US Capitol building dome against blue sky

TL;DR: The United States is the only G20 country without a comprehensive federal privacy law. Congress has tried and failed repeatedly, ADPPA in 2022, APRA in 2024, always stalling on state preemption and enforcement disputes. Now a group of tech-minded citizens is writing their own draft bill on GitHub, using LLMs to test whether provisions work in real-world scenarios. The Federal Right to Privacy Act has 338 signatures and covers everything from data broker restrictions to drone surveillance. It's a long shot. But when Congress won't act, someone has to try.

Twenty Years of Nothing

The US has no comprehensive federal privacy law. None. While Europe has GDPR and even Brazil has LGPD, Americans rely on a patchwork of state laws and sector-specific regulations that leave massive gaps.

Congress got close in 2022. The American Data Privacy and Protection Act (ADPPA) passed the House Energy and Commerce Committee 53-2 with bipartisan support [1]. Then it died. California lawmakers objected that it would weaken the California Consumer Privacy Act. Senator Maria Cantwell wanted stronger private enforcement rights. The usual suspects.

The American Privacy Rights Act (APRA) followed in April 2024 [2]. Same story. Cantwell and Rep. Cathy McMorris Rodgers unveiled a bipartisan draft. It went nowhere.

Twenty-plus years of debate. Zero comprehensive federal legislation. That's the backdrop.

Citizens Write Their Own Bill

Enter the Federal Right to Privacy Act, a draft bill hosted on GitHub, built by privacy-minded citizens frustrated with congressional inaction. It trended on Hacker News in mid-March 2026 and has sustained attention since [3].

The approach is unusual: crowdsourced drafting with AI-powered testing. Contributors write provisions, then run them through large language models to check whether the law behaves as intended in real-world scenarios. Does the data broker restriction actually stop your location data from ending up with ICE? Does the opt-out requirement work for abuse victims trying to remove their likeness from databases?

The test suite lives in the project's GitHub repository. It's not perfect. But it's more scenario validation than most congressional bills get before markup.

What the Draft Covers

The Federal Right to Privacy Act addresses the full surveillance ecosystem:

Data Broker Restrictions

Limits on commercial surveillance and data brokerage. Companies couldn't sell your movements, habits, devices, and routines without explicit opt-in consent.

Sensitive Data Protections

Special categories for medical, biometric, genetic, and location data. These get stronger protections than general personal information.

Abuse Victim Provisions

Specific protections for people fleeing domestic violence, the right to remove your likeness and location data from databases that could expose you.

Government Surveillance Limits

Restrictions on drone surveillance and government purchase of data from private brokers. No more ICE buying your location from ad tech companies.

The draft also tackles license plate databases, automobile cellular connections, and searchable databases of personal expression. It includes both civil and criminal enforcement mechanisms.

In short: it's ambitious. Maybe too ambitious for Congress. But as a statement of what comprehensive privacy protection could look like, it's more detailed than either ADPPA or APRA.

Why AI Testing Matters

Here's what makes the project novel: LLM-based testing. Contributors write test scenarios describing real-world situations, then run the draft legislation through AI models to check for gaps, contradictions, and unintended consequences.

Example scenario: A domestic abuse survivor needs to remove her photo from a people-search database. Does the bill provide adequate mechanisms? What happens if the database operator claims exemption under journalism provisions?

Another scenario: A city police department buys location data from a data broker to track protesters. Does the government surveillance restriction actually cover this, or is there a private-sector loophole?

Traditional legislation doesn't get this kind of edge-case testing until it hits the courts, often years after passage. The GitHub project runs scenarios before the bill is even introduced.

It's an experiment. The LLMs aren't perfect interpreters of legal text. But catching obvious gaps early beats discovering them through failed prosecutions or denied civil suits later.

Will It Actually Pass?

Let's be honest: probably not. At least not as-is.

Congress isn't known for adopting legislation drafted on GitHub. The tech industry will lobby against anything with real teeth. State preemption fights killed ADPPA and will kill this too unless someone figures out how to satisfy both California and federal-regulation advocates.

The project knows this. The website explicitly encourages supporters to contact their representatives and senators, to build a constituency that shows Congress there's real demand for comprehensive privacy law [4].

The strategy isn't "pass this exact bill." It's "show what's possible and pressure elected officials to do something." That's different.

Meanwhile, States Keep Moving

While Congress stalls, states are acting. Twenty states now have comprehensive privacy laws in effect as of 2026, with Indiana, Kentucky, and Rhode Island joining this year [5].

California's CCPA remains the strongest. Virginia, Colorado, Connecticut, and others have variations. The result is a compliance nightmare for companies and uneven protection for consumers depending on where they live.

Federal legislation would create uniform rules. That's the promise. But it's also the threat to states with stronger protections, which is why California keeps blocking federal bills that would preempt the CCPA.

Where Civil Liberties Groups Stand

The EFF and ACLU both support comprehensive federal privacy legislation in principle. The EFF has argued that well-written privacy law is the best way to hold tech companies accountable [6].

The ACLU is backing the Fourth Amendment Is Not For Sale Act, which would require warrants before government agencies buy data from brokers [7]. That bill targets one piece of the surveillance problem, the one where ICE and CBP bypass the Constitution by purchasing what they'd need a warrant to collect directly.

Neither organization has endorsed the GitHub project specifically. But the Federal Right to Privacy Act's provisions align with what both groups have advocated for years.

What You Can Do

Sign the Petition

The project has 338 signatures. More signatures demonstrate constituent demand. Visit righttoprivacyact.github.io to add yours.

Contact Your Representatives

Call your senators and House rep. Ask them to support comprehensive privacy legislation, and specifically ask why they haven't passed one in 20 years.

Review the Draft

If you have legal or technical expertise, read the draft and suggest improvements. The whole point is crowdsourced development. Your edge-case scenario could identify a critical gap.

Spread the Word

Tell two people. That's the project's ask. Privacy law shouldn't be a niche interest when data brokers are selling your movements to whoever pays.

The Bottom Line

The Federal Right to Privacy Act is a long shot. Congress has proven it won't pass comprehensive privacy legislation without massive public pressure. Tech industry lobbying ensures that pressure rarely materializes.

But the project matters anyway. It proves that detailed, scenario-tested privacy legislation is possible. It provides a concrete alternative to the watered-down compromises that keep dying in committee. And it demonstrates that citizens are paying attention, enough to write their own damn laws when their representatives won't.

The US is the only G20 country without comprehensive data privacy protection. Companies scrape your movements, habits, devices, family connections, and routines into profiles more detailed than anything the Stasi could have dreamed of. Congress shrugs.

Maybe crowdsourced legislation isn't the answer. But at least someone's trying something.

References

  1. Harvard Journal of Law & Technology, American Data Privacy and Protection Act: Latest, Closest, Yet Still Fragile Attempt
  2. Congress.gov, The American Privacy Rights Act (CRS Report)
  3. Hacker News, Federal Right to Privacy Act Discussion
  4. Federal Right to Privacy Act, Project Website
  5. MultiState, 20 State Privacy Laws in Effect in 2026
  6. EFF, Is Your State's Child Safety Law Unconstitutional? Try Comprehensive Data Privacy Instead
  7. ACLU, The ACLU is Committed to Protecting Your Personal Information