US Privacy Laws: A Complete Guide to Federal and State Data Protection

The United States has one of the most intricate privacy regulatory systems. Unlike Europe’s single GDPR framework, American businesses must comply with a patchwork of federal and state data protection laws. There is currently no all-encompassing federal data privacy legislation, so organisations must rely on state laws to fill the gaps in privacy protection. This creates significant challenges for organisations handling personal data.

Several states have enacted consumer privacy laws, which play a key role in regulating the collection, use, and enforcement of data. Federal regulations target specific sectors. Understanding this environment is essential for compliance.

Businesses must comply with sector-specific federal laws, such as HIPAA for healthcare data, and state privacy laws, like the California Consumer Privacy Act. Ongoing efforts to pass a federal consumer privacy law could eventually unify these requirements; for now, the lack of a single federal consumer privacy law creates overlapping jurisdictions, varying consumer rights, and different enforcement methods.

This guide helps you understand US privacy laws, your obligations, and how to build an effective compliance program across multiple frameworks.

Key Takeaways

The United States lacks a comprehensive federal data privacy law, resulting in a patchwork of sector-specific federal regulations and a range of state data privacy laws that businesses must navigate for compliance.

Consumer privacy rights under state privacy laws typically include the right to know what personal information is collected, the right to access and delete data, and the right to opt out of the sale or sharing of personal information, with enhanced protections for sensitive data and the information of children.

Successful compliance requires businesses to implement reasonable security practices, maintain transparency through clear and comprehensive privacy policies, respond to consumer requests within the required timeframes, conduct data protection impact assessments for high-risk processing, and stay informed about evolving federal and state privacy regulations.

Federal Privacy Laws are Sector-Specific

US federal privacy laws use a sectoral approach. Different industries and data types are governed by specific statutes rather than a single data privacy law. This creates strong protections in some areas but gaps in others, which states address. When working with federal privacy laws, it is important to understand key definitions, as these clarify the scope and obligations under each statute.

Healthcare Sector Protections Under HIPAA

HIPAA governs how healthcare providers, plans, and business associates handle protected health information.

Key points:

The Privacy Rule sets minimum standards for the use and disclosure of consumer health data.
The Security Rule requires technical and administrative safeguards.
Organisations must have a written information security program and conduct risk assessments.
Business associates must sign agreements to protect health information.
Patients can request access to and correction of their medical records, and can authorise disclosures.

Financial Services Regulations

Financial institutions are subject to multiple federal laws that protect consumer financial data.

Important laws:

The Gramm-Leach-Bliley Act requires clear information-sharing practices and data security programs.
The Fair Credit Reporting Act governs how credit reporting agencies handle consumer credit information.
These laws require privacy notices, reasonable security measures, and often opt-out rights for data sharing.

Children’s Online Privacy Protection

COPPA protects children under 13 online.

Requirements include:

Verifiable parental consent before collecting data.
Clear privacy notices.
Parental access to children’s information.
Reasonable data security measures.

The Federal Trade Commission actively enforces COPPA with significant penalties for violations.

FTC Enforcement Authority

The Federal Trade Commission enforces privacy rights under Section 5 of the FTC Act, which prohibits unfair and deceptive practices.

The FTC targets companies that:

Fail to follow privacy policies.
Lack adequate data security.
Ignore consumer opt-out requests.

The commission focuses on transparency, consumer choice, and data security. The FTC regularly initiates enforcement actions against companies that violate privacy laws.

State Privacy Laws: The New Frontier of Data Protection

States lead in creating data privacy laws because federal efforts have stalled. Each new state law adds to a growing patchwork with varying scopes, enforcement mechanisms, and rights for individuals.

As organisations work on compliance, they must account for the differences among various states’ laws, which can impact requirements and enforcement across jurisdictions.

California Leading the Way

California’s laws include the California Consumer Privacy Act and the California Privacy Rights Act, administered by the California Privacy Protection Agency.

Consumer rights include:

Knowing what personal information is collected.
Deleting personal information.
Correcting inaccurate data.
Opting out of the sale or sharing of personal data.

Businesses must provide detailed privacy notices and implement reasonable security measures to protect their customers’ data. California enforces these laws through regulators and private rights of action in data breach cases.

