The Evolving Landscape of Data Privacy and Personal Information Protection in the United States

As of May 16, 2026, the United States has seen significant legislative developments in the realm of data privacy and personal information protection. This article will provide an overview of the most recent laws and regulations, focusing on their jurisdiction, key provisions, effective dates, and practical impacts.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA), was passed in November 2020 and is set to become effective on January 1, 2023. The CPRA expands upon the CCPA by introducing new rights for California residents, including the right to correct personal information, the right to limit the use of sensitive personal information, and the right to opt-out of sharing personal information. The CPRA also establishes a new California Privacy Protection Agency to enforce privacy laws and regulations.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) was signed into law on March 2, 2021, and is set to become effective on January 1, 2023. The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents and meet certain revenue or data processing thresholds. Key provisions include requirements for businesses to provide notice to consumers about their data collection practices, obtain consent for processing sensitive data, and allow consumers to access, correct, or delete their personal information.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) was signed into law on July 7, 2021, and is set to become effective on July 1, 2023. The CPA applies to businesses that conduct business in Colorado or produce products or services targeted to Colorado residents and meet certain revenue or data processing thresholds. The CPA requires businesses to provide notice to consumers about their data collection practices, obtain consent for processing sensitive data, and allow consumers to access, correct, or delete their personal information.

Children's Online Privacy Protection Act (COPPA) Updates

In 2021, the Federal Trade Commission (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA) to strengthen protections for children's personal information. The proposed updates include expanding the definition of personal information, requiring parental consent for the collection of personal information from children under 13, and increasing penalties for non-compliance.

Health Insurance Portability and Accountability Act (HIPAA) Updates

In 2022, the Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) to enhance the privacy and security of protected health information (PHI). The proposed updates include strengthening the requirements for the use and disclosure of PHI, improving the security of electronic PHI, and increasing penalties for non-compliance.

Practical Impact

These legislative developments have significant practical impacts on businesses operating in the United States. Companies must now navigate a complex patchwork of state-level privacy laws, each with its own requirements and enforcement mechanisms. Additionally, businesses must ensure compliance with federal privacy laws, such as COPPA and HIPAA, which continue to evolve in response to changing technology and privacy concerns.

In conclusion, the United States is experiencing a rapid expansion of data privacy and personal information protection laws. Businesses must stay informed of these developments and adapt their practices to ensure compliance with the ever-changing legal landscape.