US Privacy Laws and Regulations

The United States privacy regulatory landscape operates through a patchwork of federal statutes, sector-specific regulations, and state-level frameworks rather than a single omnibus national privacy law. This page covers the structure, scope, classification boundaries, and key tensions of US privacy law as it applies to organizations, consumers, and regulated industries. Understanding this landscape is essential for compliance professionals, legal teams, technology operators, and researchers navigating obligations that vary significantly by data type, industry sector, and jurisdiction.


Definition and scope

US privacy law governs the collection, storage, use, disclosure, and transfer of personal information about identifiable individuals. Unlike the European Union's General Data Protection Regulation (GDPR), which sets a single binding standard across member states, the US system delegates authority across dozens of statutes and regulatory agencies. The Federal Trade Commission Act (15 U.S.C. § 45) grants the FTC broad authority to pursue unfair or deceptive practices involving consumer data, making the FTC the closest approximation to a general-purpose federal privacy regulator — though that authority is not explicit privacy legislation.

Personal information, as defined across statutes, ranges from narrow identifiers such as Social Security numbers and financial account numbers to broader categories including biometric data, geolocation records, and inferred behavioral profiles. The scope of a given law typically turns on three axes: the type of data, the type of entity collecting it, and the type of individual whose data is at stake (e.g., children, patients, employees, consumers).

The privacy providers available through this provider network reflect the breadth of organizations operating across these regulatory domains.


Core mechanics or structure

US privacy law operates through five structural mechanisms: notice, consent, access rights, security obligations, and enforcement.

Notice requires entities to disclose data practices through privacy policies, disclosures at point of collection, or mandatory filings. The Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501–6506) administered by the FTC requires verifiable parental consent before collecting personal information from children under 13, with mandatory direct notice to parents.

Consent frameworks vary in stringency. The Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801–6827) operates on an opt-out model for sharing nonpublic personal financial information with nonaffiliated third parties. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is also primarily opt-out: consumers may direct a business not to sell or share their personal information and may limit the use and disclosure of sensitive personal information, while affirmative opt-in consent is required only to sell or share the personal information of consumers under 16. The Virginia and Colorado statutes go further and require opt-in consent before processing sensitive data.

Access rights allow individuals to request copies of data held about them, correct inaccuracies, or request deletion. These rights are codified at the state level in California (Cal. Civ. Code § 1798.100), Virginia (Virginia Consumer Data Protection Act, VCDPA), Colorado (Colorado Privacy Act, CPA), and 13 additional states that enacted comprehensive privacy statutes as of 2024.

Security obligations are mandated across sectors: the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 C.F.R. Part 160 and Part 164, Subparts A and C) requires administrative, physical, and technical safeguards for electronic protected health information. The FTC's Safeguards Rule under GLBA (16 C.F.R. Part 314) applies comparable requirements to non-bank financial institutions under FTC jurisdiction.

Enforcement powers are distributed across the FTC, HHS Office for Civil Rights, Consumer Financial Protection Bureau (CFPB), state attorneys general, and sector regulators such as the FCC and SEC.


Causal relationships or drivers

The fragmented structure of US privacy law reflects institutional, political, and economic factors that have shaped legislative development over more than five decades. Congress has historically enacted privacy legislation in reaction to specific demonstrated harms rather than through proactive, comprehensive frameworks.

The Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681) emerged in 1970 following documented consumer harm from inaccurate credit files. HIPAA followed in 1996 after healthcare industry consolidation and electronic record adoption created systemic data exposure risks. COPPA passed in 1998 after FTC investigations revealed widespread collection of children's data without parental knowledge. The Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§ 2510–2523 and 2701–2713), enacted in 1986 in response to emerging digital communication technologies, governs interception of communications in transit (Title I, the Wiretap Act) and government access to stored communications and subscriber records held by service providers (Title II, the Stored Communications Act).

State-level momentum accelerated after the FTC's repeated requests to Congress for comprehensive federal privacy legislation went unaddressed through the 2010s. California's CCPA, signed in 2018 and effective January 1, 2020, created the first broad state consumer privacy framework. That action catalyzed comprehensive legislation in Virginia (2021), Colorado (2021), Connecticut (2022), and a dozen other states by 2024, for a total of 16 enacted statutes.

The privacy-provider network-purpose-and-scope page describes how this provider network maps the service sectors operating within these legal frameworks.


Classification boundaries

US privacy laws divide into five primary categories based on regulatory scope:

Sector-specific federal statutes apply to defined industries or data categories: HIPAA (health data), GLBA (financial data), FERPA (educational records), COPPA (children's data), FCRA (consumer reporting data).

General federal authority operates through the FTC's Section 5 power over unfair and deceptive practices, enabling enforcement against broken privacy promises, inadequate security, and unauthorized data sharing across industries not covered by specific statutes.

