U.S. data privacy protection laws: 2026 guide

data privacy laws

The Regional Court of Leipzig in Germany ruled Friday that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR). Dutch officials called the data sharing “undesirable,” but they’re stuck with the same American tech giants they’re trying to regulate. It’s like having a Swiss bank account that Switzerland can’t actually protect from foreign governments. It does not capture Attorney General guidance, regulatory interpretations, or case law that may affect how these statutes are applied in practice.

Information Security Trainer, The New York Times

Under HIPAA guidelines, covered entities must comply with an individual’s right to see and correct their health information, and covered entities cannot use or share health information without the individual’s written consent. Other institutions not considered covered entities that handle health information, like schools and employers, are not subject to HIPAA regulation but may be regulated by other laws.

  • Publish clear privacy policies.
  • Limit data collection to necessary information.
  • Implement reasonable security measures.
  • Comply with legal obligations when processing personal data.
  • Process consumer requests within deadlines.
  • Verify identities to prevent fraud.

Which Modern U.S. State Privacy Laws Are Considered Comprehensive?

A federal bill would have to resolve whether it would preempt state laws or include a private right of action, which would allow individuals and organizations to sue over violations, even in the absence of regulatory enforcement, Levine said. In 2025, for the first time in five years, the United States saw a leveling out of state comprehensive privacy laws. While laws in eight states took effect in 2025 and laws in three more states took effect on January 1, 2026, state legislatures failed to enact any new comprehensive privacy legislation. Despite there not being any net-new laws on the immediate horizon, businesses should still take note – states now turn their focus to refining and enforcing existing laws.

The Future of US Privacy Regulation

Any major changes to the functionality of an AI system necessitate a renewed PIA or DPIA. For a country whose courts have long recognised privacy as a fundamental right as shown in the Lahore High Court in M.D. Tahir v State Bank of Pakistan held that unauthorised collection of personal data was an “extraordinary invasion” of liberty.

AML Identity Verification: How It Works and Why Compliance Depends on It

As founder and director, Kevin draws on his 25 years of law enforcement, military, cyber and national security, privacy law, business, higher education, and teaching experience to deliver a world-class program in Cybersecurity, Risk, and Governance. The CLOUD Act permits U.S. authorities to compel the production of data that is within the “possession, custody or control” of a covered entity. A covered entity includes U.S.-based companies and foreign companies subject to U.S. jurisdiction. A covered entity may also be a foreign subsidiary of a U.S. parent company, where the parent exercises substantial control over the subsidiary’s operations and retains sufficient possession, custody, or control over the data. In a nutshell, a U.S. company, or a foreign subsidiary operating under U.S. control, may be compelled to produce data even if that data is stored in Canada. Each new state law arrives with its own definitions, consumer rights, and enforcement mechanisms, and privacy teams have spent years reconciling them.

Business

These acts, including the Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, are significant in shaping the evolving US privacy landscape and establishing new standards for data protection compliance.

  • Knowing what personal information is collected.
  • Deleting personal information.
  • Correcting inaccurate data.
  • Opting out of the sale or sharing of personal data.

Comprehensive legal information about recording laws, consent requirements, and various state and federal laws across the United States and internationally. Our students have a local chapter of ISACA, which connects students with opportunities in cybersecurity, information systems and technology, and business management.

  • Washington HB 1493 covers biometric identifiers except facial geometry and is enforced under the Consumer Protection Act.
  • Meanwhile, every smartphone app is quietly sharing location data, health metrics, and browsing history with dozens of third parties.
  • The Minnesota Consumer Data Privacy Act went into effect on July 1, 2025, and addresses how consumers can access, correct and delete their data, opt out of targeted advertising, and obtain information about which third parties their data has been sold to.
  • “We would recommend taking those actions and advocating to your state and federal representatives to pass strong consumer privacy laws,” she added, “as this is just the first example of a company like this with tremendous amounts of sensitive data being bought or sold.”
  • It does not capture Attorney General guidance, regulatory interpretations, or case law that may affect how these statutes are applied in practice.

Vice President & Cyber Risk Analyst, Morgan Stanley

Texas CUBI (Bus. & Com. Code Ch. 503) carries penalties up to $25,000 per violation but is enforced only by the attorney general. The Texas AG secured a $1.4 billion settlement with Meta for biometric data violations in 2024. Washington HB 1493 covers biometric identifiers except facial geometry and is enforced under the Consumer Protection Act. The American Privacy Rights Act (APRA) was the most recent attempt at a comprehensive federal privacy law. It passed a House subcommittee in May 2024 but was never brought to a full committee vote.

The Nebraska Data Privacy Act (NDPA) comes into effect less than nine months after being signed into law by the governor, for example. Let’s look at a comparison of the U.S. data privacy laws at the state level and what they mean for businesses and consumers. Businesses should prepare flexible privacy programs to meet evolving requirements and maintain consumer trust. Online services, in particular, have obligations to comply with both US and international privacy standards when handling personal data across borders.
