United States Laws & Regulations

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

Recent Developments in U.S. Data Privacy and Personal Information Protection Laws

As of May 19, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by providing California residents with more control over their personal information. Key provisions include:

  • The right to correct personal information held by businesses.
  • The right to limit the use of sensitive personal information.
  • The establishment of a California Privacy Protection Agency to enforce privacy laws.

Virginia Consumer Data Protection Act (CDPA)

The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, and is set to become effective on January 1, 2023. The CDPA is the second comprehensive privacy law in the U.S., following the CCPA. Key provisions include:

  • The requirement for businesses to provide a clear and conspicuous privacy notice to consumers.
  • The right for consumers to access and delete their personal data.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and is set to become effective on July 1, 2023. The CPA is similar to the CDPA and CCPA, with key provisions including:

  • The requirement for businesses to provide a privacy notice to consumers.
  • The right for consumers to access, delete, and correct their personal data.
  • The obligation for businesses to conduct data protection assessments when processing sensitive data.

Children's Online Privacy Protection Act (COPPA) Updates

In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's privacy in the digital age. The proposed updates include:

  • Expanding the definition of personal information to include voice recordings and biometric information.
  • Requiring parental consent for the collection of personal information from children under 13.
  • Strengthening enforcement mechanisms for violations of COPPA.

Health Insurance Portability and Accountability Act (HIPAA) Updates

In 2022, the Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) to enhance data privacy and security in the healthcare sector. Key provisions include:

  • Strengthening the security requirements for protected health information (PHI).
  • Expanding the definition of PHI to include additional types of health-related data.
  • Enhancing penalties for HIPAA violations.

Practical Impact

These recent legislative developments have significant practical impacts for businesses operating in the United States. Companies must now comply with multiple state-level privacy laws, each with its own set of requirements and enforcement mechanisms. Additionally, updates to existing laws like COPPA and HIPAA require businesses to reevaluate their data privacy and security practices to ensure compliance.

In conclusion, the United States has seen a surge in data privacy and personal information protection laws in recent years. Businesses must stay informed of these developments and adapt their practices accordingly to maintain compliance and protect consumer privacy.

Back to all articles