The Gap That Keeps Growing
The United States has no comprehensive federal privacy law. That sentence should be remarkable in 2026. It is not. It has been true for decades, and the political machinery that keeps it true is operating exactly as designed.
This is not an oversight. The European Union passed the General Data Protection Regulation, which took full effect in 2018. Brazil enacted the Lei Geral de Proteção de Dados in 2020. Canada has been reforming PIPEDA toward a modern framework. The US has HIPAA for health data, COPPA for children's data, FERPA for education records, and a balkanized collection of state laws that no compliance team can navigate consistently.
The result is a federal privacy law vacuum that data brokers, advertising platforms, and data aggregators have monetized aggressively. Understanding why that vacuum persists requires examining the specific legislative failure of the American Data Privacy and Protection Act, the lobbying infrastructure behind its collapse, and what the state-level response actually accomplishes.

What the ADPPA Actually Said
The American Data Privacy and Protection Act was the most serious attempt at comprehensive federal privacy legislation in US history. It passed out of the House Energy and Commerce Committee in 2022 with a 53-2 vote, a bipartisan margin that seemed genuinely historic.
The bill proposed a national data minimization standard, requiring covered entities to collect only data that is reasonably necessary for a defined purpose. It would have established data subject rights modeled loosely on GDPR: the right to access, correct, delete, and port personal data. It included a private right of action after a four-year delayed implementation window. And it placed loyalty duties on covered entities, a novel legal construct that would have prohibited using data in ways that harm the individual who provided it.
For technologists, the substance was serious. The bill defined "sensitive covered data" to include precise geolocation, biometric information, genetic data, health data and private communications. It required data minimization at the category level, not just at the aggregate. That is architecturally meaningful because it limits what can be collected at intake rather than relying entirely on downstream consent management.
The bill died in the House without a floor vote. It was never brought to the Senate. The reasons are instructive.

The Preemption Fight That Killed the Bill
Federal preemption is the legal doctrine under which federal law supersedes conflicting state law under the Supremacy Clause of the Constitution. In privacy policy, preemption is not a technical detail. It is the entire ideological battlefield.
California opposed the ADPPA primarily because its preemption provisions would have overridden the California Consumer Privacy Act and the California Privacy Rights Act in several material respects. The CPRA, amended and strengthened through voter initiative, created the California Privacy Protection Agency as an independent enforcement body with rulemaking authority. California's position was that federal floor-setting should not strip states of the ability to exceed that floor.
The ADPPA included some carve-outs for stronger state protections in specific categories. Civil rights protections, certain employee data provisions and a handful of sector-specific rules were preserved. But the core consumer rights framework would have been federally preempted, and California's legislative delegation refused to accept that outcome.
This is a genuine structural tension, not just California protecting its turf. If federal law sets a ceiling rather than a floor, the political economy tilts toward the regulated industry, which has far more concentrated lobbying power at the federal level than consumer advocates have at any level. States like California, Colorado and Virginia have demonstrated that they can move faster and with more specificity than Congress. Locking in federal standards that lag current best practices locks in weakness by design.
The counter-argument, made sincerely by some privacy scholars, is that a patchwork of 50 state frameworks creates genuine compliance impossibility for smaller covered entities and ultimately harms innovation in ways that hurt consumers too. That argument has merit. It does not resolve the preemption impasse, but it is not cynical.

Industry Lobbying and the Legislative Graveyard
The preemption debate was real. The lobbying campaign layered on top of it was decisive.
The advertising technology sector has a structural interest in federal preemption at a weak standard because it collapses the compliance surface to a single, lobbyist-friendly federal framework. The data broker industry, which generates billions annually from the resale of personal information, has an obvious interest in blocking any framework that includes meaningful data minimization or a private right of action.
The private right of action provision in the ADPPA drew the most intense industry opposition. The US Chamber of Commerce, major tech industry trade associations and individual large-cap technology companies lobbied extensively against it. Their stated concern was litigation exposure from frivolous suits. The structural reality is that a private right of action is the enforcement mechanism that makes data subject rights real. Without it, enforcement depends entirely on underfunded federal and state agencies.
The Federal Trade Commission, which would have had primary enforcement authority under the ADPPA, has a modest budget relative to the entities it would regulate. The FTC has brought significant privacy enforcement actions under the FTC Act's Section 5 prohibition on unfair or deceptive practices, but its authority is bounded and its resources are finite. Removing the private right of action from a comprehensive privacy bill means removing the mechanism that scales enforcement beyond what any agency budget can accomplish.
As a nonprofit working on personal data ownership infrastructure, Own Your Data Inc. tracks this legislative environment closely because the absence of a federal privacy law directly affects whether individuals can assert meaningful ownership rights over their own information. The PDAOS white paper published at mydatakey.org outlines why proof-of-ownership architecture has to operate independent of legislative outcomes.

