What the ADPPA means for your marketing measurement strategy

Every building code that's ever been written was drafted after someone built something that shouldn't have been. The same logic applies to data privacy regulation. The rules take shape slowly, then all at once, and the brands that waited to pour a new foundation are the ones scrambling when inspectors show up.

The American Data Privacy and Protection Act—better known as the ADPPA—hasn't been signed into law yet. But it represents the clearest federal signal the US has ever sent about where data collection is headed. For marketing teams, that signal isn't just about compliance. It's about which measurement tools are still going to work when the regulatory ground shifts beneath them. Brands that treat this as a legal problem to hand off to their lawyers are missing the bigger picture: the ADPPA is a measurement problem first, and the time to address it is before it becomes a mandate.

Key takeaways

• The ADPPA is a proposed federal privacy law designed to establish foundational data privacy rights for US consumers and create strong oversight mechanisms and meaningful enforcement across every state
• The bill passed the House Energy and Commerce Committee 53–2 in July 2022 but hasn't advanced to a full House vote; as of early 2026, the US still lacks a comprehensive federal data privacy law
• The ADPPA would restrict how covered entities collect, process, and transfer covered data, including the individual-level tracking most digital attribution tools depend on
• Multi-touch attribution and pixel-based measurement are most exposed to the ADPPA's data minimization and targeted advertising provisions because they require individual user tracking to function
• Marketing mix modeling (MMM) works with aggregated, compliant first-party data rather than individual user tracking, making it structurally compatible with privacy-forward regulation
• The ADPPA explicitly carves out an exception for ad performance measurement data; brands will still be allowed to measure how their advertising performs, just not through tools that rely on prohibited data collection methods
• The state-level privacy patchwork is already degrading attribution data today; the ADPPA would formalize and nationalize that reality, not introduce something new

What is the ADPPA?

The United States has never had a comprehensive federal data privacy law. Instead, data privacy and protection has been left to individual states, which have each approached it differently. California led with the CCPA, and as of early 2025, more than 20 states have enacted their own consumer privacy laws. The result is an increasingly complex patchwork of state laws that covered entities have to navigate simultaneously, each with slightly different definitions, rights, and enforcement mechanisms.

The ADPPA was introduced to change that. It's a bipartisan, bicameral proposal designed to establish a single national framework for how organizations collect, process, and transfer covered data. At its core, the bill aims to give consumers foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement, all backed by the Federal Trade Commission and state attorneys general.

Key provisions brands should know about

The ADPPA's reach is broader than most marketing teams realize. Unlike state-level laws that often exempt small businesses or nonprofits, the ADPPA applies to most covered entities, including nonprofit organizations and companies of all sizes. Here's what the bill's main provisions actually mean in practice:

Data minimization is the ADPPA's organizing principle. Covered entities would only be allowed to collect, process, and transfer data that is "reasonably necessary, proportionate, and limited" to delivering a service the consumer actually requested. Crucially, advertising and marketing are not themselves a permitted reason to collect data, meaning companies couldn't collect personal information for the purpose of targeting ads. They could only use covered data previously collected for other permitted purposes.

Targeted advertising would face significant new restrictions. The bill limits how covered entities can use personal data for ad targeting, prohibits targeted advertising to users under 17, and restricts data transfers to third-party collecting entities for targeting purposes. Contextual advertising—ads based on content rather than individual user profiles—would be largely unaffected, and some analysts expect it to gain ground as targeted advertising faces tighter constraints.

Individual rights are central to the bill. Consumers would have the right to access, correct, delete, and export their covered data. They'd also gain a right to opt out of targeted advertising and data transfers to third parties. Data brokers would face additional obligations, including registration requirements and compliance with a "Do Not Collect" registry similar to the existing Do Not Call list.

Sensitive data—including health information, precise geolocation, biometrics, and financial data—would receive heightened protections requiring affirmative express consent before it could be shared with any third party.

Enforcement would sit primarily with the Federal Trade Commission Act, though state attorneys general and, in California's case, the California Privacy Protection Agency would also have authority to act. A private right of action would take effect two years after the law's enactment, allowing individuals to sue covered entities for data security violations and other breaches.

Preemption is one of the ADPPA's most consequential provisions for businesses operating nationally. The bill would generally override existing state laws governing privacy, creating a single federal standard. That would end the current compliance scramble, but it's also one of the reasons the bill has faced political resistance from states like California that have invested heavily in their own privacy frameworks.

