
U.S. data privacy protection laws: 2026 guide

Privacy laws aim to prevent unauthorized data access, ensure owner consent for collection and provide rights to review and delete personal info.

Ongoing concerns over the processing, storage and protection of personal data, plus the impact of AI, continue to result in the passage of state-level privacy regulations.

Over the past decade, dozens of laws, regulations, statutes and other guidance have been issued on data protection and privacy by the U.S. federal government, states and local municipalities, and international governments and legislative bodies. Considering the growing pressure on business leaders to protect the confidentiality, integrity and availability of personally identifiable information (PII), it is increasingly important that CISOs, CIOs and other IT leaders are aware of and conform to the requirements specified in that legislation.

Well-known standards such as ISO/IEC 27001, ISO/IEC 27002 and NIST Special Publication 800-53 describe security controls, but they are frameworks rather than law. Implementing them supports compliance, yet they cover only a small part of the obligations that privacy legislation imposes, such as consent, data subject rights and breach notification.

What are data privacy laws and regulations?

Consider how much data is generated every hour and how much of it contains PII and protected health information (PHI). Data with these characteristics must be secured against unauthorized access and kept out of public view. To that end, its confidentiality, integrity and availability must all be protected.

As a result, dozens of laws and regulations have been developed -- and continue to be developed -- to govern how data is collected, processed and stored. These statutes are meant to do the following:

  • Prohibit unauthorized access to personal and private data.
  • Protect against activities that might alter data without the owner's knowledge or approval.
  • Restrict access to personal data to the owner and to parties the owner or the law has authorized.
  • Ensure owners can access and examine their data.
  • Require consent before personal data is collected.
  • Prevent the sale or release of data to third parties without owner consent.
  • Ensure owners can review their data and have inaccuracies corrected.
  • Permit owners to have data about them deleted.
  • Ensure owners are notified when a security breach has compromised their data.

Complying with these requirements helps companies minimize the risk of lawsuits and fines and limit the customer fallout and reputational damage that follow a privacy failure.

U.S. privacy legislation

While the U.S. currently doesn't have a national data privacy law, three initiatives have been developed:

  1. American Data Privacy and Protection Act. ADPPA was introduced during the 117th Congress (2021-2022). While it was passed by the House Committee on Energy and Commerce in 2022, it never received a full House vote. Some of its provisions could become law in future legislation (see APRA).
  2. Executive order on protecting Americans' sensitive personal data. Issued by President Joe Biden on Feb. 28, 2024, the order authorizes the U.S. attorney general to prevent the large-scale transfer of sensitive American data to countries of concern.
  3. American Privacy Rights Act. APRA was proposed in 2024 by Sen. Maria Cantwell (D-Wash.) and Rep. Cathy McMorris Rodgers (R-Wash.). It was built upon prior legislation, including ADPPA, to provide a framework for national data privacy rights that could be used by states and federal agencies. It also provided an update to the Children's Online Privacy Protection Act (COPPA) of 1998. While the legislation attempted to establish a nationwide law for data privacy, it has faced many challenges and has not been passed into law.

The Federal Trade Commission is the primary federal regulator for consumer data privacy. It brings enforcement actions under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, including misrepresenting how personal data is collected, used or secured, and it enforces sector-specific statutes such as COPPA and the GLBA Safeguards Rule.

Additional agencies that exercise authority on privacy issues include the Office of the Comptroller of the Currency, Department of Health and Human Services, Federal Communications Commission, Securities and Exchange Commission, Consumer Financial Protection Bureau and Department of Commerce.

