US Privacy Laws and Regulations

The United States privacy regulatory landscape is a complex, sector-specific patchwork of federal statutes, agency-enforced rules, and a rapidly expanding body of state legislation — with no single omnibus federal privacy law governing all personal data. This reference covers the structure, scope, enforcement mechanisms, and classification boundaries of US privacy law as it applies to organizations operating across health, finance, education, commercial, and digital sectors. Understanding where these frameworks intersect, conflict, and leave gaps is essential for compliance professionals, legal counsel, privacy officers, and researchers navigating this landscape.


Definition and scope

US privacy law, as a regulatory domain, encompasses the legal obligations imposed on entities that collect, process, store, share, or monetize personal information about identifiable individuals. Unlike the European Union's General Data Protection Regulation (GDPR), which sets a unified horizontal framework applicable across all sectors (European Commission, GDPR Overview), the US approach is vertical and sectoral — meaning that applicable obligations depend on the type of data involved, the industry of the entity handling it, and the state or states in which the data subjects reside.

Federal privacy law in the US derives from statutes including the Health Insurance Portability and Accountability Act of 1996 (HIPAA, 45 CFR Parts 160 and 164), the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801–6827), the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506), and the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g). State-level frameworks, led by the California Consumer Privacy Act and its amendment, the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code §§ 1798.100–1798.199.100), have created a multi-jurisdictional compliance environment that as of 2024 includes comprehensive state privacy laws in at least 19 states (IAPP State Privacy Legislation Tracker).

The scope of any given law is determined by data type, covered entity classification, and jurisdictional thresholds such as revenue, consumer volume, or sector classification. The personal data classification taxonomy used by a given framework determines which obligations attach to which categories of information.


Core structure

Privacy frameworks in the US operate through four core structural components: notice requirements, consent mechanisms, access and correction rights, and enforcement authorities.

Notice obligations require covered entities to disclose how personal information is collected, used, shared, and retained — typically through a privacy notice or policy. HIPAA mandates a Notice of Privacy Practices for covered entities (HHS, Notice of Privacy Practices). The FTC enforces Section 5 of the FTC Act (15 U.S.C. § 45) against deceptive or unfair data practices, including misleading privacy notices.

Consent structures vary widely. COPPA requires verifiable parental consent before collecting personal data from children under 13 (FTC COPPA Rule, 16 CFR Part 312). The CCPA/CPRA establishes opt-out rights for the sale or sharing of personal information and opt-in consent for sensitive personal information. HIPAA uses an authorization model for uses beyond treatment, payment, and healthcare operations.

Individual rights provisions differ by framework. The CCPA/CPRA grants California residents rights to know, delete, correct, and opt out of sale or sharing. FERPA grants students and parents rights to inspect and amend educational records. The process for data-subject access requests and the right to deletion are operationalized differently under each statute.

Enforcement is distributed across multiple agencies: the Federal Trade Commission enforces COPPA, GLBA's Safeguards Rule, and Section 5 unfair/deceptive practices broadly; the Department of Health and Human Services Office for Civil Rights enforces HIPAA; the Department of Education enforces FERPA; the Consumer Financial Protection Bureau holds additional authority over financial data; and the California Privacy Protection Agency (CPPA) enforces CPRA.


Drivers of fragmentation

The fragmented structure of US privacy law reflects identifiable legislative and market drivers:

Sector-specific congressional action historically preceded any cross-sector framework. Congress passed HIPAA in response to healthcare industry data misuse; GLBA in response to financial sector data sharing after banking deregulation; COPPA in response to commercial targeting of children online. Each statute addressed a discrete harm vector rather than a unified rights model.

State legislative acceleration after 2018 was triggered by the GDPR's extraterritorial reach (which affected US companies holding EU resident data), California's Proposition 24 ballot initiative, and high-profile data incidents including the Facebook-Cambridge Analytica disclosure. The absence of federal preemption created a regulatory vacuum that state legislatures moved to fill.

The FTC's jurisdictional limits (it lacks general rulemaking authority over non-profit entities, common carriers, and financial institutions already regulated by other agencies) left documented coverage gaps that amplified state action. The FTC privacy enforcement record shows the agency relying primarily on consent decree authority rather than statutory penalty structures for most sectors.

Commercial data monetization by data brokers, ad-tech networks, and platform operators expanded the practical scope of personal data collection beyond what sector-specific frameworks anticipated, particularly in the domains of online tracking and cookies and of location data privacy.


Classification boundaries

US privacy law classifies covered data and entities along four primary axes:

By data type: Health data under HIPAA constitutes Protected Health Information (PHI) — individually identifiable health information held by covered entities or business associates. Financial data under GLBA constitutes Nonpublic Personal Information (NPI). Educational records under FERPA are defined by their direct association with a student. Biometric data receives heightened treatment under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) and under several state comprehensive laws. The biometric data privacy laws and sensitive data handling standards pages address these categories in depth.

By entity type: HIPAA's covered entity definition includes health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. Business associates — vendors handling PHI on behalf of covered entities — are also directly regulated. COPPA applies to operators of websites or online services directed to children or with actual knowledge of child users.

By jurisdiction threshold: The CCPA applies to for-profit businesses meeting at least one of three thresholds: annual gross revenues exceeding $25 million, buying or selling personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenues from selling personal information (Cal. Civ. Code § 1798.140(d)).

By data sensitivity tier: Most comprehensive state laws distinguish between general personal information and sensitive categories — including precise geolocation, health data, financial account data, racial or ethnic origin, sexual orientation, and citizenship status — with heightened obligations for the latter.


Tradeoffs and tensions

Preemption vs. state innovation: Federal preemption of state privacy laws would create national uniformity but eliminate California's role as a regulatory floor-raiser. Industry groups have historically advocated for federal preemption; consumer advocates and state attorneys general have opposed provisions that would weaken CCPA/CPRA protections.

