The internet developed faster than the law could respond. In the early 1990s, when the commercial web emerged, no legal framework existed for digital privacy. Users and companies improvised norms without regulation. The results — massive data collection, no consent mechanisms, and rampant surveillance — prompted three decades of legislative attempts to catch up with technology. Here is a timeline of how internet privacy law evolved.
The First Wave: 1996–2003
The Electronic Communications Privacy Act (ECPA) of 1986 — predating the web — governed wiretapping. While technically applicable to internet communications, its 180-day rule (messages older than 180 days could be accessed without a warrant) became increasingly absurd as email volumes grew. The Children's Online Privacy Protection Act (COPPA, 1998) created the first meaningful online privacy protections, requiring verifiable parental consent before collecting data on children under 13. It established the template of consent-based data collection that later regulations would expand.
The Middle Period: 2003–2016
The CAN-SPAM Act (2003) targeted commercial email spam. The California Online Privacy Protection Act (CalOPPA, 2004) required websites with California users to post a privacy policy — the first US state privacy law. But federal legislation lagged. The FTC served as a primary privacy regulator, bringing enforcement actions under "unfair and deceptive practices" rather than specific privacy statutes. Between 2010 and 2016, the FTC brought over 100 privacy-related enforcement actions, mostly against companies that violated their own privacy policies; these actions held companies to their existing promises rather than creating new rights.
GDPR: The Global Standard Setter
The General Data Protection Regulation (GDPR), effective May 25, 2018, transformed global privacy law. For the first time, a major jurisdiction created comprehensive rights for individuals — not just obligations for companies. The regulation's extraterritorial scope (applying to any company handling EU citizen data) gave it global reach. Total GDPR fines exceeded €4 billion by 2023, with Meta (€1.2 billion), Amazon (€746 million), and WhatsApp (€225 million) among the largest recipients.
The US State Privacy Patchwork
Without a federal US privacy law, states have enacted their own: California's CCPA (2020) and CPRA (2023), Virginia's VCDPA (2023), Colorado's CPA (2023), and over a dozen others. The result is a complex compliance landscape that favors large corporations capable of navigating multiple regulatory regimes over smaller privacy-first competitors. As of 2026, federal privacy legislation remains stalled in Congress — a reflection of the ongoing tension between industry lobbying and consumer protection interests.