — through state-level rights, browser tools like Global Privacy Control, and data removal services that scrub your information from the broker ecosystem.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
