National Privacy Authority
The National Privacy Authority serves as a structured reference directory for the United States privacy regulatory landscape, covering federal statutes, state-level frameworks, sector-specific compliance obligations, and the professional roles that operate within this space. This reference draws on 46 published pages spanning privacy law, cybersecurity obligations, data governance, and compliance program design. The breadth of that content — from sector-specific rules under HIPAA and GLBA to emerging state frameworks and cross-border transfer requirements — reflects the complexity of privacy as an operational and legal discipline in the United States. This page orients readers to the scope, structure, and regulatory logic of that reference system.
- Boundaries and exclusions
- The regulatory footprint
- What qualifies and what does not
- Primary applications and contexts
- How this connects to the broader framework
- Scope and definition
- Why this matters operationally
- What the system includes
Boundaries and exclusions
Privacy law in the United States does not operate as a single unified regime. No omnibus federal consumer privacy statute with universal application exists as of 2024. Instead, the regulatory terrain is defined by a patchwork of sector-specific federal statutes, an expanding set of state comprehensive privacy laws, and agency enforcement authority that varies significantly by industry and data type.
The boundaries of what this reference covers reflect that complexity. The scope extends to:
- Federal sector-specific statutes: the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Children's Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act (FERPA)
- State comprehensive privacy laws, including California's CCPA and CPRA, Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, and frameworks in at least 13 additional states that have enacted comparable legislation
- FTC enforcement authority under Section 5 of the FTC Act as it applies to unfair or deceptive data practices
- Cross-sector standards from NIST, including NIST Privacy Framework Version 1.0
This reference does not extend to international privacy law — the EU's General Data Protection Regulation (GDPR), Canada's PIPEDA, or similar foreign frameworks — except where cross-border data transfers create direct compliance obligations for US-based entities under those regimes. It also does not function as legal counsel, compliance advisory output, or regulatory opinion.
The regulatory footprint
The US privacy regulatory footprint is distributed across multiple federal agencies, none of which holds singular jurisdiction over all personal data. The Federal Trade Commission holds the broadest cross-sector authority through unfair and deceptive practice enforcement (FTC Act, 15 U.S.C. § 45). The Department of Health and Human Services Office for Civil Rights (HHS OCR) administers HIPAA, with inflation-adjusted civil monetary penalties of approximately $1.9 million per violation category per calendar year (HHS HIPAA Enforcement). The Consumer Financial Protection Bureau (CFPB) holds rulemaking authority over the Gramm-Leach-Bliley Act privacy provisions (Regulation P) for most financial institutions, while the FTC retains enforcement of the GLBA Safeguards Rule for non-bank financial institutions. The Federal Communications Commission (FCC) retains jurisdiction over telecommunications customer proprietary network information (CPNI).
At the state level, enforcement authority for comprehensive privacy statutes is primarily lodged with state attorneys general. California's enforcement apparatus is notable for including the California Privacy Protection Agency (CPPA), a dedicated regulatory body established under the CPRA with independent rulemaking and enforcement power.
The result is a fragmented enforcement environment. A single data incident can trigger concurrent investigations by HHS OCR, the FTC, and one or more state attorneys general depending on the data types involved, the industries affected, and the states of residence of affected individuals. The data breach notification requirements framework illustrates this directly — 50 states, the District of Columbia, and several territories each maintain distinct notification timelines, covered entity definitions, and threshold tests.
What qualifies and what does not
Not all information handling constitutes "personal data" subject to privacy regulatory obligations. Classification depends on statute, context, and jurisdiction.
| Data Category | Federal Coverage | State Law Coverage | Notes |
|---|---|---|---|
| Protected Health Information (PHI) | HIPAA (covered entities + BAs) | Some state health privacy laws | Defined at 45 C.F.R. § 160.103 |
| Financial account data | GLBA (financial institutions) | CCPA/CPRA, state breach laws | GLBA applies to NPI |
| Children's data (under 13) | COPPA (FTC) | CCPA minor provisions | Verifiable parental consent required |
| Student education records | FERPA (ED) | Limited state overlap | Applies to federally funded institutions |
| Biometric identifiers | No federal omnibus | Illinois BIPA, TX, WA statutes | BIPA carries $1,000–$5,000 per violation |
| De-identified data | Generally excluded | CCPA has specific re-identification rules | De-identification standards vary |
| Aggregate/anonymous data | Generally excluded | Context-dependent | Not excluded if re-identification is possible |
| Employee HR data | FLSA, ADA, partial CCPA | Some state employee privacy laws | CCPA B2B/employee exemptions sunset |
The personal data classification framework on this site maps these categories in greater operational detail. Notably, de-identification does not create a blanket exemption under all frameworks — the CCPA, for example, imposes specific technical and administrative standards before the de-identification exclusion applies.
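The re-identification caveat in the table above is easier to see in code than in prose. The following is an added example and is not part of this reference or of any statute's text; the records, the quasi-identifier set (ZIP, birth year, sex) and the k threshold are constructed assumptions. It shows that stripping names and SSNs still leaves records that are unique on their quasi-identifiers, that generalization plus suppression reaches k-anonymity, and that k-anonymity alone can still let a reader infer the diagnosis of an entire equivalence class.

```python
"""Re-identification risk check for a 'de-identified' dataset.

Added illustration; not part of the reference page. The records are
constructed, and the choice of quasi-identifiers (ZIP, birth year, sex)
and the k threshold are assumptions for the demo, not statutory values.
"""
from collections import defaultdict

# Constructed sample. Names and SSNs have already been removed, which is
# what many teams mean by "de-identified"; the quasi-identifiers remain.
RECORDS = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02142", "birth_year": 1963, "sex": "F", "diagnosis": "influenza"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94110", "birth_year": 1950, "sex": "M", "diagnosis": "lymphoma"},
]

QUASI_IDS = ("zip", "birth_year", "sex")  # assumed linkable via public records
SENSITIVE = "diagnosis"


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return classes


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class. k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len(c) for c in classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDS):
    """Quasi-identifier tuples matching exactly one record (direct re-identification risk)."""
    return [qi for qi, c in equivalence_classes(records, quasi_ids).items() if len(c) == 1]


def l_diversity(records, quasi_ids=QUASI_IDS, sensitive=SENSITIVE):
    """Fewest distinct sensitive values inside any class. l == 1 means the
    sensitive attribute is inferable even when k >= 2 (homogeneity attack)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len({r[sensitive] for r in c}) for c in classes.values()) if classes else 0


def generalize(rec, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers: keep a ZIP prefix, bucket the birth year."""
    out = dict(rec)
    out["zip"] = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    out["birth_year"] = (rec["birth_year"] // year_bucket) * year_bucket
    return out


def anonymize(records, k, quasi_ids=QUASI_IDS, **gen_kwargs):
    """Generalize every record, then suppress any class still smaller than k."""
    generalized = [generalize(r, **gen_kwargs) for r in records]
    classes = equivalence_classes(generalized, quasi_ids)
    return [r for cls in classes.values() if len(cls) >= k for r in cls]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique tuples:", singled_out(RECORDS))
    released = anonymize(RECORDS, k=2)
    print("released", len(released), "of", len(RECORDS), "records; k =", k_anonymity(released))
    print("l-diversity of release =", l_diversity(released), "(1 => diagnosis leaks for a class)")
```

On the constructed data the raw table has k = 1 with two singled-out individuals; generalizing ZIP to three digits and birth year to a decade, then suppressing the remaining singleton, yields a six-record release with k = 2. That release still has l = 1: both records in the 1980s-born male class carry the same diagnosis, so anyone who knows such a person is in the dataset learns it. This is the kind of check a team should run before treating a dataset as outside the "personal data" definitions discussed above, since the exclusion depends on re-identification not being reasonably possible, not on the absence of names.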
Primary applications and contexts
Privacy compliance obligations attach to organizations across four primary operational contexts:
1. Data collection and consent
Regulatory frameworks impose disclosure obligations at or before the point of data collection. COPPA requires verifiable parental consent before collecting data from children under 13. CCPA/CPRA requires disclosure of data categories collected and the right to opt out of sale or sharing. The consent management frameworks reference details the mechanism-level requirements for each major statute.
2. Data use and retention
Statutes including HIPAA's minimum necessary standard and the CPRA's purpose limitation and data minimization provisions restrict use of personal data to disclosed purposes. The NIST Privacy Framework Core Function Control-P addresses data retention as a distinct governance requirement. The data minimization practices and data retention and deletion policies pages map these obligations by framework.
3. Individual rights fulfillment
State comprehensive privacy laws (California, Virginia, Colorado, Connecticut, and others) grant consumers rights including access, correction, deletion, portability, and opt-out of profiling. Data subject access requests have defined response timelines: 45 days under CCPA/CPRA, extendable once by 45 additional days, and 45 days under the Virginia CDPA, likewise extendable once by 45 days where reasonably necessary. The right to deletion requirements reference covers the scope and exceptions of deletion obligations across frameworks.
4. Incident response and breach notification
HIPAA's Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, regardless of size. Breaches affecting 500 or more individuals additionally require notice to HHS within that same 60-day window and to prominent media outlets serving the affected state or jurisdiction; smaller breaches are reported to HHS in an annual log. State breach notification laws impose fixed deadlines of roughly 30 to 90 days where a deadline is specified, and "without unreasonable delay" elsewhere. The privacy incident response reference structures the operational phases of breach response against these regulatory timelines.
How this connects to the broader framework
National Privacy Authority operates within a network of reference properties coordinated through authorityindustries.com, which functions as the broader industry authority hub. The parent domain in the cybersecurity vertical is nationalcyberauthority.com, which addresses the intersection of cybersecurity standards and regulatory obligations more broadly — including NIST Cybersecurity Framework, incident response infrastructure, and vendor risk management.
Within this site, the federal privacy framework reference maps the statutory and agency relationships at the federal level, while the state privacy laws comparison provides the horizontal view of state-by-state legislative divergence. These two references together define the primary axis of the US privacy regulatory structure.
The US privacy laws and regulations reference functions as the foundational index for statutory coverage, cross-referencing each major federal and state statute against the data types, covered entities, and enforcement mechanisms it governs.
Scope and definition
"Privacy" as a regulatory concept in US law does not reduce to a single definition. Three distinct operational frameworks coexist:
- Information privacy: The right to control how personal information is collected, used, and disclosed. This is the primary framework of HIPAA, CCPA, GLBA, and state comprehensive privacy laws.
- Data security as privacy obligation: Requirements to implement safeguards protecting personal data from unauthorized access. HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), GLBA Safeguards Rule (16 C.F.R. Part 314), and FTC breach enforcement all treat security as a component of privacy compliance.
- Contextual integrity: The principle, associated with philosopher Helen Nissenbaum's scholarship and referenced in NIST Privacy Framework documentation, that information flows appropriately when they match the norms of the context in which the information was originally shared. This concept influences regulatory interpretation of secondary use restrictions.
The privacy by design principles reference addresses how these frameworks translate into system architecture and product development obligations under frameworks such as GDPR Article 25 and California Privacy Protection Agency rulemaking guidance.
Why this matters operationally
Privacy compliance failures carry concrete financial and operational consequences. The IBM Cost of a Data Breach Report 2023 (IBM) placed the average cost of a data breach in the United States at $9.48 million — the highest of any country measured in that study. HHS OCR has imposed HIPAA settlements exceeding $5 million in single enforcement actions. Illinois Biometric Information Privacy Act litigation has produced class action settlements in the hundreds of millions of dollars, including a $650 million settlement with Facebook (Meta) in 2021.
Operational exposure extends beyond financial penalties. State attorneys general enforcement actions have resulted in mandatory compliance programs, independent assessments, and multi-year injunctive relief requirements. The privacy audit and compliance reviews reference addresses how organizations structure internal assessment processes against these enforcement benchmarks.
The chief privacy officer role has expanded in parallel with regulatory complexity. A designated privacy lead is in some cases a statutory requirement rather than a best practice: HIPAA requires covered entities to designate a privacy official (45 C.F.R. § 164.530(a)), and the amended GLBA Safeguards Rule requires a designated "Qualified Individual" to oversee the information security program. Beyond those mandates, CPO appointments are common among entities subject to HIPAA, CCPA, and GLBA, and regulators treat documented program ownership as evidence of good-faith compliance infrastructure.
What the system includes
This reference directory spans 46 published pages organized across the following thematic clusters:
Statutory and regulatory references: Deep-coverage pages on HIPAA, CCPA/CPRA, COPPA, FERPA, and GLBA, each addressing scope, covered entities, key definitions, enforcement mechanisms, and penalty structures. The HIPAA privacy rule and CCPA/CPRA compliance pages are among the most structurally detailed.
State-level frameworks: The state privacy laws comparison and individual state-adjacent references covering notification requirements, consumer rights timelines, and enforcement agency contacts across the full US legislative landscape.
Data governance operations: References on vendor privacy management, third-party data sharing rules, privacy impact assessments, privacy program governance, and cross-border data transfers — covering the operational mechanics of privacy compliance in enterprise and mid-market contexts.
Emerging and sector-specific issues: References covering AI and automated decision privacy, biometric data privacy laws, IoT device privacy standards, health data privacy beyond HIPAA, and social media data privacy — addressing the regulatory frontiers where statutory frameworks are actively developing.
Professional and program infrastructure: Pages covering the CPO role, privacy training and awareness programs, privacy by design, and sensitive data handling standards — structured as professional reference material for practitioners building or auditing compliance programs.
The directory also includes cost estimation tools for data breach response, security compliance, and related services, alongside a cybersecurity listings index for service provider navigation.
References
- Federal Trade Commission Act, 15 U.S.C. § 45 — FTC Legal Library
- HIPAA Administrative Simplification Regulations, 45 C.F.R. Parts 160 and 164 — HHS
- HHS HIPAA Enforcement — Office for Civil Rights
- Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801–6809 — FTC
- GLBA Safeguards Rule, 16 C.F.R. Part 314 — FTC
- Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506 — FTC
- Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 C.F.R. Part 99 — U.S. Department of Education
- California Consumer Privacy Act (CCPA) as amended by CPRA — California Attorney General
- NIST Privacy Framework, Version 1.0 — NIST
- NIST SP 800-53, Rev. 5 — Security and Privacy Controls for Information Systems — CSRC
- IBM Cost of a Data Breach Report 2023
- California Privacy Protection Agency — CPPA
- Virginia Consumer Data Protection Act (CDPA), Va. Code § 59.1-575 et seq. — Virginia Attorney General
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 — Illinois General Assembly