Consumer Data Rights in the United States
Consumer data rights in the United States define the legal entitlements individuals hold over personal information collected, processed, and shared by private and public entities. This page covers the regulatory framework governing those rights, the mechanisms through which they are exercised, the scenarios in which they most commonly arise, and the boundaries that determine which rules apply to a given situation. The absence of a single federal omnibus privacy statute means that enforcement responsibility is distributed across sector-specific laws, state-level frameworks, and multiple agencies — a structure that shapes how privacy professionals and researchers must navigate compliance obligations.
Definition and scope
Consumer data rights are legally enforceable claims that allow individuals to access, correct, delete, port, or restrict the processing of personal information held by a covered entity. In the United States, these rights are not unified under one statute. Instead, they emerge from a patchwork of laws calibrated by sector, data type, and geography.
At the federal level, sector-specific statutes define data rights for discrete contexts:
- Health information: The Health Insurance Portability and Accountability Act (HIPAA), administered by the U.S. Department of Health and Human Services (HHS), grants patients a right of access to protected health information under 45 C.F.R. § 164.524.
- Financial data: The Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) govern consumer financial information, with the Federal Trade Commission (FTC) enforcing FCRA dispute and access rights.
- Children's data: The Children's Online Privacy Protection Act (COPPA) restricts collection from children under 13 and grants parents rights to review and delete that information.
- Education records: The Family Educational Rights and Privacy Act (FERPA) gives parents and eligible students rights to inspect and amend education records held by institutions receiving federal funding.
At the state level, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive framework. Enforced by the California Privacy Protection Agency (CPPA), it grants California residents rights to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information. Colorado, Connecticut, Virginia, and Texas have enacted broadly similar omnibus statutes with overlapping but non-identical right structures.
How it works
The exercise of consumer data rights follows a defined procedural sequence governed by the applicable statute. The general structure across most frameworks includes the following phases:
- Verification: The covered entity must verify the identity of the requestor before acting on access, deletion, or correction requests — a requirement designed to prevent unauthorized disclosure.
- Acknowledgment: Upon receipt of a verifiable request, the entity must acknowledge receipt within a statutory window. Under the CCPA, that window is 10 business days (California Civil Code § 1798.130).
- Response: The substantive response — disclosure, deletion confirmation, or denial with reason — must be delivered within a second statutory period, typically 45 calendar days under CCPA, with a 45-day extension available if circumstances require.
- Appeals: Under state omnibus frameworks in Colorado, Connecticut, and Virginia, consumers have a right to appeal a denial, requiring a secondary internal review before external enforcement action becomes available.
- Enforcement: Regulators including the FTC, state attorneys general, and specialized bodies like the CPPA investigate violations and may impose civil penalties. California's CPRA sets a penalty ceiling of $7,500 per intentional violation (Cal. Civil Code § 1798.155).
The purpose and scope of privacy directories reflect this procedural complexity — professionals using such resources typically need to locate service providers with specific compliance competencies across these phases.
Common scenarios
Consumer data rights are invoked most frequently in four operational contexts:
Data access requests arise when a consumer asks a business to disclose what categories of personal information it holds and how that information is used. This is the most common request type under both HIPAA and CCPA frameworks.
Deletion requests are filed when a consumer seeks removal of personal data from a business's systems. Statutory exemptions — for fraud prevention, legal obligation compliance, or completing a transaction — mean not all deletion requests result in full erasure.
Opt-out of data sales is a right specific to state omnibus laws. California, Colorado, and Connecticut require covered businesses to honor opt-out requests transmitted via browser-based Global Privacy Control (GPC) signals; in California, that requirement is enforced by the CPPA.
Dispute and correction rights under the FCRA allow consumers to challenge inaccurate information in consumer reports. Credit reporting agencies must investigate disputes within 30 days under 15 U.S.C. § 1681i.
Decision boundaries
Determining which rights framework applies to a given data relationship requires resolving three threshold questions:
Jurisdiction: State omnibus laws apply only to residents of that state and only to businesses meeting threshold criteria. California's CPRA applies to businesses that earn over $25 million in annual gross revenue, handle personal information of 100,000 or more consumers or households, or derive 50% or more of annual revenue from selling personal information (Cal. Civil Code § 1798.140(d)).
Sector preemption: Federal sector-specific statutes may preempt or supplement state law. Health data covered by HIPAA is exempted from California's CCPA under § 1798.145(c). Financial data covered by GLBA's privacy provisions receives parallel treatment under § 1798.145(e).
Entity type contrast — controller vs. processor: State omnibus laws distinguish between controllers (entities that determine the purpose and means of processing) and processors (entities that process data on a controller's behalf). Processors bear obligations defined by contract with the controller, not direct statutory rights obligations to consumers. This distinction mirrors the approach established in the EU General Data Protection Regulation (GDPR) and has been adopted across the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).
Researchers and compliance professionals navigating these boundaries can reference the how to use this privacy resource page for guidance on locating relevant service providers.