Where the ADPPA currently stands

Despite strong bipartisan momentum in committee, the ADPPA has not been enacted into law. The bill passed the House Energy and Commerce Commerce Committee 53–2 in July 2022—the furthest any comprehensive federal data privacy law has ever advanced in Congress—but it hasn't received a full House vote. Key objections centered on preemption and enforcement, and a successor bill, the American Privacy Rights Act of 2024 (APRA), also stalled before reaching a vote.

As of early 2026, the US federal data privacy landscape remains fragmented. That said, the regulatory direction this bill represents hasn't wavered: more than 20 states have enacted comprehensive consumer privacy laws, and that number continues to grow. The ADPPA would create a unified ceiling; in its absence, brands are navigating an expanding floor of state-by-state requirements.

Why this matters for marketing measurement

The practical challenge is both legal compliance and that the data collection practices most digital measurement tools depend on are exactly what the ADPPA targets. Brands that recognize this now have a window to build measurement infrastructure that doesn't need to be rebuilt the next time a law passes or a platform changes its data-sharing policies.

The measurement tools most at risk

Multi-touch attribution works by tracking individual users across touchpoints—across sessions, devices, and third-party websites—and assigning credit for conversions based on those tracked interactions. That individual-level tracking is precisely what the ADPPA's data minimization and targeted advertising provisions are designed to restrict. The personal data the ADPPA covers specifically includes "unique persistent identifiers," a category that encompasses the cookies, device IDs, and pixel-based tracking mechanisms that MTA tools rely on.

The ADPPA does carve out an explicit exception for ad performance measurement data. Brands are still permitted to measure the performance of their advertisements through tracking views, clicks, and cost-effectiveness calculations. But there's a meaningful distinction between that kind of aggregate performance reporting and the granular, user-level data pipelines that sophisticated attribution vendors use to reconstruct individual customer journeys. The former would likely survive the ADPPA's restrictions. Much of the latter wouldn't.

The fragmented state landscape is already creating pressure

Brands don't need to wait for federal legislation to feel the impact of what the ADPPA represents. The state-level patchwork of privacy laws is already degrading the quality of attribution data. CCPA gave California consumers the right to opt out of data collection and sale. Similar laws in other states have added to the opt-out pool. iOS privacy changes have reduced the signal available to pixel-based tools. Ad blockers are now used by a significant and growing share of US consumers.

The result is that MTA data is already less complete than it was three years ago, and that trend isn't reversing. The ADPPA would formalize these constraints at a national level, but brands looking at their match rates and wondering why attribution data feels increasingly unreliable are already experiencing the preview. This is a current problem, and the ADPPA would codify it.

Why MMM is structurally compatible with privacy regulation

Not all measurement tools have the same exposure to privacy restrictions. The critical difference comes down to what kind of data each tool actually requires to function.

Marketing mix modeling works at an aggregate level. Instead of tracking what individual users do, it looks at statistical relationships between your marketing inputs—spend, impressions, channel activity—and your realized revenue outcomes over time. There are no cookies involved, no device identifiers, no reconstruction of individual customer journeys. The model works with the kind of compliant first-party data that covered entities can legitimately use under even the strictest reading of the ADPPA's data minimization requirements.

This isn't a workaround or a patch applied to an old approach. It's a fundamentally different methodology. MMM's statistical foundation means that the privacy changes that make life harder for pixel-based tools—opt-outs, tracking prevention, data broker restrictions—simply don't affect how the model works. That's what it means for a measurement approach to be structurally compatible with data privacy regulation: not that it's been adapted to survive the rules, but that it doesn't depend on the data collection the rules restrict.

The ADPPA's explicit carve-out for ad performance measurement data is also worth noting here. The bill's drafters recognized that brands need to be able to measure how their advertising performs. MMM is designed exactly for this purpose: understanding the revenue impact of your marketing mix without requiring individual user tracking to do it.

What "privacy-resilient" actually means in practice

"Future-proof" is a phrase that gets used loosely in marketing technology, but it's worth being specific about what it means in a measurement context.

Some measurement tools are responding to privacy regulation reactively, building consent frameworks, exploring probabilistic ID resolution, seeking ways to maintain individual tracking under changing rules. These adaptations can extend a tool's useful life, but they're fundamentally chasing a receding horizon. Each new state law, platform policy change, or browser update requires another round of adaptation.

