2. Private right of action

An in-depth comparison between ADPPA (American Data Privacy and Protection Act) and the CALIFORNIA PRIVACY LAWS*
*CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

Result of comparison ADPPA California Privacy laws CCPA/CPRA
The right of action as set out by CCPA has a narrower application compared with the ADPPA right of action.
  • Delayed private right of action, which would go into effect two years after the ADPPA will be enacted. ADPPA will grant the right to seek compensatory damages, injunctive or declaratory relief for certain violations of the Act in federal court.
  • Individuals would be required to notify the FTC and state AGs of their intent to bring action. The FTC or state AGs would have 60 days to decide whether to intervene in the suit. Prior to filing suit against small data holders or for injunctive relief, an individual must provide the covered entity with 45 days’ written notice identifying the alleged violations. Covered entities would be provided with 45 days to cure the alleged violation.
  • Individuals would not be permitted to bring an action against a covered entity that: has less than $25 million in annual revenue; collects, processes, or transfers the covered data of fewer than 50,000 individuals; or derives less than 50% of its revenue from transferring covered data.
  • Individuals may exercise a private right of action only in case of data breaches caused by businesses. ADPPA does not preempt the above mentioned right.