Consent vs. legitimate interest: US law generally does not adopt a "legitimate interest" processing basis comparable to GDPR Article 6(1)(f). Opt-out models dominant in US state law allow commercial data use to proceed without affirmative consumer action, creating asymmetric default positions favoring data controllers.

Sectoral coherence vs. coverage gaps: Health data held by a fitness app is not PHI under HIPAA because the app developer is not a covered entity, yet the data is functionally identical to clinical records. The domain of health data privacy beyond HIPAA exposes this structural gap. Similarly, employee privacy rights remain largely unaddressed by any comprehensive federal statute.

Enforcement capacity vs. violation volume: The FTC's Bureau of Consumer Protection and state attorneys general collectively lack sufficient enforcement bandwidth relative to the volume of potential violations, particularly in the contexts of third-party data sharing rules and vendor privacy management.


Common misconceptions

Misconception: HIPAA applies to all health data. HIPAA applies only to covered entities and their business associates. A consumer wellness app, employer wellness program not integrated with a group health plan, or social media platform collecting symptom data is not bound by HIPAA. The FTC Act and applicable state law may apply instead.

Misconception: A privacy policy satisfies all disclosure obligations. Different statutes impose distinct notice formats, timing, and content requirements. A generic website privacy policy does not satisfy HIPAA's Notice of Privacy Practices, COPPA's direct notice to parents, GLBA's annual notice obligation, or CCPA's category-specific disclosure requirements.

Misconception: The US has no federal data breach notification law. While no single omnibus federal breach notification law exists, sector-specific breach rules include HHS's HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), the FTC's Health Breach Notification Rule (16 CFR Part 318), and GLBA's Safeguards Rule breach notification provisions. All 50 states have enacted breach notification laws. The data breach notification requirements framework addresses this multi-layered obligation structure.

Misconception: Anonymized data carries no privacy obligations. De-identification under HIPAA requires satisfaction of either the Expert Determination or Safe Harbor method (45 CFR § 164.514). Re-identification risk from data enrichment means that improperly de-identified data can trigger full regulatory obligations upon re-linkage. The standards for de-identification and anonymization vary by statute.


Compliance assessment checklist

The following sequence describes the structural compliance assessment process organizations use to map applicable US privacy obligations — presented as a reference framework, not legal advice:

  1. Identify all personal data categories collected — distinguish general personal information from sensitive categories as defined by each applicable statute (health, financial, biometric, children's data, precise geolocation).
  2. Determine entity classification — assess whether the organization qualifies as a HIPAA covered entity, business associate, GLBA-regulated financial institution, COPPA operator, or FERPA educational agency.
  3. Apply jurisdictional thresholds — evaluate which state comprehensive privacy laws apply based on consumer volume, revenue, and state of residence of data subjects.
  4. Map data flows — document collection sources, internal processing purposes, third-party disclosures, and cross-border transfers, per the applicable cross-border data transfer requirements.
  5. Assess consent and notice obligations — identify which frameworks require opt-in versus opt-out consent, parental consent, or specific notice formats.
  6. Evaluate individual rights obligations — determine which access, correction, deletion, portability, and opt-out rights must be honored, and establish general timeframes.
  7. Review vendor contracts — confirm Business Associate Agreements (HIPAA), service provider clauses (CCPA/CPRA), or vendor agreements address downstream data handling per applicable statutes.
  8. Assess breach notification obligations — identify applicable federal and state notification triggers, timelines, and recipient agencies for each data category.
  9. Document privacy impact assessments — conduct privacy impact assessments for new products, data uses, or high-risk processing activities.
  10. Establish governance and training — assign accountability to a designated chief privacy officer role or equivalent function; implement documented privacy training and awareness programs.

Reference table

| Framework | Regulating Agency | Covered Entity | Data Type | Key Individual Right | Penalty Ceiling |
|---|---|---|---|---|---|
| HIPAA Privacy Rule | HHS Office for Civil Rights | Health plans, providers, clearinghouses, BAs | Protected Health Information (PHI) | Access, amendment, accounting | $1.9M per violation category per year (HHS Civil Money Penalties) |
| GLBA Safeguards Rule | FTC / CFPB / prudential regulators | Financial institutions | Nonpublic Personal Information (NPI) | Opt-out of sharing | FTC Act civil penalties (up to $51,744/day per violation as adjusted) |
| COPPA | FTC | Operators of child-directed websites/apps | Personal info of children under 13 | Parental access/deletion | Up to $51,744 per violation (FTC, 16 CFR Part 312) |
| FERPA | US Dept. of Education | Educational agencies/institutions receiving federal funding | Education records | Inspect, amend, consent to disclosure | Loss of federal funding |
| CCPA/CPRA | CA Privacy Protection Agency | For-profit businesses meeting thresholds | Personal information of CA residents | Know, delete, correct, opt-out, portability | Up to $7,500 per intentional violation (Cal. Civ. Code § 1798.155) |
| Illinois BIPA | Illinois courts (private right of action) | Any private entity in IL collecting biometric data | Biometric identifiers/information | Written release consent | $1,000–$5,000 per violation (740 ILCS 14/20) |
| FTC Section 5 | FTC | Non-exempt commercial entities | Any personal data (unfair/deceptive practices) | N/A (enforcement-driven) | Civil penalties for rule violations; equitable relief |
| State Comprehensive Laws (e.g., VA CDPA, TX TDPSA, CO CPA) | State AGs | Businesses meeting state thresholds | Personal data of state residents | Access, correction, deletion, opt-out, portability | Varies by state: TX up to $7,500/violation; VA up to $7,500/intentional violation |
