Recent Developments in U.S. Data Privacy and Personal Information Protection Laws
As of May 12, 2026, the United States has seen significant legislative developments in data privacy and personal information protection. This article provides an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020, with an effective date of January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections. Key provisions include:
- The right to correct personal information held by businesses.
- The right to limit the use of sensitive personal information.
- The establishment of a California Privacy Protection Agency to enforce privacy laws.
The CPRA's practical impact is significant, as it requires businesses to reassess their data collection and processing practices to ensure compliance with the new regulations.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act, enacted in March 2021, is the first comprehensive privacy law in the United States outside of California. The VCDPA's effective date is January 1, 2023. Key provisions include:
- The requirement for businesses to provide a clear and conspicuous privacy notice to consumers.
- The right for consumers to access and delete their personal data.
- The obligation for businesses to conduct data protection assessments for high-risk processing activities.
The VCDPA's practical impact is substantial, as it sets a precedent for other states to follow and requires businesses to implement robust data protection measures.
Colorado Privacy Act (CPA)
The Colorado Privacy Act, passed in July 2021, has an effective date of July 1, 2023. The CPA is similar to the VCDPA and CPRA, with key provisions including:
- The requirement for businesses to provide a privacy notice to consumers.
- The right for consumers to access, delete, and correct their personal data.
- The obligation for businesses to conduct data protection assessments for certain high-risk processing activities.
The CPA's practical impact is notable, as it further expands the scope of privacy regulations across the United States and requires businesses to adapt their data practices accordingly.
Updates to Existing Laws
In addition to these new state-level privacy acts, existing laws such as the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA) have seen updates to address emerging privacy concerns. For instance, COPPA has been updated to include new provisions for the protection of children's data on online platforms, while HIPAA has been amended to strengthen the security and privacy of health information.
Conclusion
The recent legislative developments in the United States demonstrate a growing emphasis on data privacy and personal information protection. Businesses operating in the U.S. must stay informed of these changes and adapt their practices to ensure compliance with the evolving legal landscape. As more states enact comprehensive privacy laws, the practical impact on businesses will continue to grow, necessitating a proactive approach to data protection and privacy.