U.S. statutes that cover privacy issues include the following:

  • Privacy Act of 1974. This law established a code of fair information practices to govern the collection, processing, management, dissemination and destruction of PII.
  • Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA has two key rules: the Privacy Rule, which governs the use and disclosure of protected health information (PHI), and the Security Rule, which requires administrative, physical and technical safeguards for electronic PHI. The rules apply to covered entities and their business associates and leave them flexibility in choosing specific controls, but those choices must be documented and are a primary focus of audits. Noncompliance carries civil and criminal penalties.
  • Gramm-Leach-Bliley Act. Enacted in 1999, GLBA modernized compliance requirements for financial services and addressed concerns related to consumer financial privacy by requiring financial institutions to explain their information-sharing practices to customers and safeguard sensitive data.
  • Children's Online Privacy Protection Act. COPPA aims to protect the privacy and PII of children under the age of 13 who use online services.
  • Driver's Privacy Protection Act. DPPA governs the privacy and disclosure of personal information gathered by state-level motor vehicle departments.
  • Video Privacy Protection Act. VPPA restricts the disclosure of rental or sale records of videos or similar audiovisual materials, including online streaming.
  • Cable Communications Policy Act of 1984. This includes provisions dedicated to protecting subscriber privacy.
  • Fair Credit Reporting Act. FCRA restricts the use of information that addresses an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living as part of efforts to determine eligibility for credit, employment or insurance.
  • Telephone Consumer Protection Act. TCPA regulates calls and text messages sent to mobile phones, as well as calls made to residential phones using automated dialing systems for marketing purposes.
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. The CAN-SPAM Act establishes guidelines for sending commercial emails, including provisions that allow recipients to opt out of further messages.
  • Family Educational Rights and Privacy Act. FERPA gives parents, and students aged 18 or older, the right to inspect education records and request correction of inaccuracies. It also prohibits disclosure of education records or other student PII without the student's or parent's consent.

State-level privacy legislation

While no national legislation exists, many U.S. states have enacted their own data privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia. In addition, more than half of U.S. states have proposed or passed targeted legislation addressing the use of AI in political campaigns, schooling, crime data, sexual offenses and deepfakes.

California

California has been the leader in data privacy legislation, enacting more laws than any other state.

The California Consumer Privacy Act (CCPA) has been in effect since Jan. 1, 2020. It gives residents the right to ask businesses what categories of personal information they collect, why they collect it and where it came from, as well as the right to have that information deleted and to opt out of its sale.

The California Privacy Rights Act, in effect since Jan. 1, 2023, amends and builds on CCPA. It lets residents opt out of businesses sharing their personal data, request correction of inaccurate personal data and limit the use of sensitive personal information, such as race, sexual orientation, precise geolocation and health data. It also created the California Privacy Protection Agency to enforce the law.

California's legislature has passed several AI-related bills, defining AI and regulating the largest AI models, generative AI training data transparency, algorithmic discrimination and deepfakes in election campaigns.

Colorado

The Colorado Privacy Act, in effect since 2023, grants consumers rights to manage their personal data and specifies how businesses must protect personal data.

Colorado was the first state to enact a broad-based regulation on AI usage, known as the Colorado Artificial Intelligence Act. Passed in 2024, it was originally due to take effect Feb. 1, 2026; a 2025 amendment delayed that date to June 30, 2026. It requires developers of high-risk AI systems "to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system."

Connecticut

The Connecticut Data Privacy Act, also known as the Connecticut Personal Data Privacy and Online Monitoring Act, has been in effect since 2023. It specifies consumer rights related to personal data, online monitoring and data privacy.

Delaware

The Delaware Personal Data Privacy Act was signed in 2023 and took effect on Jan. 1, 2025. It outlines consumer rights and business requirements for protecting personal data.

Florida

The Florida Digital Bill of Rights, effective since 2024, applies to entities that generate more than $1 billion in gross revenue and either derive 50% or more of their global annual revenue from the sale of online advertisements, operate a consumer smart speaker with a cloud-based voice assistant, or run an app store with at least 250,000 apps.

Indiana

The Indiana Consumer Data Protection Act, which goes into effect Jan. 1, 2026, outlines consumer rights and requirements for data protection, including data access, correction and deletion, and the ability to opt out of targeted advertising.

Iowa

Signed into law in 2023, the Iowa Consumer Data Protection Act went into effect Jan. 1, 2025. It describes consumer rights and requirements for data protection.

