United States Laws & Regulations

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

As of April 4, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections. Key provisions include:

  • The right to correct personal information held by businesses.
  • The right to limit the use of sensitive personal information.
  • The establishment of a California Privacy Protection Agency to enforce privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act, enacted in March 2021, is the first comprehensive privacy law in the United States to be passed by a state legislature. It will become effective on January 1, 2023. The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents. Key provisions include:

  • The requirement for businesses to provide a privacy notice detailing their data collection, processing, and sharing practices.
  • The right for consumers to access, correct, and delete their personal data.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Colorado Privacy Act (CPA)

The Colorado Privacy Act, signed into law in July 2021, is set to take effect on July 1, 2023. The CPA applies to businesses that either have annual revenues of $25 million or more or control or process the personal data of at least 100,000 consumers. Key provisions include:

  • The requirement for businesses to provide a privacy notice detailing their data collection, processing, and sharing practices.
  • The right for consumers to access, correct, and delete their personal data.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Updates to Existing Laws

In addition to these new state-level privacy acts, existing laws have also seen updates. The Children's Online Privacy Protection Act (COPPA) has been updated to strengthen protections for children's data, while the Health Insurance Portability and Accountability Act (HIPAA) continues to evolve to address new privacy and security challenges in healthcare.

Practical Impact

These legislative developments have significant practical impacts for businesses operating in the United States. Companies must now navigate a complex patchwork of state and federal privacy laws, each with its own set of requirements and penalties for non-compliance. It is crucial for businesses to stay informed about these developments and ensure their data privacy practices are in line with the latest legal requirements.

In conclusion, the United States has seen a surge in data privacy and personal information protection laws, with new state-level acts and updates to existing legislation. Businesses must adapt to these changes to maintain compliance and protect consumer data.

Back to all articles