What States Are Building Instead
In the absence of federal action, states have been legislating at an accelerating pace. As of 2026, more than a dozen states have enacted comprehensive consumer privacy laws. Virginia's Consumer Data Protection Act, Colorado's Privacy Act, Connecticut's Data Privacy Act, Texas's Data Privacy and Security Act and others have created a framework landscape that is genuinely complex to navigate.
These laws share a common architecture drawn loosely from the GDPR: controllers and processors, data subject rights, purpose limitation, sensitive data categories requiring opt-in consent. But they differ on enforcement mechanisms, threshold definitions, exemptions and the specific categories of sensitive data covered. Virginia has no private right of action. Colorado's Attorney General has enforcement authority with a cure period. California's CPPA can levy fines per violation.
For a mid-size company operating nationally, compliance with this patchwork is a genuine operational burden. For a large platform with dedicated legal and engineering resources, it is a manageable cost of business. For a small startup, it can be disorienting. This asymmetry is one of the more honest arguments for federal preemption at a high standard, though it has been used cynically to argue for federal preemption at a weak standard.
The state laws also have meaningful gaps. Data brokers are addressed unevenly. California and Vermont have specific data broker registration requirements. Most states do not. The secondary and tertiary markets for personal data, where aggregated profiles are assembled from dozens of source datasets, operate largely outside the scope of laws designed around the controller-subject relationship.

How the US Compares to GDPR Architecturally
The GDPR is a rights-based framework grounded in the Charter of Fundamental Rights of the European Union, which treats data protection as a fundamental right. That constitutional grounding matters enormously because it establishes the baseline interpretive posture: data protection restrictions on commercial activity are presumptively valid, and the burden falls on data controllers to justify their processing.
US privacy law inverts this. The default is that data collection and use are permissible absent a specific prohibition. Consent in most US frameworks is opt-out rather than opt-in. The ADPPA included opt-in consent requirements for sensitive data, which was a genuine departure from the US default, but the general data minimization standard would still have been weaker than GDPR's lawful basis requirements.
GDPR's accountability architecture also differs materially. Data protection officers are mandatory for certain processing activities. Data protection impact assessments are required for high-risk processing. Records of processing activities must be maintained and can be inspected. These are engineering and governance requirements, not just legal commitments. The US state frameworks impose some analogous requirements but with far less specificity and less developed regulatory guidance from supervisory authorities.
The technical community working on privacy-preserving infrastructure, differential privacy implementations, federated learning deployments and cryptographic consent mechanisms has largely had to design around regulatory ambiguity rather than toward regulatory clarity. GDPR created a compliance target that drove engineering investment. The US patchwork creates a compliance landscape that favors legal minimalism over technical excellence.

Why Treating Data as Property Changes the Calculus
Most privacy law frameworks are rights-based rather than property-based. They establish what you can require controllers to do with your data, not what rights you hold in the data itself. That distinction is not semantic.
A property framework for personal data would establish that data about you originates with you as an asset. Controllers who process it without authorization are not merely violating a regulatory obligation. They are using an asset they do not own. The remedies, enforcement mechanisms and standing doctrines that follow from a property theory differ materially from those that follow from a rights-only framework.
The PDAOS model developed by Own Your Data Inc. is built on this premise. The Personal Data Asset Origination System creates cryptographically verifiable, timestamped certificates that establish when an individual first generated or submitted a specific piece of personal information. This is provenance documentation for data, not security for data. The distinction matters: MyDataKey™ is not a vault. It is a chain-of-custody record that proves ownership originated with you.
In a legal landscape where property rights in personal data are not recognized by federal statute, these certificates function as evidentiary infrastructure for future claims and as a practical assertion of ownership independent of any regulatory framework. You can learn more about how the system works at mydatakey.org/geeking/.

What You Can Do While Congress Stalls
Waiting for federal legislation is not a privacy strategy. The political dynamics described above are structural, not incidental. The preemption fight will recur with any serious federal bill. Industry opposition to a private right of action will recur. The asymmetry between concentrated industry lobbying power and diffuse consumer interests does not resolve itself.
Practically, this means building personal data infrastructure that operates independently of the legislative calendar. Your state law rights are real and exercisable now. If you are in a state with a comprehensive privacy law, you have the right to access, correct and delete data held by covered entities. Exercising those rights requires knowing who holds your data.
Data broker opt-out is a starting point. The opt-out tools at mydatakey.org are built for people who want to reduce the secondary market footprint of their personal information. That is distinct from, but complementary to, establishing ownership documentation through MyDataKey™ certificates.
The longer-term bet is on a legal environment where provable data provenance matters. Whether that comes through federal property rights legislation, expanded state protections or litigation establishing novel standing theories, the individuals who have documented their data ownership history will be better positioned than those who did not. Establishing that documentation now, at mydatakey.org/signup/, costs nothing to start and creates a record that cannot be retroactively established.
The US will have a federal privacy law eventually. The question is whether it will be designed to protect individuals or to protect the industry infrastructure built on the absence of one. That outcome is not yet determined. The state-level activity, the ADPPA's near-passage and the growing body of international regulatory pressure all suggest the window is narrowing for the current data economy to operate unchanged. The people best positioned for that shift are the ones who treated their data as an asset before the law required anyone else to.