US Federal Privacy Law

The legislative process for passing the first federal Data Privacy and Protection Act in the US (ADPPA) has advanced rapidly in the country’s House of Representatives.

On June 23, the bill was formally introduced in the House, after a 3-hour session of expert discussions. The bill was presented by 3 Republican deputies and 2 Democrat deputies, showing interest from both parties in the subject. There is an expectation that the act will be voted on and enacted before the end of 2022.

The purpose of this new legislation is to ensure that, regardless of the state in which they reside, the consumer will have a uniform right to the protection, collection and use of their personal data. This represents a major step forward for data protection in the country, considering that only 5 US states have comprehensive legislation on the subject, the best known being the California CCPA.

The bill adopts the concept of covered data , similar to that present in the GDPR and LGPD, comprising “any information alone or in conjunction with other information that identifies or is linked to an individual or a device owned by that individual”. The Act even adopts the concept of sensitive covered data , such as government-issued identifiers, social security numbers, financial account numbers, precise geolocation, information about race and sexuality, consumer habits, online activities, private communication, information related to individuals under the age of 17, among others. However, the bill excludes employee data and publicly available data from coverage of the Act.

For GDPR, the legislation in force in Europe, the concept of “personal data” is very close to what is being proposed in the US, but the exceptions provided for in the American bill do not apply to European legislation. In the LGPD, Brazilian legislation, personal data is information related to an identified or identifiable individual, not encompassing the devices owned by it, and, similarly to the GPDR, there are no exceptions regarding employee data and publicly available information.

In addition, ADPPA will only ensure protection for American residents, while for GDPR and LGPD, data protection falls on residents of the countries in which they are in force and on all those who have their data collected and processed in their territories in force.  Another difference to be pointed out is regarding the covered entities, which, according to the ADPPA, must meet minimum requirements and do not include government bodies. In accordance with both the GDPR and the LGPD, its rules apply to any individual or legal entity that meets the requirements of the Act, including public bodies and public administration entities in general among the addressees of the rule and who, therefore, must also suit it.

If you are interested in delving into the subject of data protection from a comparative perspective, be sure to consult our CCPA – GDPR – LGPD Comparative Guide, which details the main similarities and differences between the legislation on the subject in force in California, in European Union and Brazil.

For more information, visit

Written by Fernando Borges and Luane Oliveira

Scroll to Top