Recent Developments in U.S. Data Privacy and Personal Information Protection Laws
As of May 17, 2026, the United States has seen significant legislative developments in data privacy and personal information protection. This article provides an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020, with an effective date of January 1, 2023. The CPRA expands upon the CCPA by providing California residents with more control over their personal information. Key provisions include:
- The right to correct inaccuracies in personal information.
- The right to limit the use of sensitive personal information.
- The establishment of a California Privacy Protection Agency to enforce privacy laws.
Virginia Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, with an effective date of January 1, 2023. The CDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents. Key provisions include:
- The requirement for businesses to provide a clear and conspicuous notice of data collection and processing practices.
- The right for consumers to access and delete their personal data.
- The obligation for businesses to conduct data protection assessments when processing sensitive data.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, with an effective date of July 1, 2023. The CPA applies to businesses that conduct business in Colorado or produce products or services targeted to Colorado residents. Key provisions include:
- The requirement for businesses to provide a clear and conspicuous notice of data collection and processing practices.
- The right for consumers to access and delete their personal data.
- The obligation for businesses to conduct data protection assessments when processing sensitive data.
Updates to the Children's Online Privacy Protection Act (COPPA)
In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's data. The proposed updates include:
- Expanding the definition of personal information to include voice recordings and biometric information.
- Requiring parental consent for the collection of personal information from children under 13.
- Strengthening enforcement mechanisms for violations of COPPA.
Updates to the Health Insurance Portability and Accountability Act (HIPAA)
In 2022, the Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) to enhance data privacy and security protections for health information. The proposed updates include:
- Strengthening the requirements for breach notification.
- Enhancing the security standards for electronic protected health information.
- Expanding the scope of entities subject to HIPAA regulations.
These recent legislative developments have significant practical impacts on businesses operating in the United States. Companies must now comply with a patchwork of state-level privacy laws, each with its own requirements and enforcement mechanisms. As a result, businesses must invest in robust data privacy and security measures to protect consumer data and avoid potential penalties.