State comprehensive privacy laws apply broadly to commercial entities processing personal data above specified thresholds. California's CPRA established the California Privacy Protection Agency (CPPA, Cal. Civ. Code § 1798.199.10) as a dedicated enforcement body with rulemaking authority (Cal. Civ. Code § 1798.185), the first state-level dedicated privacy agency in the US.

State sectoral and data breach laws address specific categories: biometric data (Illinois Biometric Information Privacy Act, 740 ILCS 14), data breach notification (all 50 states have enacted breach notification statutes, per the National Conference of State Legislatures), and genetic data.

Federal surveillance and national security law operates separately through the Foreign Intelligence Surveillance Act (FISA), the USA PATRIOT Act, and related authorities governing government collection of communications data.


Tradeoffs and tensions

The sectoral, multi-layered structure of US privacy law produces identifiable regulatory tensions.

Federal preemption versus state innovation: Federal sectoral statutes vary in preemptive effect. Some expressly displace inconsistent state law (COPPA, 15 U.S.C. § 6502(d); FCRA, 15 U.S.C. § 1681t), while others set only a floor and preserve more protective state law (HIPAA, 45 C.F.R. § 160.203; GLBA, 15 U.S.C. § 6807). The absence of a federal omnibus privacy law has left states as the primary innovators, but this produces compliance complexity for organizations operating across state lines, which must simultaneously satisfy the requirements of 15 or more distinct state privacy regimes.

Privacy versus public safety and security: Law enforcement access to personal data — whether held by telecommunications carriers (under ECPA and the Communications Assistance for Law Enforcement Act, CALEA) or by technology platforms — generates persistent conflict between Fourth Amendment protections, statutory privacy rights, and national security imperatives.

Consumer control versus commercial data economics: Opt-out consent models, as used under GLBA and the CCPA, place the burden of limiting data sharing on consumers. Opt-in models, as required by the VCDPA and Colorado CPA for sensitive data and by the CCPA for the sale or sharing of personal information of consumers under 16, reduce the volume of data available for commercial use. Industry groups have argued before Congress and state legislatures that opt-in requirements impose material costs on advertising-dependent business models.

Private rights of action: HIPAA contains no private right of action; enforcement is exclusively governmental. The Illinois BIPA (740 ILCS 14/20) allows private suits with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, producing litigation volumes that have generated nine-figure settlements. The CCPA includes a limited private right of action for data breaches but not for most other violations.


Common misconceptions

Misconception: HIPAA applies to all health data. HIPAA's Privacy Rule (45 C.F.R. Part 164) applies only to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. A fitness tracking application not affiliated with a covered entity is not a HIPAA-regulated entity. Its data practices are governed by the FTC Act and applicable state law.

Misconception: A privacy policy is legally sufficient for compliance. Posting a privacy policy satisfies notice requirements under specific statutes but does not, by itself, constitute compliance with consent, security, access, or breach notification obligations. The FTC has brought enforcement actions against companies that had privacy policies but failed to implement stated data practices (see FTC Privacy Enforcement).

Misconception: The US has no comprehensive privacy law. While no single omnibus federal privacy statute exists, 16 states had enacted comprehensive consumer privacy laws as of 2024 (IAPP State Privacy Legislation Tracker). These laws share structural elements modeled in part on the GDPR but differ materially on thresholds, enforcement, and rights architecture.

Misconception: Federal law always supersedes state privacy protections. HIPAA expressly preserves more protective state laws (45 C.F.R. § 160.203). Absent explicit preemption language in federal statutes, states retain authority to enact stronger protections.

The how-to-use-this-privacy-resource page provides guidance on navigating the provider network's categorization of organizations by regulatory regime.


Checklist or steps (non-advisory)

The following sequence describes the compliance mapping process organizations undertake when assessing US privacy law obligations. This is a process description, not legal guidance.

