United States Laws & Regulations

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

As of May 11, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impact.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections. Key provisions include:

  • The right to correct personal information held by businesses.
  • The right to limit the use of sensitive personal information.
  • The establishment of a California Privacy Protection Agency to enforce privacy laws.

The CPRA's practical impact is significant, as it requires businesses to reassess their data collection and processing practices to ensure compliance with the new regulations.

Children's Online Privacy Protection Act (COPPA) Updates

In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA), which regulates the collection of personal information from children under 13. The proposed amendments aim to:

  • Strengthen parental consent requirements.
  • Expand the definition of personal information to include voice recordings and biometric data.
  • Increase penalties for non-compliance.

These updates, if finalized, will have a substantial impact on businesses targeting children, requiring them to implement stricter privacy measures and obtain robust parental consent.

Health Insurance Portability and Accountability Act (HIPAA) Updates

In 2022, the Department of Health and Human Services (HHS) proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA) to address emerging privacy and security concerns. Key provisions include:

  • Strengthening individual rights to access their health information.
  • Enhancing the security requirements for health information systems.
  • Updating the enforcement process to better protect patient privacy.

These updates, once finalized, will impact healthcare providers, insurers, and other entities covered by HIPAA, requiring them to review and update their privacy and security practices.

State-Level Privacy Acts

Several states have enacted or proposed comprehensive privacy laws, following California's lead. Notable examples include:

  • Virginia's Consumer Data Protection Act (CDPA), effective January 1, 2023.
  • Colorado's Privacy Act (CPA), effective July 1, 2023.
  • Washington's Privacy Act (WPA), effective effective date pending.

These state-level laws share similarities with the CCPA and CPRA, such as granting individuals the right to access, delete, and opt-out of the sale of their personal information. However, each law has unique provisions and requirements, necessitating tailored compliance strategies for businesses operating in these states.

Conclusion

The United States is witnessing a surge in data privacy and personal information protection legislation, with significant developments at both the federal and state levels. Businesses must stay informed of these changes and adapt their practices to ensure compliance, protecting both their customers' privacy and their own reputation. As these laws continue to evolve, privacy professionals and business leaders must remain vigilant in navigating this complex landscape.

Back to all articles