Data protection & privacy laws in United States (2026)
The United States has no single comprehensive federal data-protection statute equivalent to the EU GDPR. At the federal level, protection derives from sector-specific statutes and from the FTC's authority over unfair or deceptive practices under Section 5 of the FTC Act. In the absence of federal action, at least 20 states have enacted comprehensive consumer privacy laws, with the newest (Indiana, Kentucky, Rhode Island) taking effect January 1, 2026. A new federal bill, the SECURE Data Act, was introduced in the House in April 2026 but remains at an early legislative stage.
Key points
Congress has not enacted a comprehensive national data privacy statute. The American Privacy Rights Act (APRA) expired at the end of the 118th Congress in January 2025 without passing. The US relies on a patchwork of sector-specific federal statutes rather than a unified GDPR-style regime.
On April 22, 2026, House Republicans introduced the SECURE Data Act (H.R. 8413) in the 119th Congress, the first major federal omnibus privacy attempt since APRA. It would set a uniform national standard preempting state laws, enforced by the FTC and state attorneys general, with no private right of action. The bill is in early committee stages and is not law.
Major sectoral statutes include: HIPAA (health data, enforced by HHS); GLBA (financial data, enforced by the FTC, the CFPB, and the federal banking regulators); COPPA (children under 13, enforced by the FTC; its implementing rule was substantially amended effective June 23, 2025, with compliance required by April 22, 2026); FERPA (student education records); and FCRA (consumer reports, including credit data). Across all sectors, the FTC enforces against unfair or deceptive privacy and data-security practices under Section 5 of the FTC Act.
At least 20 states have enacted comprehensive consumer privacy laws as of 2026. Indiana, Kentucky, and Rhode Island joined on January 1, 2026. California's CCPA/CPRA remains the most expansive; regulations finalized by the California Privacy Protection Agency in 2025 added rules on automated decision-making technology, risk assessments for high-risk processing, cybersecurity audits, and data-broker obligations.
The Federal Trade Commission is the primary federal privacy enforcement authority, acting under Section 5 of the FTC Act and the sector statutes it administers. In 2025 and 2026 the Republican-majority FTC under Chairman Andrew Ferguson has focused enforcement on children's privacy, sales of sensitive data, data-broker practices, and cybersecurity deficiencies. The Take It Down Act, signed May 19, 2025, also gives the FTC authority to enforce platforms' notice-and-removal obligations for non-consensual intimate imagery (including AI-generated images); those obligations apply from May 19, 2026.
With no new state comprehensive laws enacted in 2025, state attorneys general and dedicated privacy agencies (notably the California Privacy Protection Agency) shifted focus to enforcement and refinement of existing laws. Nine states amended their existing privacy laws in 2025. State-level class actions and AG enforcement actions are expected to increase significantly through 2026.