  1. Identify the data categories processed — distinguish between health data, financial data, children's data, biometric data, and general consumer personal information.
  2. Identify the entity type and sector — determine whether the organization qualifies as a HIPAA covered entity, a GLBA financial institution, an FTC-regulated commercial entity, or a specialized category (consumer reporting agency under FCRA, educational institution under FERPA).
  3. Map applicable federal statutes — each sector triggers distinct notice, consent, security, and breach notification requirements under the applicable federal framework.
  4. Identify applicable state comprehensive privacy laws — assess whether the organization meets the revenue, data volume, or entity thresholds of each enacted state regime. California applies to for-profit businesses with more than $25 million in annual gross revenue, or that buy, sell, or share the personal information of 100,000 or more consumers or households, or that derive 50 percent or more of annual revenue from selling or sharing personal information. Virginia, Colorado, and Connecticut apply to controllers processing the personal data of 100,000 or more consumers, or 25,000 or more consumers where a specified share of revenue comes from the sale of personal data (IAPP State Privacy Legislation Tracker).
  5. Assess state sectoral obligations — check whether the organization collects biometric data (triggering Illinois BIPA and Texas CUBI), consumer health data outside HIPAA (Washington My Health My Data Act), genetic data, or other specialized categories.
  6. Review breach notification obligations — all 50 states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted breach notification laws. Requirements for notification timing, covered information, and regulator notice vary by jurisdiction (NCSL Breach Notification Laws).
  7. Document data maps and processing activities — CPRA and VCDPA both oblige businesses to honor consumer access, deletion, and correction requests, which is only possible with a current inventory of where personal data is held and how it is processed.
  8. Establish vendor and third-party controls — HIPAA Business Associate Agreements, GLBA service provider contracts, and CCPA/CPRA contractual requirements impose downstream obligations on data processors.

Reference table or matrix

FTC Act (15 U.S.C. § 45)
  Regulator: FTC
  Scope: Cross-sector (commercial entities)
  Consent model: No statutory consent model; practices are judged against the unfair/deceptive standard and the entity's own representations
  Private right of action: No
  Penalty ceiling: Civil penalties up to $51,744 per violation (FY2023 adjustment), available for violations of FTC orders and trade regulation rules; a first-instance Section 5 violation carries no civil penalty, only injunctive relief

HIPAA Privacy & Security Rules
  Regulator: HHS Office for Civil Rights (state attorneys general may also sue under HITECH)
  Scope: Healthcare covered entities and business associates
  Consent model: Notice of Privacy Practices; written authorization for uses beyond treatment, payment, and health care operations; opt-out for fundraising and facility directories
  Private right of action: No
  Penalty ceiling: Approximately $1.9 million per violation category per calendar year (inflation-adjusted; HHS)

GLBA (Privacy Rule and Safeguards Rule)
  Regulator: FTC (non-bank financial institutions), CFPB, federal banking regulators, SEC, state insurance regulators
  Scope: Financial institutions
  Consent model: Opt-out for sharing nonpublic personal information with nonaffiliated third parties
  Private right of action: No
  Penalty ceiling: No penalty schedule in GLBA itself; enforced through the FTC Act and the banking regulators' own enforcement authority

COPPA (15 U.S.C. §§ 6501–6506)
  Regulator: FTC
  Scope: Online services directed to children under 13, or with actual knowledge of collecting from children under 13
  Consent model: Verifiable parental consent (opt-in)
  Private right of action: No
  Penalty ceiling: Civil penalties up to $51,744 per violation (FY2023 adjustment), enforced as a trade regulation rule violation

FCRA (15 U.S.C. § 1681)
  Regulator: CFPB, FTC
  Scope: Consumer reporting agencies, furnishers, and users of consumer reports
  Consent model: Permissible purpose required; written consent for reports used for employment purposes
  Private right of action: Yes (15 U.S.C. §§ 1681n, 1681o)
  Penalty ceiling: Actual damages for negligent violations; statutory damages of $100–$1,000 per consumer plus punitive damages for willful violations

California CCPA/CPRA
  Regulator: California Privacy Protection Agency, California AG
  Scope: For-profit entities meeting thresholds
  Consent model: Opt-out for sale or sharing; right to limit use and disclosure of sensitive personal information; opt-in required to sell or share data of consumers under 16
  Private right of action: Limited (data breaches, Cal. Civ. Code § 1798.150)
  Penalty ceiling: $2,500 per violation; $7,500 per intentional violation or violation involving consumers known to be under 16 (Cal. Civ. Code § 1798.155)

Illinois BIPA (740 ILCS 14)
  Regulator: State courts (private litigation); Illinois AG
  Scope: Private entities collecting biometric identifiers or information in Illinois
  Consent model: Opt-in (informed written release required)
  Private right of action: Yes
  Penalty ceiling: $1,000 per negligent violation; $5,000 per intentional or reckless violation (liquidated damages, or actual damages if greater)

Virginia VCDPA
  Regulator: Virginia AG
  Scope: Controllers and processors meeting thresholds
  Consent model: Opt-out for targeted advertising, sale, and profiling; opt-in for sensitive data
  Private right of action: No
  Penalty ceiling: Up to $7,500 per violation

Colorado CPA
  Regulator: Colorado AG, district attorneys
  Scope: Controllers and processors meeting thresholds
  Consent model: Opt-out for sale, targeted advertising, and profiling; opt-in for sensitive data
  Private right of action: No
  Penalty ceiling: Up to $20,000 per violation (as a deceptive trade practice under the Colorado Consumer Protection Act)
