Data Privacy • US Regulatory Policy • March 2026
In This Article
01. The Problem: America’s Privacy Patchwork
02. The Current Legal Landscape
03. The American Privacy Rights Act: So Close, Yet So Far
04. The Global Context: How the World Has Moved On
05. The AI Dimension: Why Reform Is Now Urgent
The Problem: America’s Privacy Patchwork
In March 2026, the United States remains the only major advanced economy without a comprehensive federal data protection law. While the European Union has its GDPR, India has enacted the DPDPA 2023, and jurisdictions from Brazil to Japan to South Korea have adopted unified privacy frameworks, America continues to rely on a fragmented patchwork of sector-specific statutes, overlapping state laws, and an enforcement regime that even its own regulators acknowledge is inadequate.
This is not a new observation. In January 2018, the Council on Foreign Relations published a landmark report by Nuala O’Connor titled “Reforming the U.S. Approach to Data Protection and Privacy” that called for Congress to create a single legislative data-protection mandate. Eight years later, that call remains unanswered — and the stakes have only grown higher with the explosion of artificial intelligence, large-scale data breaches, and the global trade implications of America’s privacy gap.
The Current Legal Landscape
The United States governs personal data through a collection of sector-specific federal laws, each covering a narrow slice of the data ecosystem:
| Law | What It Covers | What It Misses |
|---|---|---|
| HIPAA | Health information held by “covered entities” | Health data in fitness apps, wearables, consumer platforms |
| GLBA | Financial data held by banks and insurers | Fintech apps, cryptocurrency platforms, payment processors |
| FERPA | Student education records | EdTech platforms, online tutoring, learning analytics |
| COPPA | Online data of children under 13 | Teenagers 13–17, the demographic most active online |
| FTC Act §5 | “Unfair and deceptive” data practices | No affirmative privacy rights; limited jurisdiction; companies pushing back on FTC authority |
Layered on top of this are state-level privacy laws that have proliferated in the absence of federal action. As of March 2026, over a dozen states have enacted comprehensive privacy statutes, led by California’s CCPA/CPRA, followed by Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, and Delaware. Each has different definitions, thresholds, rights, and enforcement mechanisms. A company operating in all 50 states faces a compliance maze that is expensive, contradictory, and practically unnavigable for small and medium-sized businesses.
The Scale of the Problem
As of January 2026, 741 AI-related bills have been introduced across 30 US state legislatures. Combined with existing privacy laws, data breach notification statutes in 48 states, and sector-specific federal regulations, American businesses face an unprecedented regulatory patchwork with no unified framework to rationalise it.
The American Privacy Rights Act: So Close, Yet So Far
The most significant attempt to resolve this patchwork was the American Privacy Rights Act (APRA), a bipartisan bill introduced in April 2024 by Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA). The APRA was widely described as the best chance Congress had ever had to pass comprehensive privacy legislation.
The bill proposed to establish uniform privacy rights for all Americans, including the rights to access, correct, delete, and port personal data and to opt out of targeted advertising and data sales; to require data minimisation; to mandate algorithmic transparency for “consequential decisions” (employment, credit, housing, insurance); to create a private right of action allowing individuals to sue companies for privacy violations; and to be enforced by the FTC, state attorneys general, and individual citizens.
However, the bill ran into the same obstacles that have killed every prior attempt at comprehensive US privacy legislation. Republicans objected to the private right of action, fearing a wave of litigation. California resisted preemption of its stronger CCPA protections. Industry lobbied against data minimisation requirements. After a controversial June 2024 revision that removed civil rights protections, many privacy advocacy organisations withdrew their support, and the markup session was cancelled.
The APRA expired in January 2025 at the end of the 118th Congress and has not been reintroduced as of March 2026. America’s best chance at comprehensive privacy legislation is, for now, dead.
The Core Sticking Points
Three issues have blocked every US federal privacy bill: preemption (whether the federal law overrides stronger state laws like California’s CCPA), private right of action (whether individuals can sue companies directly), and enforcement resources (whether the FTC has sufficient capacity to police the entire data economy). Until Congress resolves these three structural disagreements, comprehensive federal privacy legislation will remain elusive.