Minnesota

The Minnesota Consumer Data Privacy Act went into effect on July 31, 2025. It addresses how consumers can access, correct and delete their data, opt out of targeted advertising, and obtain a list of the third parties to which their data has been sold.

Montana

The Montana Consumer Data Privacy Act, in effect since Oct. 1, 2024 and amended in 2025, applies to entities that conduct business in Montana or provide products or services to Montana residents.

Nebraska

The Nebraska Data Privacy Act, which went into effect on Jan. 1, 2025, applies to entities that conduct business in Nebraska or produce products or services consumed by Nebraska residents and that process or sell personal data.

New Hampshire

The New Hampshire Privacy Act took effect on Jan. 1, 2025. It applies to entities that conduct business in New Hampshire or create products or services targeting New Hampshire residents. It includes provisions on consumer rights and opt-out options.

New Jersey

The New Jersey Data Privacy Act took effect on Jan. 15, 2025. It applies to entities that conduct business in New Jersey or create products or services targeting New Jersey residents, and includes provisions on consumer rights and opt-out options, as well as controller and processor security requirements.

Oregon

The Oregon Consumer Privacy Act went into effect in 2024. It outlines consumer rights and rules for data protection, including business data safeguard requirements and consumer access, deletion and opt-out rights.

Tennessee

Signed in 2023, the Tennessee Information Protection Act took effect on July 1, 2025. It outlines consumer rights and governs data protection and data breach reporting requirements for businesses.

Texas

The Texas Data Privacy and Security Act went into effect July 1, 2024. It describes consumer rights and data protection requirements for businesses, including privacy notices, opt-in consent for processing sensitive data and data protection assessments.

Utah

The Utah Consumer Privacy Act has been in effect since 2023. It provides consumer rights and describes business data protection assessments and security measures.

Virginia

The Virginia Consumer Data Protection Act has been in effect since Jan. 1, 2023. It grants consumers the right to access, correct, delete and obtain a portable copy of their personal data, and requires businesses to comply with data protection rules. It applies to businesses that annually process the personal data of at least 100,000 Virginia consumers, or 25,000 consumers if more than half their revenue comes from selling personal data.

International privacy regulations

Among the most significant international data privacy laws are the following:

  • General Data Protection Regulation. GDPR, adopted by the EU in 2016 and applicable since May 25, 2018, also applies throughout the European Economic Area. Any organization, regardless of where it is headquartered, that offers goods or services to, or monitors the behavior of, individuals in the EU and EEA must comply with it.
  • U.K. Data (Use and Access) Act 2025. DUAA received Royal Assent in June 2025. It amends earlier legislation, including the U.K. GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, but does not replace them.
  • EU Data Act. This regulation entered into force in January 2024 and became applicable in September 2025. It governs access to and sharing of data generated by connected products and related services, and switching between cloud and other data processing services.

The EU AI Act entered into force on Aug. 1, 2024, with obligations phased in: bans on prohibited AI practices applied from February 2025, obligations for general-purpose AI models from August 2025, and most high-risk AI system requirements from August 2026. The phased rollout has been accompanied by European Commission guidance clarifying prohibited practices, the classification of high-risk AI systems and the obligations for other AI systems and models.

More than 100 countries worldwide have enacted data privacy regulations. Each law addresses fundamental issues concerning data creation and processing, data ownership and other criteria. The requirements of each country might differ, as do compliance requirements, but the message is clear: Protecting personal data is critical.

Future of U.S. data privacy laws

Given the importance of data privacy and protection, expect more states to officially enact data privacy laws, most likely built on the foundation laid by California and other states that have been at the forefront of consumer protection. A notable trend to consider is that businesses operating in multiple states will encounter increased challenges in complying with each state's privacy laws.

While current privacy legislation at state and local levels has evolved into a patchwork of activity, this could well lead to a broad-based bipartisan U.S. national data privacy law that also regulates the development, deployment and application of AI.

Paul Kirvan is an independent consultant and technical writer. He has more than 35 years of experience in business continuity, disaster recovery, operational resilience, cybersecurity, governance, risk and compliance, networking and IT auditing.
