In recent years, U.S. data privacy laws have undergone significant transformations, particularly in enhancing Data Subject Access Rights (DSARs), including the right of individuals to access, modify, or delete their personal data. However, these rights didn’t always exist as they do today. To better understand the current privacy landscape, it’s essential to explore the evolution of DSARs, the obligations they place on businesses, and their impact on consumers.
1995–2000: Early Foundations of U.S. Data Privacy Regulations
Between 1995 and 2000, the U.S. lacked comprehensive federal privacy laws, but a few sector-specific regulations laid the groundwork for DSARs:
- 1996 – Health Insurance Portability and Accountability Act (HIPAA): HIPAA gave patients the right to access and amend their medical records, setting a precedent for DSARs in the healthcare industry.
- 1998 – Children’s Online Privacy Protection Act (COPPA): COPPA required parental consent and granted parents the right to review or delete their child’s online information.
- 2003 – Fair Credit Reporting Act (FCRA) Amendments: Updates to the FCRA reinforced consumers’ rights to access and dispute credit report data.
At this stage, DSARs were limited to healthcare, credit, and children’s data, with no broad consumer protections.
2000–2010: Increasing Awareness and Initial Consumer Rights
The early 2000s saw growing awareness of digital privacy but no overarching federal law addressing DSARs. However, a few significant developments occurred:
- 2003 – California’s Shine the Light Law: This law granted California residents the right to request information on how their personal data was shared with regard to direct marketing.
- 2009 – Health Information Technology for Economic and Clinical Health Act (HITECH): HITECH expanded HIPAA’s provisions by allowing individuals to request digital copies of their health information.
While these laws increased access rights, they remained narrowly focused on specific industries or state jurisdictions.
2010–2018: Rise of Consumer Privacy and Transparency
This period marked a pivotal shift toward consumer privacy rights and enhanced transparency:
- 2014 – Expansion of Shine the Light Law: In 2014, California strengthened its consumer privacy laws by expanding the Shine the Light Law. The amendment required businesses that shared customer information with third parties for direct marketing to provide consumers with an opt-out mechanism, disclose the types of information shared, and identify the third parties involved. The expansion also mandated clearer privacy policies and increased enforcement, paving the way for more robust DSARs and influencing future legislation like the California Consumer Privacy Act (CCPA).
- 2016 – EU’s General Data Protection Regulation (GDPR): Although not a U.S. law, the extraterritorial scope of the GDPR influenced global U.S. companies by introducing DSARs, including the right to access, modify, and delete personal data.
- 2018 – California Consumer Privacy Act (CCPA): Modeled after the GDPR, the CCPA granted California residents the right to know, delete, and opt out of the sale of their personal information.
By 2018, California had emerged as the leader in U.S. data privacy legislation, though most other states had yet to implement similar protections.
2018–Present: Expansion of State Privacy Laws and DSARs
Following the CCPA’s success, several states introduced their own privacy laws, creating a patchwork of regulations across the country:
- 2020 – California Privacy Rights Act (CPRA): The CPRA amended the CCPA by introducing correction rights and strengthening enforcement mechanisms.
- 2021 – Virginia Consumer Data Protection Act (VCDPA): The VCDPA gave Virginia residents rights to access, correct, delete, and opt out of data processing.
- 2023 – Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA): These laws mirrored the CCPA and VCDPA, expanding DSARs to residents in those states.
- 2023 – Utah Consumer Privacy Act (UCPA): UCPA granted basic DSARs such as the right to access and delete data, though with fewer provisions than other state laws.
- 2025 – Anticipated Developments: States like New Jersey, Oregon, and Montana are considering privacy laws that could further standardize DSARs nationwide.
The Current Landscape: Fragmented Yet Evolving
Today, the U.S. operates under a fragmented data privacy framework where DSARs vary by state. While federal efforts such as the proposed American Data Privacy and Protection Act (ADPPA) aimed to establish a nationwide standard, no comprehensive federal law has been enacted yet. Consequently, many companies apply CCPA/CPRA-like DSAR provisions nationwide to ensure compliance and maintain consumer trust.
As U.S. data privacy laws continue to evolve, businesses must stay proactive to navigate these changing regulations and protect consumer data effectively.
As of March 2025, the U.S. data privacy landscape continues to evolve, with significant developments at both the federal and state levels affecting the data subject rights process. The framework remains fragmented, with businesses navigating a patchwork of state-specific regulations in the absence of a unified federal law.
While efforts like the American Privacy Rights Act (APRA) aimed to establish nationwide privacy standards, its failure to pass has left businesses relying on state laws like the California Privacy Rights Act (CPRA) and the Connecticut Data Privacy Act (CTDPA). Additionally, proposed COPPA modifications highlight the increasing focus on consumer rights, including data access, correction, deletion, and opt-out mechanisms.
With privacy regulations continuing to evolve, businesses must proactively assess their compliance strategies to mitigate legal risks and maintain consumer trust.
Federal Developments
- American Privacy Rights Act (APRA): Introduced in April 2024, APRA aimed to establish comprehensive federal data privacy standards, granting consumers rights to access, correct, delete, and transfer their personal data. It also provided the right to opt out of data sales, targeted advertising, and profiling, while prohibiting discrimination against those exercising their privacy rights. However, by June 2024, the bill faced opposition and was not enacted, leaving the U.S. without a unified federal data privacy law.
Looking Ahead
The U.S. is witnessing a fragmented approach to data privacy, with states enacting their own laws and regulations. Businesses must ask themselves: Are you providing consumers with the right to access, correct, and delete their personal data? Are you ensuring compliance with evolving privacy regulations? If you need consulting on whether your business meets these requirements, contact us today at info@curatedprivacy.com to ensure your business is fully compliant and avoid potential legal risks.