American Data Privacy and Protection Act This bill establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual. Specifically, the bill requires most companies to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service and to other specified circumstances. It also generally prohibits companies from transferring individuals' personal data without their affirmative express consent. The bill establishes consumer data protections, including the right to access, correct, and delete personal data. Prior to engaging in targeted advertising, the bill requires companies to provide individuals with a means to opt out of such advertising. The bill also provides additional protections with respect to personal data of individuals under the age of 17. It further prohibits companies from using personal data to discriminate based on specified protected characteristics. Additionally, companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement. The bill provides for enforcement of these requirements by the FTC and state attorneys general. Beginning two years after the bill takes effect, individuals may, subject to certain notification requirements, bring civil actions for violations of the bill. Finally, the bill preempts state laws that are covered by the provisions of the bill except for certain categories of state laws and specified laws in Illinois and California.