Recent Developments in U.S. Data Privacy and Personal Information Protection Laws
As of April 4, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections. Key provisions include:
- The right to correct personal information held by businesses.
- The right to limit the use of sensitive personal information.
- The establishment of a California Privacy Protection Agency to enforce privacy laws.
Colorado Privacy Act (CPA)
The Colorado Privacy Act, signed into law in July 2021, is set to take effect on July 1, 2023. The CPA grants Colorado residents the right to access, delete, and correct their personal information. It also requires businesses to provide a privacy notice and obtain consent for the sale of personal data. The law applies to businesses that conduct business in Colorado or target their products or services to Colorado residents.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act, enacted in March 2021, is scheduled to become effective on January 1, 2023. The VCDPA grants Virginia residents the right to access, delete, and correct their personal information. It also requires businesses to provide a privacy notice and obtain consent for the sale of personal data. The law applies to businesses that conduct business in Virginia or target their products or services to Virginia residents.
Updates to the Children's Online Privacy Protection Act (COPPA)
In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's personal information. The proposed amendments aim to:
- Expand the definition of personal information to include voice recordings and biometric data.
- Require parental consent for the collection of personal information from children under 13.
- Increase penalties for non-compliance.
Updates to the Health Insurance Portability and Accountability Act (HIPAA)
In 2022, the Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) to enhance data privacy and security protections for individuals' health information. The proposed amendments aim to:
- Strengthen the security requirements for health information.
- Expand the definition of protected health information to include additional types of data.
- Increase penalties for non-compliance.
Practical Impact
These recent legislative developments have significant practical implications for businesses operating in the United States. Companies must now comply with a patchwork of state-level privacy laws, each with its own set of requirements and enforcement mechanisms. This necessitates a comprehensive approach to data privacy and personal information protection, with businesses needing to invest in robust privacy programs and technologies to ensure compliance.
In conclusion, the United States has seen a surge in data privacy and personal information protection laws, with several new state-level privacy acts and updates to existing federal laws. Businesses must stay informed of these developments and adapt their privacy practices accordingly to maintain compliance and protect their customers' personal information.