MMM sits in a different category. It doesn't require individual user tracking, so it doesn't need to be adapted every time individual tracking becomes harder. When California passed the CCPA, when Apple rolled out App Tracking Transparency, when Google began restricting third-party cookies — none of those changes required Prescient's model to be rebuilt. The model was using aggregated data before those changes happened and continued using it after. That's the structural resilience that matters, and it's the kind of resilience the ADPPA would reward.

What brands should do now

Waiting for regulatory certainty before acting on measurement strategy is itself a decision, and there will be consequences. Every quarter a brand spends making budget decisions based on degraded attribution data is a quarter of compounding measurement error. Here's what forward-looking marketing teams should be doing now.

The first step is auditing which measurement tools depend on individual user tracking. MTA platforms, attribution vendors, and pixel-based dashboards should all be evaluated for how much their reported numbers depend on the kind of data collection the ADPPA targets. If those tools are already showing data gaps because of state laws and platform changes, that's a sign the exposure is real and current.

The second step is treating declining attribution signal as a structural problem, not a temporary one. Match rate erosion isn't a bug to fix; it's the direction the landscape is moving. Brands that are still relying primarily on MTA or platform-reported data to guide budget decisions should cross-validate those numbers against a measurement approach that doesn't depend on individual user tracking. The gap between what platforms report and what a model built on aggregated data shows is often significant, and that gap is the measurement risk.

The third step is building around the measurement methodology that doesn't need to be rebuilt. Brands that adopt MMM before a compliance deadline forces the transition will have months or years of historical model data before the moment when their pixel-based tools stop working well enough to rely on. The transition is smoother and the decisions are better informed when it's proactive rather than reactive.

Where Prescient comes in

Prescient's marketing mix model is built on compliant first-party data—your actual marketing spend, impressions, and revenue figures—rather than individual user tracking. That means its outputs aren't subject to the signal degradation that affects pixel-based tools, and the model doesn't need to be re-architected every time a new privacy regulation passes or a platform changes its data-sharing terms. Beyond structural compatibility with the privacy landscape, Prescient offers campaign-level granularity (rather than channel-level only) and daily model updates, so the measurement you're getting reflects what's happening in your marketing now, not what happened last week, month, or quarter.

For brands that want to understand where their measurement stack has real exposure—and what an MMM-based approach would actually show them—that conversation starts by booking a demo.

FAQs

What are the three requirements of the Data Protection Act?

In the UK, the Data Protection Act 2018 establishes requirements that broadly map onto three core obligations: lawfulness (data must be processed legally, fairly, and transparently), purpose limitation (data can only be collected for specified, explicit, and legitimate purposes), and accountability (organizations must be able to demonstrate compliance with these principles). US brands with customers in the UK are subject to these requirements under the UK GDPR framework, which operates in parallel with the DPA 2018. The ADPPA, if enacted, would establish similar foundational principles for US federal data privacy law—including data minimization, individual rights, and meaningful enforcement—creating a framework closer to the UK's than anything the US currently has at the federal level.

Has the ADPPA passed?

No. The American Data Privacy and Protection Act passed the House Energy and Commerce Committee 53–2 in July 2022, making it the furthest any comprehensive federal data privacy bill has advanced in Congress. However, it has not received a full House vote and has not been enacted into law. A successor effort, the American Privacy Rights Act of 2024, also failed to advance. As of early 2026, the United States still does not have a comprehensive federal data privacy law, and businesses operating across the country must navigate a growing patchwork of state-level privacy laws instead.

What are the 4 principles of the Data Protection Act?

The UK's Data Protection Act 2018 and the broader UK GDPR framework establish several core principles for handling personal data: lawfulness, fairness, and transparency (processing must have a valid legal basis and be communicated clearly); purpose limitation (data may only be collected for specified, explicit purposes); data minimization (only the data necessary for those purposes should be collected); and accuracy (data must be kept up to date). The ADPPA draws on similar principles—its data minimization requirement directly mirrors this framework—which is why legal teams at US-based brands with international operations often use UK/EU compliance standards as a baseline for evaluating US regulatory exposure as well.

Is GDPR mandatory in the US?

GDPR is not US law, but it does apply to US-based companies that collect or process personal data from individuals located in the European Union, regardless of where the company is headquartered. If you sell to EU customers, run advertising that targets EU users, or handle data from EU residents in any way, GDPR compliance is a legal requirement. The ADPPA is the US's most ambitious attempt to establish a GDPR-equivalent federal framework, though it has not yet been enacted. In the meantime, many compliance-forward brands treat GDPR as a useful benchmark for US privacy readiness; if your data handling practices meet GDPR standards, they're likely in a strong position as US federal legislation continues to develop.