National Privacy Legislation: Current Outlook and Proposals

The United States lacks a single, comprehensive federal privacy statute, creating a fragmented compliance landscape across sector-specific laws, state frameworks, and pending congressional proposals. This page maps the structural architecture of US privacy legislation — federal and state — and identifies the key regulatory bodies, legislative proposals, and classification distinctions that shape how privacy obligations are assigned and enforced. Privacy professionals, compliance officers, and policy researchers use this landscape to orient service selection and jurisdictional analysis. For an overview of the provider network's scope and coverage framework, see the Privacy Provider Network Purpose and Scope page.


Definition and scope

National privacy legislation, in the US context, refers to the body of law — enacted and proposed — that governs the collection, use, storage, transfer, and deletion of personal information by private entities, government agencies, or both. No single omnibus federal law currently fills this role. Instead, the framework is built from sector-specific statutes administered by distinct federal agencies:

The scope gap between these statutes — covering health, finance, children, and education — leaves broad categories of commercial data collection without direct federal oversight, which is the primary driver of both state legislation and federal legislative proposals.


How it works

The US privacy regulatory structure operates through a layered enforcement model. Federal sectoral laws set minimum floors; state laws may exceed those floors in their own jurisdictions. The FTC holds general authority under Section 5 of the FTC Act (15 U.S.C. § 45) to pursue unfair or deceptive practices in data handling, functioning as a de facto enforcement backstop where no sectoral statute applies.

The legislative process for a federal comprehensive privacy law — often referred to generically as a "US federal privacy law" or, in reference to specific proposals, the American Data Privacy and Protection Act (ADPPA) — has followed this structural sequence in Congress:

  1. Committee markup — draft bill language reviewed and amended in the House Energy and Commerce Committee or Senate Commerce Committee.
  2. Preemption debate — determination of whether federal law would preempt (override) state laws such as the California Consumer Privacy Act (CCPA) or its amendment, the California Privacy Rights Act (CPRA).
  3. Enforcement mechanism — allocation of enforcement authority between the FTC, state attorneys general, and private right of action provisions.
  4. Scope definition — determining which entities are covered, what categories of data are regulated, and whether small businesses receive exemptions.
  5. Floor-versus-ceiling structure — deciding whether states retain authority to enact stricter standards.

The ADPPA, which advanced out of the House Energy and Commerce Committee in 2022 with a 47-to-2 vote but did not reach a full chamber vote, represents the most advanced federal omnibus proposal in the modern legislative cycle. Its preemption clause — which would have limited California's ability to maintain the CPRA — became the primary sticking point.


Common scenarios

Privacy legislation intersects with operational reality across three recurring compliance contexts:

State law compliance gaps. As of 2024, at least 20 US states had enacted comprehensive consumer privacy statutes, according to tracking by the International Association of Privacy Professionals (IAPP). Organizations operating nationally must map data flows against each active state law — Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, Texas's TDPSA, and others — in the absence of a single federal standard.

Cross-sector data handling. Entities that handle health data, financial records, and general consumer behavioral data simultaneously (common in insurance technology and health-adjacent fintech) face overlapping HIPAA, GLBA, and state law obligations without a unified reconciliation framework.

Federal agency rulemaking. The FTC initiated rulemaking on commercial surveillance and data security under its Magnuson-Moss authority in 2022 (FTC Commercial Surveillance ANPR), signaling that regulatory expansion can occur through agency action even absent new legislation.

Professionals navigating these scenarios can explore active service providers through the Privacy Providers provider network.


Decision boundaries

The critical classification question for any organization is which legal regime — or combination of regimes — governs its data practices. The following distinctions determine that answer:

Federal sectoral law vs. state omnibus law. HIPAA-covered entities follow federal preemption for health data but remain subject to state law for non-health data collected in the same transaction.

Controller vs. processor. State laws modeled on the GDPR framework (Virginia, Colorado, Connecticut) distinguish data controllers (those who determine purpose and means) from processors (those who act on behalf of controllers). This distinction changes obligation allocation materially — controllers carry notice, consent, and rights-response duties; processors carry contractual and security duties.

Sensitive data vs. general personal data. All active US state privacy statutes create a heightened protection tier for sensitive data categories — precise geolocation, biometric data, health data, financial data, and sexual orientation. The specific category lists vary by state, requiring classification mapping at the data-element level.

Private right of action. Only California (under the CPRA, administered by the California Privacy Protection Agency) and Illinois (under the Biometric Information Privacy Act, 740 ILCS 14) provide private rights of action that expose organizations to class litigation without prior agency enforcement. This distinction separates high-litigation-risk jurisdictions from enforcement-only regimes. For guidance on how this provider network structures its coverage of the privacy service sector, see How to Use This Privacy Resource.
