A coalition of 18 state governors filed a formal legal challenge against proposed federal data privacy regulations, arguing the rules would preempt stronger state privacy laws already protecting millions of Americans. The coalition, led by the governors of California, Colorado, Connecticut, and Virginia, states with existing comprehensive privacy statutes, contends the federal proposal creates a weaker privacy floor while eliminating states’ ability to set higher standards. If you use the internet, share personal data with companies, or live in a state with existing privacy protections, this legal battle will determine whether your privacy rights are set by Washington or your state legislature. Here is what the federal proposal contains, why governors are pushing back, and what the outcome means for your data privacy.

The Federal Proposal at a Glance

  • The American Data Privacy and Protection Act (ADPPA) establishes national standards for how companies collect, use, and share personal data.
  • The law would preempt state privacy laws, replacing California’s CCPA/CPRA, Virginia’s CDPA, Colorado’s CPA, and 14 other state statutes with a single federal standard.
  • Consumer rights under the federal law include data access, correction, deletion, and portability, with opt-out rights for targeted advertising.
  • The proposal does not include a private right of action, meaning individuals cannot sue companies directly for privacy violations. Enforcement rests with the FTC and state attorneys general.
  • Compliance thresholds exempt businesses with fewer than $25 million in annual revenue or those processing data from fewer than 50,000 individuals.

Why Governors Are Fighting Back

The core dispute is preemption. The federal ADPPA explicitly overrides all state privacy laws upon enactment. The governors’ coalition argues this creates a race to the bottom: the federal standard is weaker than existing state laws in several critical areas. California’s CPRA, the strongest state privacy law, includes provisions absent from the federal proposal: a private right of action for data breaches, restrictions on “dark patterns” (deceptive design practices compelling consent), a dedicated privacy enforcement agency (the California Privacy Protection Agency), and stricter rules on sensitive data categories including precise geolocation, biometric information, and children’s data.

The governors’ legal challenge argues the Constitution’s Tenth Amendment reserves to states the authority to set consumer protection standards above federal minimums. Their brief cites historical precedent in environmental law, food safety, and financial regulation, where federal standards establish a floor but states retain authority to impose stricter requirements.

The Industry Perspective

Technology companies and business advocacy groups strongly support federal preemption. Companies operating nationally must currently comply with up to 17 different state privacy laws, each with distinct definitions, consent requirements, and enforcement mechanisms. The compliance cost for a mid-size technology company averages $1.8 million annually for multi-state privacy law compliance, according to the Information Technology Industry Council. A single federal standard reduces compliance complexity and cost.

“A company serving customers in 50 states should not need 17 different privacy compliance programs. Federal preemption is not about weakening privacy. It is about creating consistent, enforceable standards every American recognizes and every company follows uniformly.” , Victoria Espinel, CEO, BSA | The Software Alliance

Where the Federal Law Falls Short of State Standards

The governors’ filing identifies four areas where the federal proposal provides weaker protection than existing state laws. First, the absence of a private right of action means consumers harmed by privacy violations must rely on the FTC or state attorneys general to pursue enforcement. The FTC’s enforcement capacity is limited: the agency employs approximately 300 staff in its privacy and data security division, responsible for overseeing privacy compliance by millions of companies. California’s CPRA allows consumers to sue companies directly for data breaches without waiting for government enforcement action.

Second, the federal proposal’s definition of “sensitive data” is narrower than California’s and Colorado’s definitions. The federal law covers Social Security numbers, financial account data, health information, and biometric identifiers. California’s CPRA additionally covers precise geolocation data, mail contents, genetic data, and union membership. Colorado covers any data revealing racial, ethnic, or religious characteristics.

Enforcement and Penalties

Third, the federal penalty structure is weaker than several state laws. The ADPPA imposes fines of up to $46,517 per violation through FTC enforcement. California’s CPRA allows fines of $7,500 per intentional violation with no cap on total penalties, and the private right of action allows statutory damages of $100 to $750 per consumer per incident in data breach cases. For a breach affecting one million consumers, the California exposure exceeds $100 million. The federal exposure for the same breach, pursued by the FTC, would likely result in a settlement significantly below that figure based on FTC enforcement history.

Fourth, the federal law exempts small businesses below $25 million in revenue or 50,000 data subjects. State laws use lower thresholds: California’s CPRA applies to businesses processing data from 100,000 or more consumers, with no revenue exemption for the data processing threshold. The higher federal exemption leaves millions of consumers’ data unprotected by companies falling between state and federal thresholds.

The governors’ challenge rests on three constitutional grounds. First, the Tenth Amendment reserves to states powers not delegated to the federal government, and consumer privacy regulation has historically been a state function. Second, the Commerce Clause, while granting Congress broad authority over interstate commerce, does not authorize Congress to weaken existing state-level consumer protections. Third, the preemption clause in the ADPPA is overly broad, preempting not just direct privacy regulations but related state laws on data breach notification, consumer protection, and unfair business practices.

The federal government counters that the Commerce Clause provides clear authority for national data privacy standards because personal data flows across state borders continuously through internet commerce. The government argues a patchwork of state laws creates compliance burdens constituting barriers to interstate commerce, justifying federal preemption under established Supreme Court precedent.

What Happens Next

The legal challenge will proceed through federal district court with a preliminary hearing scheduled within 90 days. The case is likely to reach a federal appeals court and potentially the Supreme Court, given the constitutional questions involved. The timeline for a final resolution spans two to four years.

Meanwhile, the ADPPA remains in congressional committee. Passage requires resolving the preemption dispute, with three possible outcomes. First, Congress passes the bill with full preemption, triggering immediate legal challenges and years of litigation. Second, Congress modifies the bill to allow states to maintain privacy protections exceeding the federal standard, satisfying the governors’ coalition but reducing the compliance simplification sought by industry. Third, Congress fails to pass any federal privacy legislation, and the state-by-state approach continues expanding as more states adopt comprehensive privacy laws.

What This Means for Your Privacy

If you live in California, Colorado, Connecticut, Virginia, or another state with comprehensive privacy laws, the federal proposal would reduce your current protections unless the governors’ challenge succeeds or Congress modifies the preemption provision. If you live in a state without a privacy law, the federal proposal would provide new protections you currently lack.

Regardless of the legal outcome, the debate is pushing privacy rights to the center of American policy discussion. Whether your privacy is protected by your state, the federal government, or both, the volume of personal data companies collect about you grows every year. Understanding what data companies hold, exercising your existing opt-out rights, and supporting the privacy standard you believe best protects your interests are actions available to you now, before the courts and Congress reach their conclusions.