Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

As of April 4, 2026, the United States has seen significant legislative developments in data privacy and personal information protection. This article gives an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impact.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections regarding their personal information. Key provisions include:

  • The right to correct personal information held by businesses.
  • The right to limit the use of sensitive personal information.
  • The establishment of a California Privacy Protection Agency to enforce privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act, enacted in March 2021, is the first comprehensive privacy law in the United States outside of California. It applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents. The VCDPA is set to become effective on January 1, 2023, with enforcement beginning on January 1, 2024. Key provisions include:

  • The requirement for businesses to provide a privacy notice detailing their data collection, processing, and sharing practices.
  • The right for consumers to access, correct, and delete their personal information.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Colorado Privacy Act (CPA)

The Colorado Privacy Act, signed into law in July 2021, is another state-level privacy law that aims to protect consumer data. It applies to businesses that either have annual gross revenues of $25 million or more and process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive over half of their annual revenue from selling personal data. The CPA is set to become effective on July 1, 2023. Key provisions include:

  • The requirement for businesses to provide a privacy notice detailing their data collection, processing, and sharing practices.
  • The right for consumers to access, correct, and delete their personal information.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Updates to Existing Laws

In addition to these new state-level privacy acts, existing laws such as the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA) have seen updates to address emerging privacy concerns. For instance, COPPA has been updated to include new provisions for protecting children's privacy in the digital age, while HIPAA has been amended to strengthen the security and privacy of health information.

Practical Impact

These legislative developments have significant practical implications for businesses operating in the United States. Companies must now navigate a complex web of state and federal privacy laws, each with its own set of requirements and enforcement mechanisms. Compliance with these laws is crucial to avoid hefty fines and damage to a company's reputation. As a result, businesses are increasingly investing in privacy professionals and technologies to ensure they are in line with the latest data privacy and personal information protection regulations.