Timeline - major decisions & events
December 2025: President Trump signed an executive order directing federal agencies to identify and challenge state AI laws deemed inconsistent with national policy, launching a push to centralize data-governance and AI regulation at the federal level. A March 2026 White House blueprint followed, urging Congress to adopt a unified framework covering children's online safety and AI-driven data harms. Source: White House
June 2025: The FTC's first major COPPA Rule overhaul since 2013, finalized January 16, 2025 by a 5-0 vote, became enforceable. Operators must now obtain separate verifiable parental consent before disclosing personal data of children under 13 to third parties (including for targeted advertising) and may retain such data only as long as reasonably necessary for the purpose it was collected, under a written retention policy. It is the most consequential update to children's online privacy law in over a decade. Source: Federal Trade Commission
April 2025: Acting under Executive Order 14117 (February 2024), the Justice Department's Data Security Program took effect, restricting bulk transfers of Americans' genomic, biometric, health, financial, and precise geolocation data to China, Russia, and the other designated "countries of concern" (Cuba, Iran, North Korea, and Venezuela). The program functions as a national-security export-control regime for personal data; its audit, due-diligence, and reporting obligations became enforceable October 6, 2025. Source: U.S. Department of Justice
June 2024: Bipartisan sponsors introduced H.R. 8818, the American Privacy Rights Act (APRA), the most advanced attempt at comprehensive federal privacy legislation to date. It would have established nationwide data-minimization rules, rights to access and delete personal data, an opt-out from targeted advertising, and a private right of action. The bill died in January 2025 at the end of the 118th Congress without a floor vote, leaving the U.S. without a federal omnibus privacy law. Source: Congress.gov
February 2024: After a state appeals court overturned a trial-court ruling that had delayed enforcement of the California Privacy Rights Act regulations, the California Privacy Protection Agency (CPPA) began full enforcement. California's rules on sensitive-data handling, data minimization, and opt-out rights effectively function as a national baseline for companies operating across the U.S. Source: California Privacy Protection Agency
January 2024: The FTC settled with data broker X-Mode Social (rebranded Outlogic), permanently barring it from selling precise location data and requiring deletion of previously collected datasets. The action opened a sustained FTC campaign against the data-broker industry, followed in 2024 and 2025 by similar orders against InMarket Media, Mobilewalla, and Gravy Analytics. Source: Federal Trade Commission
January 2023: California's CPRA amendments to the CCPA took effect alongside Virginia's Consumer Data Protection Act, formally inaugurating the era of multi-state comprehensive privacy regulation. By the end of 2023, 13 states, including Colorado, Connecticut, Texas, Montana, and Oregon, had enacted their own comprehensive privacy statutes, creating a nationwide patchwork binding tens of thousands of businesses. Source: California Privacy Protection Agency
January 2020: The CCPA took effect as the first comprehensive consumer data privacy law in U.S. history (Attorney General enforcement began July 1, 2020), granting Californians rights to know what personal information businesses collect, to request deletion, and to opt out of the sale of their data. Because it covers any business meeting its size thresholds that handles Californians' data, it became an effective national standard and accelerated state-by-state legislative activity. Source: California Attorney General
June 2018: Governor Jerry Brown signed AB 375, enacting the CCPA, the broadest consumer data privacy statute in U.S. history at the time. Passed to forestall a more stringent ballot initiative, it was modeled partly on GDPR principles and set off a wave of state legislative activity across the country. Source: California Legislative Information
November 1999: President Clinton signed the GLBA into law, establishing the foundational federal privacy and data-security framework for financial institutions. It requires disclosure of customer data-sharing practices, mandates consumer opt-out rights for sharing with non-affiliated third parties, and (through the Safeguards Rule) requires a written information security program. It remains the primary federal data-protection law for the financial sector. Source: Federal Trade Commission
October 1998: Congress enacted COPPA (Pub. L. 105-277), the first federal law specifically regulating online collection of personal data from children under 13, requiring verifiable parental consent before data collection. It gave the FTC rulemaking and enforcement authority and remains the cornerstone of children's online privacy law, substantially strengthened by the 2025 rule amendments. Source: Federal Trade Commission
August 1996: Congress enacted HIPAA (Pub. L. 104-191), directing HHS to establish standards for the privacy and security of individually identifiable health information. The resulting Privacy Rule (compliance required from 2003) and Security Rule (from 2005) created the principal federal data-protection regime for healthcare, binding covered entities and their business associates to strict use-and-disclosure limits and, since the 2009 HITECH Act, breach-notification obligations. Source: U.S. Department of Health and Human Services
October 1986: Congress enacted ECPA (Pub. L. 99-508), extending federal wiretapping prohibitions to electronic communications and creating the Stored Communications Act (SCA), which governs government access to stored emails and cloud data. ECPA established the original digital-era privacy framework for government surveillance of electronic communications and remains in force, though it is widely criticized as outdated for modern cloud and mobile data. Source: Congress.gov
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources cited above.