A bipartisan group of legislators in Washington, D.C., recently released a discussion draft of a federal privacy bill — the American Data Privacy and Protection Act (ADPPA). This draft bill reaches compromise positions on two key issues that have been the largest obstacles to passing such legislation: state preemption and a private right of action. This discussion draft preempts most comprehensive state privacy laws and includes a narrow and limited private right of action. The compromises on these issues in the bill, however, are likely to draw criticism from both Democrats and Republicans, along with industry and privacy advocates.
With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190 into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law.1 The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.