Consumer Data Rights in the United States

Consumer data rights define the legal entitlements individuals hold over personal information collected, processed, or sold by businesses operating in the United States. These rights span access, correction, deletion, portability, and the ability to opt out of certain data uses — each governed by a patchwork of federal statutes and, increasingly, state-level comprehensive privacy laws. The absence of a single federal omnibus privacy statute means the operative rights, their scope, and their enforcement vary substantially depending on jurisdiction, industry sector, and the type of data involved.

Definition and scope

Consumer data rights are legal mechanisms that grant individuals control over how their personal information is handled by private entities and, in some contexts, government actors. At the federal level, sector-specific statutes define rights within bounded domains: the Health Insurance Portability and Accountability Act (HIPAA) governs protected health information, the Gramm-Leach-Bliley Act (GLBA) governs financial data held by covered institutions, and the Children's Online Privacy Protection Act (COPPA) establishes parental consent rights for data collected from children under 13.

State-level comprehensive laws extend rights beyond these sectoral silos. California's Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), is the most expansive — it grants California residents six enumerated rights over personal information (California Attorney General, CCPA). As of 2024, at least 20 states have enacted comprehensive consumer privacy legislation with overlapping but non-identical right structures (International Association of Privacy Professionals, State Privacy Legislation Tracker).

The scope of covered entities and covered data defines which rights apply in a given situation. Most state frameworks exclude nonprofits, government bodies, small businesses below defined revenue or data-volume thresholds, and data already governed by HIPAA or GLBA. Understanding these coverage thresholds and data classifications is essential for determining which rights are operative.

How it works

Consumer data rights operate through a request-and-response mechanism that places affirmative obligations on data controllers — the businesses that determine the purposes and means of processing personal data.

The standard process follows this structure:

  1. Identification of rights: The consumer determines which statutory rights apply based on their state of residence and the category of data at issue.
  2. Submission of a Data Subject Access Request (DSAR): The consumer submits a verifiable request to the business through a designated channel. Most state laws require businesses to provide at least two methods of submission.
  3. Identity verification: The business must verify the requestor's identity without collecting more information than necessary to complete the verification.
  4. Response timeframe: Under the CCPA/CPRA, businesses must respond within 45 days, with a single 45-day extension permitted when reasonably necessary (California Civil Code §1798.100). Virginia's Consumer Data Protection Act (CDPA) sets a 45-day initial response period with a 45-day extension (Virginia Code §59.1-578).
  5. Fulfillment or denial: The business fulfills the request, applies a lawful exemption, or denies with a stated reason — and must provide an appeals pathway under most state frameworks.
  6. Appeal and enforcement: Denied requests may be appealed internally; unresolved disputes may be escalated to state attorneys general or, where authorized, through a private right of action.

The DSAR process varies by right type. Deletion requests carry additional complexity because they may trigger obligations to notify downstream processors and service providers. Portability requests require data to be delivered in a structured, commonly used, machine-readable format.

Common scenarios

Access requests: A consumer requests a copy of all personal information a retailer holds about them. The retailer must disclose the categories of data collected, the sources, the business purpose, and the third parties with whom data was shared.

Opt-out of sale or sharing: Under CCPA/CPRA, consumers may direct businesses not to sell or share their personal information with third parties for cross-context behavioral advertising. Businesses that receive opt-out signals — including browser-based Global Privacy Control (GPC) signals — are required to honor them (California Privacy Protection Agency, GPC Guidance).

Correction of inaccurate data: If a consumer identifies incorrect personal information, they may request correction. This right is present in the CPRA, Virginia CDPA, Colorado Privacy Act, and Connecticut Data Privacy Act, among others.

Right to deletion: A consumer requests that a business delete personal information collected about them. Certain exemptions apply — for example, data needed to complete a transaction, detect security incidents, or comply with a legal obligation. The mechanics of right-to-deletion requirements differ materially between state frameworks.

Opt-out of automated decision-making: Several state laws, including Colorado's and Connecticut's, provide rights to opt out of profiling used to make decisions with legal or similarly significant effects. This intersects directly with governance obligations for AI and automated decision-making.

Decision boundaries

Not all data rights apply uniformly, and professionals navigating this landscape must distinguish between framework types:

CCPA/CPRA vs. Virginia CDPA: California's framework applies to for-profit businesses meeting revenue or data-volume thresholds and includes a limited private right of action for data breaches. Virginia's CDPA covers controllers that process data of 100,000 or more consumers annually and assigns enforcement exclusively to the Attorney General — no private right of action exists.

Sensitive data categories: Sensitive data, which includes biometric identifiers, precise geolocation, health data outside HIPAA, and racial or ethnic origin, typically triggers heightened handling obligations, including opt-in consent rather than opt-out mechanisms.

Federal preemption boundaries: Sector-specific federal statutes preempt state consumer rights where the two conflict directly. A consumer whose health data is governed by HIPAA cannot invoke CCPA deletion rights for that same data in most circumstances — HIPAA's framework applies instead.

Enforcement authority: The Federal Trade Commission retains authority to pursue unfair or deceptive acts related to privacy under Section 5 of the FTC Act (FTC Privacy Enforcement), independent of state-level rights frameworks. The variation among state privacy laws across jurisdictions reflects the non-uniform enforcement posture that professionals and organizations must account for when building compliance programs.
