United States Laws & Regulations

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

As of May 18, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with additional rights and protections. Key provisions include:

  • The right to correct personal information held by businesses.
  • The right to limit the use of sensitive personal information.
  • The establishment of a California Privacy Protection Agency to enforce privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act, enacted in March 2021, is set to take effect on January 1, 2023. This law applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents. The VCDPA requires businesses to:

  • Provide a clear privacy notice detailing data collection, processing, and sharing practices.
  • Obtain consent for processing sensitive data.
  • Allow consumers to access, correct, and delete their personal information.

Colorado Privacy Act (CPA)

The Colorado Privacy Act, passed in July 2021, is scheduled to become effective on July 1, 2023. The CPA applies to businesses that either have annual revenues of $25 million or more or control or process personal data of at least 100,000 consumers. Key provisions include:

  • The requirement for businesses to provide a privacy notice detailing data collection, use, and sharing practices.
  • The right for consumers to access, correct, and delete their personal information.
  • The obligation for businesses to conduct data protection assessments for high-risk processing activities.

Updates to the Children's Online Privacy Protection Act (COPPA)

In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's data. The proposed amendments aim to:

  • Expand the definition of personal information to include voice recordings and biometric data.
  • Require parental consent for the collection of personal information from children under 13.
  • Increase penalties for non-compliance.

HIPAA Updates

The Health Insurance Portability and Accountability Act (HIPAA) has seen updates to its Privacy and Security Rules in recent years. These updates focus on:

  • Enhancing patient access to their health information.
  • Strengthening the security of electronic health information.
  • Allowing for greater flexibility in sharing information during public health emergencies.

Practical Impact

These legislative developments have significant practical impacts on businesses operating in the United States. Companies must now comply with a patchwork of state-level privacy laws, each with its own set of requirements. This necessitates a comprehensive approach to data privacy and personal information protection, with businesses needing to invest in robust privacy programs and technologies to ensure compliance.

In conclusion, the United States has seen a surge in data privacy and personal information protection laws, with several key pieces of legislation set to take effect in the coming years. Businesses must stay informed and adapt their practices to meet these evolving requirements.

Back to all articles