Lawmakers seek to override state data privacy laws with new bill

While most companies can appoint either a privacy officer or a data officer, large data holders must designate both and meet additional requirements, such as filing with the FTC annually. Companies are not required to create a standalone position but can add these responsibilities to an existing role. The Act would limit collection to what is “adequate, relevant, and reasonably necessary in relation to each purpose for which the data is processed as disclosed to the consumer,” curbing excessive collection and unanticipated secondary uses. Iowa, Tennessee, and Utah’s data privacy laws are considered the most business-friendly.

Co-founder Anne Wojcicki also has stepped down as CEO, and said in a post on X she hopes to purchase the company herself. The board rejected an offer she made earlier this month, according to a press release. Since our 2023 article, Beijing has issued a rapid cadence of Q&As, sector‑specific guidelines, and enforcement notices. The timeline below distils those headline changes and highlights who gets hit hardest and why. Such a lawsuit could conceivably include all German visitors to any site using Meta pixels or other tracking technologies without user consent, he said.

What does the California Privacy Rights Act protect?

Because of COPPA’s limits on data collection for children, some companies (notably, social media sites like Facebook and Twitter) require their users to verify they are 13 years of age or older when signing up. There is a growing trend toward enacting data privacy laws at the state level, with legislation granting consumers rights over their personal data and setting requirements for how organisations process consumer data.

  • Transparency about data collection.
  • Data security requirements.
  • Consumer rights requests.
  • Opt-in consent for sensitive personal data.
  • Data protection assessments for high-risk processing.

SECURE Data Act: U.S. House Introduces New National Privacy Framework

  • Specific entities are excluded from the legislation, including small businesses, governments, entities working on behalf of governments and the National Center for Missing and Exploited Children (NCMEC).
  • Note pursuant to the NYS Information Security Policy NYS-P03-002, state entities are also required to notify non-residents if their private information was exposed.
  • Only California provides a private right of action under its data privacy law, and it is limited to data breach situations (not general privacy violations).
  • The map tracks the status of statutes and bills that are enacted or in the legislative process.
  • The SECURE Data Act 2026 and GUARD Financial Data Act were introduced on April 22, 2026.

By contrast, if a Canadian subsidiary operates under the direct control of a U.S. parent company, such as via integrated systems or shared management, U.S. lawful access requirements may still apply, regardless of the physical location of the data. This BLG Insight examines the legal and practical dimensions of data sovereignty, including the impact of U.S. lawful access laws, and offers guidance on how Canadian organizations can assess and manage these risks. While often framed as a question of where data is stored, data sovereignty is better understood as a question of control, which is shaped by legal jurisdiction, corporate structure, and service provider relationships. As reliance on cloud computing and AI services grows, and as tensions between Canada and the United States sharpen policy debates around cross-border data flows, organizations are being forced to reassess long-standing assumptions about data residency, risk, and compliance. The Trump administration hasn’t indicated it wants new security requirements specific to data centers—meaning tech giants would continue to shape security best practices. “We would recommend taking those actions and advocating to your state and federal representatives to pass strong consumer privacy laws,” she added, “as this is just the first example of a company like this with tremendous amounts of sensitive data being bought or sold.”

  • Bari, who previously worked on health IT issues at the CMS’ Innovation Center, said federal agencies often announce enforcement priorities, but fail to follow through.
  • Nine of the states listed above with existing comprehensive privacy laws on the books amended their laws in 2025 to include different and additional provisions.
  • But heightened risks should prompt them to ramp up their training and pressure-test their disaster management plans if data centers were to go down, industry insiders said.
  • In January 2027, the California Opt Me Out Act will go into effect, enabling consumers to easily tell websites not to sell or share their personal information.

AI operators should inform individuals about data collection and their rights in a clear, concise and easily accessible manner. At a high level, the purposes of processing, retention periods and people with whom personal information will be shared are the minimum categories of privacy-related information that should be disclosed. As the CNIL notes in its guidance, individuals should also be made aware when they are interacting with a machine. In Europe or North America, data breaches of this scale would prompt heavy fines, mandatory notifications and immediate consumer remedies. As one commentator concluded, “Data protection is not a luxury, it is a necessity.”

Who Is the Enforcement Authority in U.S. States with Data Privacy Laws?

In the continued absence of a comprehensive federal statute on privacy, states are advancing their own approaches to govern the collection and use of consumer personal data. The result is a growing patchwork of state privacy laws across the United States that vary in scope, enforcement, and legal standard. The Biden administration attempted to expand some oversight over health information by requiring vendors of personal health records and related entities to notify consumers of data breaches involving unsecured information. In 2023, GoodRx was the first company fined by the Federal Trade Commission for failing to notify users after sharing sensitive health data with platforms like Facebook and Google for advertising. On 21 April 2026, House Republicans released the SECURE Data Act (H.R. 8413) (the Act), the most comprehensive attempt yet to create a national data privacy standard. Paired with the GUARD Financial Data Act (H.R. 8398), which covers financial institutions under the Gramm-Leach-Bliley Act, the two bills aim to eliminate gaps and overlaps in consumer data protection across the entire economy.

Health Insurance Portability and Accountability Act (HIPAA)

Opt-in consent means that in most cases a business or other organization must obtain informed, valid consent from users and customers (data subjects) before collecting or processing their personal data. Opt out consent means that in most cases a business can collect and use data subjects’ personal data without requiring consent. Even if penalties and fines are manageable in the wake of a breach, customer trust once lost is nearly impossible to regain, with reputational harm exceeding legal liability. That’s why organizations handling data should consider adopting a culture of compliance.

Explore the interactive dashboard above or download the full report to see complete responses for each state, including links to official code sections and the latest legislative amending instruments. 20 states (39%) specify numeric deadlines for consumer notification, ranging from 30 to 60 days. The remaining 31 states use qualitative language such as “without unreasonable delay.”

If a bill does not appear, it does not qualify due to its scope, coverage or rights. Industry-specific, information-specific and narrowly scoped bills, e.g., data security bills, are not included. The IAPP published an article outlining its current stance concerning which state privacy laws are considered comprehensive.

Media Services

The answer depends on your circumstances, but privacy reform is generally moving toward covering more businesses and increasing expectations for everyone who handles personal information. Regulators and customers increasingly expect you to take practical steps to protect data – and to show you’ve done it. It’s to make sure your business is collecting and using information in a way that is fair, secure, and properly disclosed.

Risk Scenarios for the US’s Strategic Pivot

GDPR requires a lawful basis for all data processing and applies to all organizations, while CCPA applies only to for-profit businesses meeting revenue or data volume thresholds. GDPR grants a broader right to erasure and requires Data Protection Officers, while CCPA uniquely provides an opt-out of the “sale” and “sharing” of personal information. GDPR penalties reach up to 4% of global revenue; CCPA penalties top out at roughly $7,988 per violation.
