U.S. Data Privacy Protection Laws: A Comprehensive Guide
In April 2025, the Federal Trade Commission (FTC) issued its final updates to the Children’s Online Privacy Protection Act (COPPA) rules, which became effective on 23 June 2025. On 19 December 2025, the New York Governor signed the Responsible AI Safety and Education Act (the “RAISE Act”) into law, amending the version that was originally passed by the state legislature in June. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) establishes new obligations for organisations that develop or deploy artificial intelligence systems in Texas, including private entities and government bodies.
In addition, many of these regulators are seeking more onerous operational penalties on organisations, restricting the types of data they can collect and what they can do with certain data, beyond what the statutes themselves require. Recently, state-level enforcement, beginning with California and reaching new highs in Texas, has significantly increased the breadth and scope of enforcement in the US. Privacy laws are usually civil in nature, however, so these actions usually follow the local procedural rules. This guidance often provides “safe harbour” rules under which, if followed, the regulator will not pursue any actions.
- The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.
- The General Data Protection Regulation, or GDPR, defines the data subject as a natural person in the EU.
- California Consumer Privacy Act (CCPA): similar 45-day deadlines appear in most state privacy laws, though the extension rules vary.
- 3.2 Do the data protection laws in your jurisdiction carve out certain processing activities from their material scope?
- Plaintiffs’ attorneys argue that chatbots are essentially serving the function of a “secret” wiretap that allows third parties to listen in on conversations without users’ consent.
The majority reasoned that law enforcement officials had not conducted a “search” for purposes of the Fourth Amendment because Chatrie could not reasonably expect two hours’ worth of location data, which he had voluntarily allowed Google to have, to be kept private. He made off with nearly $200,000, but law enforcement officials did not have any leads until they served Google with a geofence warrant, which directed the tech company to provide location data for cellphone users who were near the bank at the time of the robbery. Writing for the majority, Justice Elena Kagan emphasized that “an individual has a reasonable expectation of privacy in records about his cell phone’s location, and police intrude on that constitutionally protected interest when they demand the information—even though for only a limited time, and from a third-party tech company.”
- The settlement also prohibits the company from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition, effectively banning the company from engaging in these types of data transmissions.
- Illinois BIPA is the most significant, providing a private right of action with damages of $1,000 to $5,000 per violation.
- In December 2024, the Texas Attorney General (which, in a press release, described Texas as leading the nation in privacy enforcement) brought suits against 14 organisations for alleged violations of the Texas Data Privacy and Security Act (TDPSA) and the Texas Securing Children Online Through Parental Involvement (SCOPE) Act, among other laws.
- The consequences of noncompliance with GDPR are administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
What are data privacy laws and regulations?
In practice, the CNY 10 million cap is reserved for CIIOs where violations cause particularly serious harm. For standard violations by non-CIIO network operators, the previous ceiling of CNY 100,000 rose to CNY 500,000 for general violations and CNY 2 million for serious violations. For network operators that fail to fulfill cybersecurity obligations where violations cause “particularly serious consequences,” the maximum fine increases to CNY 10 million for the organization and CNY 1 million for directly responsible individuals. The CAC issues implementing regulations, conducts investigations, levies fines, and has the authority to order the suspension or shutdown of non-compliant applications and services. It establishes legal bases for processing, individual rights, consent requirements, cross-border transfer rules, and the compliance audit framework.
California’s Privacy Protection Agency has proposed rules that would require businesses to provide opt-out mechanisms for automated decision-making in contexts like job applicant screening, student evaluation, and behavioral advertising. As businesses increasingly use algorithms and artificial intelligence to make decisions about people, privacy law is starting to catch up. Data brokers are businesses that collect and sell personal information about people with whom they have no direct relationship. Hoarding data “just in case” is exactly the pattern these laws are designed to discourage, because every extra data point a company stores is another data point that can be stolen in a breach.
“This new privacy law will help protect consumers from imminent harm to their safety, autonomy, and finances by making it harder to stalk people, steal their identity, or engage in hyper-targeted marketing for scams. SB 4 also provides some protections for other technologies, like facial recognition technology and license plate readers, by imposing new safeguards on their use. Beginning in July, the CTDPA’s applicability threshold will drop from 100,000 to 35,000 Connecticut consumers, and the law will also extend to businesses that process sensitive data or offer personal data for sale, regardless of size.
What are the new cookie rules under the DUAA 2025?
- 19.2 What guidance (if any) has/have the data protection authority(ies) issued in relation to the processing of personal data in connection with artificial intelligence?
- 18.2 What guidance has/have the data protection authority(ies) issued on disclosure of personal data to foreign law enforcement or governmental bodies?
In addition, under the Clarifying Lawful Overseas Use of Data Act, businesses may also receive requests for electronic communications, including personal data within their possession, custody or control, directly from foreign governments and agencies that maintain agreements with the U.S., without regard to where the business stores such data.
Federal Data Privacy Laws
Second, based on that list of 19 accounts, the government asked for additional information about nine accounts that were in the area during a two-hour period. Like most consumer protection laws, a state’s privacy laws apply based on the residency of the consumers whose data is collected, processed, or disclosed. During 2024, seven states passed comprehensive privacy laws, bringing the total number of states with comprehensive privacy laws to 20. That same year, lawsuits related to online privacy skyrocketed, with nearly 4,000 cases filed in 2024, up from just over 200 cases filed in 2023, alongside countless additional claims asserted through demand letters and arbitration. The regulations went into effect on 1 January 2026; however, companies still have some additional time to comply with the new requirements. The DOJ Rule defines sensitive personal data broadly and sets relatively low volume thresholds, meaning that routine online or commercial data collection activities may fall within scope.
HIPAA Security Rule
- California’s $1.55 million settlement for CCPA violations, following enforcement action by the state attorney general.
In addition to privacy requirements, effective compliance strategies must also address data security laws, which mandate specific security measures and breach notifications. Sensitive personal information, such as biometric data and health information, receives stronger protections. California enforces these laws through regulators and private rights of action in data breach cases. Each state privacy law contributes to a growing patchwork of requirements, with varying scopes, enforcement mechanisms, and rights for individuals.
COPPA seeks to protect children under 13 from online predation, and imposes strict rules on how the data of these children is handled. Even mobile health apps and cloud storage services need to comply with HIPAA if they store any identifiable data (like your date of birth). This is a far-reaching law that prevents your protected health information (PHI) from being shared by a medical institution without your consent. The GLBA states that all financial institutions must fully disclose how they handle and share the data of customers.
Other State Data Privacy Laws
Whether you need to assess how the bill’s provisions apply to your business, shape your organization’s position in the legislative process, or get ahead of compliance requirements before enactment, now is the time to act. Consumer advocates resist preemption that would lower existing state protections. State attorneys general would retain authority to enforce the federal standard, preserving existing enforcement infrastructure while eliminating the need for 50 separate compliance programs. The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests.