
Recent data privacy laws in the USA

Overview of recent data privacy laws in the USA in 2025, including federal and state-level regulations
Key developments in data privacy laws across the USA, including federal and state-specific initiatives

Introduction

Recent data privacy laws in the USA have sparked discussions around creating a unified framework for federal and state-level compliance. Presently, the United States does not have an all-encompassing national data privacy law in effect. Nevertheless, multiple state-specific regulations are in effect within their particular jurisdictions. Recent developments towards the realisation of a national data privacy law include the introduction of the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA). Both are proposed bills in the United States, yet to attain legislative sanction. Another pertinent development is the ‘Executive order on protecting Americans’ sensitive personal data from foreign adversaries’ issued in 2024 by former President Joe Biden. Apart from this, there are several sector-specific data protection regulations in place, like the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information, or the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), which make significant efforts to enhance online safety and privacy protections for minors.

Federal Laws and Regulations

The absence of a uniform federal data protection law in the USA is an acknowledged reality, and efforts to fill this gap have been made in recent times.

  • American Privacy Rights Act (APRA): As of now, it remains a proposal yet to be enacted into law. The bill was introduced in June 2024. The legislative process is ongoing, and the bill’s future depends on further deliberations and potential modifications by Congress. The main objective of the Act would be to create a unified framework for data privacy across the United States. It would simplify the compliance measures required of businesses operating in multiple states of the country while enhancing consumer protection. If enacted, it would have pre-emptive effect over state provisions for data privacy. APRA would impose obligations on covered entities and service providers to minimize processing of covered data. Covered data would be information that identifies, links or is reasonably linked to an individual or device. A covered entity in this context would be one that fulfils any of these criteria:
    • Collects, processes or transfers covered data
    • Is subject to the jurisdiction of the Federal Trade Commission
    • Is a common carrier under the Communications Act
    • Is a non-profit organization
    • Controls or is controlled by another covered entity

Along with the obligations it would impose on covered entities and service providers, the APRA would impose additional obligations on high-impact social media companies and large data holders. It would also have implications for AI by restricting the availability of data to develop AI models. Another significant impact envisioned by APRA would be on the enforceability of consumer arbitration agreements. Specifically, the APRA provides that arbitration agreements are not enforceable if an individual’s claims allege a violation involving a minor or substantial privacy harm. Substantial privacy harm could be financial harm, physical or mental harm, offensive intrusion of privacy or even discrimination on the basis of race, colour, etc. If any of these allegations are present, consumers would not be forced to arbitrate their issues and could instead pursue the claims through litigation. APRA proposes enforcement through the Federal Trade Commission (FTC) and state attorneys general. Furthermore, it includes a private right of action, allowing individuals to file suit for perceived violations.

  • American Data Privacy and Protection Act (ADPPA): As of January 2025, the ADPPA remains one of the prominent proposals aimed at establishing a comprehensive federal framework for data privacy and protection in the United States. The main objective of the proposal is to establish a unified set of data privacy standards in the United States, resolving the dilemma created by the fragmented state-specific and sector-specific laws. The ADPPA mandates that covered entities limit the collection, processing, and transfer of personal data to what is reasonably necessary and proportionate to provide specific products or services requested by individuals. The act would also grant individuals rights to access, correct, delete, and transfer their personal data, along with the right to opt out of targeted advertising and data transfers to third parties. Provisions to eliminate the risks associated with automated decision-making systems are also included. Similar to APRA, the enforcement mechanism involves the Federal Trade Commission (FTC) and state attorneys general. However, in the ADPPA the private right of action for individuals is limited in some circumstances.
  • Kids Online Safety Act (KOSA) and Children and Teens’ Online Privacy Protection Act (COPPA 2.0): The U.S. Senate passed these acts in 2024 to enhance online safety and privacy protections for minors. KOSA creates a duty of care for online platforms that are used by minors, requiring them to take reasonable measures in how they design their products to mitigate harmful effects, including online bullying, sexual exploitation, drug promotion, and eating disorders. While KOSA aims at addressing online exploitation of minors, the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) strengthens the already existing legal framework of COPPA, which originally gives parents control over what information websites can collect from their children who are under 13 years of age.
  • Executive Order 14117, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”:

The order was issued by President Biden in February 2024. It addresses the threat posed by foreign adversaries exploiting vulnerabilities in information and communications technologies. The aim is to restrict access by countries of concern to Americans’ bulk sensitive personal data and, specifically, U.S. government-related data, the exposure of which could pose a threat to national security. The order identifies certain countries as posing such a threat.

  • Data Privacy Act of 2023: It was introduced in 2023 but is yet to be enacted as law. It aims to enhance the privacy and security of personal information held by financial institutions. It seeks to expand existing protections, grant individuals greater control over their data, and establish nationwide data privacy standards.

State-level laws and regulation

In the absence of comprehensive federal legislation, several states have enacted their own data privacy laws. Some of the recent state-specific laws are as follows:

  • The Virginia Consumer Data Protection Act (VCDPA), which became enforceable in January 2023, affecting businesses that process personal data of Virginia residents.
  • The Colorado Privacy Act (CPA), effective from July 2023.
  • The Utah Consumer Privacy Act (UCPA) which became effective on December 31, 2023. 
  • The California Consumer Privacy Act (CCPA), effective since 2020, and the California Privacy Rights Act (CPRA), which came into effect in January 2023 to bolster the protection further.

In total, 20 states have enacted comprehensive data privacy laws, with varying effective dates extending into 2026. 

Conclusion

Apart from these recent developments, certain sector-specific data protection laws existed earlier, like the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which regulates the use and disclosure of protected health information. The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is another such law; it requires financial institutions to disclose their information-sharing practices to their customers and to safeguard sensitive customer data. Likewise, the Federal Trade Commission (FTC) has been an important organ with regard to data privacy, particularly since the Federal Trade Commission Act authorises it to prohibit unfair and deceptive trade practices, including the unfair and deceptive collection, use, or transfer of personal data. Furthermore, since the EU-U.S. Data Privacy Framework (DPF) came into being, the FTC has been tasked with enforcement of the DPF Principles and works with privacy authorities in the EU to protect consumer privacy on both sides. The framework mainly focusses on providing a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law. Hence, the data privacy landscape of the US is evolving at a fast pace, and further developments are anticipated in the near future.

