On June 21, the American Data Privacy and Protection Act, a federal comprehensive data privacy bill, was introduced in the House by Reps. Frank Pallone, D-N.J., Cathy McMorris Rodgers, R-Wash., Janice Schakowsky, D-Ill., and Gus Bilirakis, R-Fla. The legislation was voted out of the House Energy and Commerce Committee on July 20.

The current draft bill divides covered organizations into categories that determine their compliance obligations. Depending on their size, “covered entities” may have enhanced (“large data holders”) or relaxed (“small businesses”) compliance requirements. The bill also specifies requirements based on an organization’s relationship to covered data, such as whether it was a “third party,” “third-party collecting entity,” or “service provider.”

As the bill continues its way through the legislative process, tracking how the bill applies to different types of organizations helps us understand how policymakers are thinking about the privacy landscape.

This IAPP table aims to present a high-level breakdown of the bill’s structure and a snapshot of how various types of covered entities are mentioned in each section of the bill. A check mark indicates explicit coverage for the entity type. A plus or minus sign indicates additions or subtractions in prescribed requirements compared with other entity types. “X” indicates an explicit exemption. An empty cell indicates the entity type is likely to be required to comply with the section’s requirements (as a “covered entity,” in general).

The IAPP Resource Center also includes the "US Federal Privacy Legislation Tracker."