How to Use This Privacy Resource
This page describes how the National Privacy Authority reference directory is structured, what it covers, and how its content relates to other authoritative sources in the privacy and cybersecurity compliance landscape. The directory addresses the US privacy regulatory environment — including federal statutes, state-level frameworks, and the professional service sector that serves organizations navigating these obligations. Understanding the scope and verification standards applied here helps professionals, researchers, and service seekers extract maximum value from the content.
Limitations and scope
The National Privacy Authority directory operates as a reference resource covering the US privacy and data protection service sector. It does not provide legal advice, constitute professional counsel, or substitute for consultation with licensed attorneys, certified privacy professionals, or compliance officers.
Content scope is bounded by the following parameters:
- Geographic jurisdiction: Coverage is limited to the United States national regulatory environment, including federal frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) (administered by HHS Office for Civil Rights), the Gramm-Leach-Bliley Act (FTC enforcement), the Children's Online Privacy Protection Act (COPPA) (16 C.F.R. Part 312), and the Federal Trade Commission Act Section 5 unfair or deceptive practices standard.
- State framework coverage: State comprehensive privacy laws — including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) as administered by the California Privacy Protection Agency, the Virginia Consumer Data Protection Act (CDPA), and analogous statutes in Colorado, Connecticut, and Texas — are referenced for classification and framing purposes only, not as legal interpretation.
- Sector scope: The directory maps the professional service landscape: privacy law firms, data protection officers, compliance consultancies, cybersecurity auditors, and credentialed privacy practitioners holding designations such as the IAPP's Certified Information Privacy Professional (CIPP/US) or ISACA's Certified Information Security Manager (CISM).
- Regulatory body references: Named enforcement agencies — the FTC, HHS OCR, state attorneys general, and the Consumer Financial Protection Bureau (CFPB) — are cited as structural facts based on their published statutory mandates, not as real-time enforcement status indicators.
The directory does not track active enforcement actions, pending rulemaking, or litigation outcomes. Regulatory landscapes change; any compliance decision requires verification against primary sources.
How to find specific topics
The directory is organized along two primary axes: regulatory framework and service category. A reader researching HIPAA compliance vendors will find those listings under a different classification than a researcher mapping state privacy law counsel.
The Privacy Listings section catalogs service providers and professionals by specialty area, with classification markers distinguishing between legal service providers, technical consultancies, and credentialing bodies. Cross-referencing that section against the regulatory framing content allows researchers to match service provider categories to the specific compliance frameworks their organization faces.
For readers establishing baseline context about what this directory covers and does not cover, the Privacy Directory Purpose and Scope page defines the structural parameters in greater depth — including how the Federal Trade Commission's broad unfair-and-deceptive-practices authority differs from sector-specific regimes like HIPAA's covered-entity framework or the GLBA's Safeguards Rule (16 C.F.R. Part 314).
Topic navigation follows this decision sequence:
- Identify the governing statute or regulatory body — HIPAA/HHS, GLBA/FTC, COPPA/FTC, state AG enforcement, or sector-specific (financial, health, education under FERPA).
- Identify the service need — legal representation, technical audit, policy development, staff training, or third-party vendor assessment.
- Cross-reference the listings against those two axes to identify relevant professional categories and provider types.
How content is verified
Content published in this directory is grounded in named public sources: federal statutes available through the U.S. Code at the Office of the Law Revision Counsel, agency regulations published in the Code of Federal Regulations via eCFR, guidance documents from HHS, FTC, and NIST, and published standards from recognized bodies including the National Institute of Standards and Technology (NIST) Privacy Framework and NIST Special Publication 800-53.
Factual claims about penalty structures, regulatory thresholds, and jurisdictional scope are traced to statute or promulgated regulation — not to secondary summaries. Where penalty figures appear, they reference the authorizing code section. For example, HIPAA civil monetary penalties are structured in 4 penalty tiers reaching up to $1,993,581 per violation category per calendar year (HHS HIPAA Enforcement Rule, 45 C.F.R. Part 160), with figures adjusted periodically under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
No fabricated statistics, projected figures, or synthesized "industry average" claims appear without attribution to a named, publicly accessible report or dataset. Where exact figures cannot be verified against a primary document, claims are reframed as structural descriptions of the regulatory mechanism.
How to use alongside other sources
This directory functions as a navigational and structural reference — a map of the service landscape, not a compliance manual. Three source categories complement it:
- Primary legal sources: The full text of HIPAA (42 U.S.C. §§ 1320d–1320d-9), COPPA (15 U.S.C. § 6501 et seq.), GLBA (15 U.S.C. § 6801 et seq.), and applicable state statutes should be consulted directly for any compliance determination. The IAPP maintains a US State Privacy Legislation Tracker that catalogs enacted and pending state laws — a current-status resource this directory does not replicate.
- Agency guidance: The FTC's published business guidance, HHS OCR's FAQ library, and NIST's cybersecurity and privacy framework publications provide interpretive depth that statutory text alone does not supply. NIST SP 800-122 addresses protection of personally identifiable information (PII) and provides technical framing distinct from legal compliance requirements.
- Credentialing bodies: The International Association of Privacy Professionals (IAPP) and ISACA publish practitioner standards, certification requirements, and professional ethics codes that define the qualification landscape for privacy professionals listed in the Privacy Listings section.
The contrast between this directory and those sources is functional: the IAPP tracks legislation and certifies practitioners; HHS OCR enforces HIPAA; the FTC enforces GLBA and COPPA. This directory maps the professional service sector that operates within those enforcement boundaries — connecting researchers and organizations to the qualified providers and frameworks relevant to their compliance context. Questions about specific directory structure or coverage can be directed through the contact page.