The Evolving Landscape of Data Privacy and Personal Information Protection in the United States

As of April 4, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impact.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by introducing new rights for California residents, including the right to correct personal information, the right to limit the use of sensitive personal information, and the right to opt out of sharing personal information. The CPRA also establishes a new California Privacy Protection Agency to enforce privacy laws and regulations.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, and is set to become effective on January 1, 2023. The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents and meet certain revenue or data processing thresholds. Key provisions include requirements for businesses to provide notice to consumers about the collection and processing of personal data, obtain consent for processing sensitive data, and allow consumers to access, correct, and delete their personal data.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and is set to become effective on July 1, 2023. The CPA applies to businesses that conduct business in Colorado or produce products or services targeted to Colorado residents and meet certain revenue or data processing thresholds. The CPA requires businesses to provide notice to consumers about the collection and processing of personal data, obtain consent for processing sensitive data, and allow consumers to access, correct, and delete their personal data.

Children's Online Privacy Protection Act (COPPA) Updates

In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's privacy in the digital age. The proposed updates include expanding the definition of personal information, increasing penalties for violations, and requiring parental consent for the collection of personal information from children under 13. The final rule is expected to be published in 2023.

Health Insurance Portability and Accountability Act (HIPAA) Updates

In 2022, the Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) to enhance privacy protections for individuals' health information. The proposed updates include expanding the definition of protected health information, increasing penalties for violations, and requiring covered entities to provide individuals with more transparent access to their health information. The final rule is expected to be published in 2024.

Practical Impact

These legislative developments have significant practical implications for businesses operating in the United States. Companies must now navigate a complex patchwork of state and federal privacy laws, each with its own requirements and enforcement mechanisms. Compliance with these laws will require businesses to invest in robust data privacy programs, including data mapping, risk assessments, and employee training. Failure to comply with these laws can result in significant financial penalties and damage to a company's reputation.