The Global Context: How the World Has Moved On
While the US debates, the rest of the world has acted. The divergence between America’s patchwork approach and the comprehensive frameworks adopted elsewhere is now a structural disadvantage for US businesses and citizens alike.
| Jurisdiction | Framework | Key Feature |
|---|---|---|
| European Union | GDPR (2018) | Fines up to 4% of global revenue; right to erasure; DPO requirement |
| India | DPDPA 2023 | Consent-based; data fiduciary obligations; cross-border transfer rules; up to ₹250 crore penalty |
| Brazil | LGPD (2020) | GDPR-inspired; dedicated data protection authority (ANPD) |
| United Kingdom | UK DPA 2018 + Data (Use and Access) Act 2025 | Post-Brexit reform maintaining GDPR adequacy while adding flexibility |
| United States | No comprehensive federal law | Patchwork of HIPAA, GLBA, FERPA, COPPA, FTC Act + 12+ state laws |
This puts the US at a disadvantage in international data flows. The EU has repeatedly questioned whether US data protection is “adequate” for transatlantic transfers, leading to the collapse of Safe Harbor, the invalidation of Privacy Shield, and the current EU-US Data Privacy Framework that many experts believe is vulnerable to legal challenge. Countries like Canada, Japan, and South Korea have aligned their frameworks with the GDPR model rather than the American patchwork, further isolating the US.
The AI Dimension: Why Reform Is Now Urgent
The CFR report was published in 2018, before the current AI revolution. Since then, the case for comprehensive reform has become dramatically more urgent. Large language models are trained on billions of data points about individuals. Algorithmic decision-making now determines who gets hired, who receives credit, who is flagged by law enforcement, and who sees which news. Data brokers operate in a regulatory vacuum, compiling and selling detailed profiles on hundreds of millions of Americans with virtually no federal oversight.
None of the existing sector-specific laws were designed for this reality. HIPAA does not cover health data in fitness apps. FERPA does not cover AI tutoring platforms. COPPA does not cover teenagers. The FTC’s “unfair practices” authority was not designed to regulate algorithmic bias or AI training data. Without comprehensive legislation, the AI revolution is proceeding on a foundation of inadequate data governance — a structural risk that grows with every passing month.
Implications for International Businesses
For companies operating in the US: The absence of a federal standard means compliance with a growing maze of state laws, each with different requirements. Businesses must track legislative developments in every state where they have customers — an operational burden that disproportionately affects smaller firms.
For companies transferring data to/from the US: The EU-US Data Privacy Framework currently enables transatlantic data flows, but its legal foundation remains contested. Companies relying on this framework should have contingency plans for an alternative transfer mechanism.
For Indian companies with US operations: Indian IT services firms, SaaS providers, and BPO companies processing US-origin personal data must navigate both India’s DPDPA 2023 and the relevant US state laws — a dual compliance burden that will only be resolved when Congress acts.
Juris Altus Insight
The convergence of AI regulation and data privacy is creating a new category of legal risk that sits at the intersection of technology law, constitutional rights, and international trade. Organisations that invest now in cross-jurisdictional compliance frameworks will be better positioned when — not if — the US eventually adopts comprehensive legislation.
How Juris Altus Can Help
We advise multinational corporations, technology companies, and professional services firms on navigating the intersection of US, EU, Indian, and UK data protection requirements.
• US state privacy law compliance
• GDPR & DPDPA 2023 advisory
• Cross-border data transfer frameworks
• AI governance & algorithmic compliance
• Data breach response
• Privacy policy & DPA drafting
Ravinder Singh Dhull
Advocate, Punjab & Haryana High Court (Bar No. P-991/2003) | Founding Partner, M & D Law Associates LLP | Former Additional Advocate General of Haryana | Architect of the LexPatra and Juris Altus legal technology platforms.
This article is for informational purposes only and does not constitute legal advice. The CFR report referenced herein is available at cfr.org. For specific guidance on US data privacy compliance, consult qualified regulatory counsel in the relevant jurisdiction.