Second Wave State Laws

Virginia’s Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act came into effect in 2023, each establishing a framework for consumer data privacy. The Utah Consumer Privacy Act, meanwhile, takes a more business-friendly approach, with higher applicability thresholds and fewer consumer rights than the other states.

Common features:

Transparency about data collection.
Data security requirements.
Consumer rights requests.
Opt-in consent for sensitive personal data.
Data protection assessments for high-risk processing.

Together, these acts shape the evolving US privacy landscape and set new standards for data protection compliance.

Emerging State Legislation

New laws, such as the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and the Nebraska Data Privacy Act, along with legislation in Montana, Delaware, New Hampshire, Iowa, Tennessee, and others, are expected to take effect between 2024 and 2026.

These laws establish data privacy frameworks, granting consumers new rights and setting enforcement and compliance requirements for businesses operating in their respective states.

These laws address:

Automated decision-making.
Artificial intelligence.
Biometric data processing.

Core Consumer Rights and Business Obligations

Modern state laws establish standard rights for data subjects and impose clear duties on businesses to protect personal information and uphold privacy principles. These laws aim to empower consumers with control over their personal data while requiring businesses to handle data responsibly and transparently.

Consumer Rights

Consumers are granted a range of rights to manage their personal information, including:

Right to Know: Consumers have the right to be informed about what personal information is collected about them, the purposes for which it is used, and the categories of third parties with whom it is shared.

Right to Access and Data Portability: Individuals can request access to their personal information and obtain it in a portable, commonly used electronic format, enabling them to transfer data between service providers.

Right to Deletion: Consumers have the right to request the deletion of their personal information held by businesses, subject to certain exceptions, such as legal obligations or legitimate business interests.

Right to Correction: If personal data is inaccurate or incomplete, consumers have the right to request corrections to ensure the accuracy of their data.

Right to Opt-Out: Consumers may opt out of the sale, sharing, or targeted advertising involving their personal information, giving them greater control over how their data is monetised or used for marketing.

Right to Non-Discrimination: Certain state laws, such as those in California and Virginia, include a non-discrimination clause that protects consumers who exercise their privacy rights from being refused services or charged different prices for the same services.

Business Obligations

To comply with these rights and build trust, businesses must follow several key obligations:

Transparency: Companies must publish clear and accessible privacy policies that detail their data collection, use, sharing, and retention practices.

Data Minimisation: Businesses should collect only the personal information necessary for the specified purposes, reducing unnecessary data exposure.

Reasonable Security Measures: Organisations are required to implement appropriate technical, administrative, and physical safeguards to protect personal data from unauthorised access, loss, or misuse.

Consumer Request Handling: Businesses must establish processes to receive, verify, and respond to consumer requests regarding their personal information within legally mandated timeframes.

Identity Verification: To prevent fraud and unauthorised disclosures, businesses must verify the identity of individuals making data access or deletion requests.

Compliance with Sensitive Data Rules: Enhanced protections apply when processing sensitive personal information, such as biometric data or consumer health data, often requiring explicit consumer consent.

Children’s Data Protection: Special rules govern the collection and processing of data from minors, including requirements for verifiable parental consent and limitations on the use of data.

Accountability and Governance

Modern privacy laws emphasise accountability, requiring businesses to demonstrate compliance through documentation, training, and regular assessments. This includes conducting data protection impact assessments for high-risk processing activities, such as targeted advertising or profiling, appointing privacy officers or teams, and maintaining records of data processing activities.

By respecting consumer rights and fulfilling their obligations, businesses not only comply with legal requirements but also build consumer trust and competitive advantage in an increasingly privacy-conscious market.

Universal Consumer Rights

Consumers have the right to:

Know what personal information is collected.
Exercise data portability, allowing them to access and transfer their data in a portable format.
Delete personal information, subject to specific exceptions.
Correct inaccurate data.
Opt out of sales, sharing, and targeted advertising.

Business Compliance Requirements

Businesses must:

Publish clear privacy policies.
Limit data collection to necessary information.
Implement reasonable security measures.
Comply with legal obligations when processing personal data.
Process consumer requests within deadlines.
Verify identities to prevent fraud.

Sensitive Data Protections

Sensitive personal information, such as biometric data and health information, receives stronger protections.

Processing sensitive data under many state laws may require explicit consent from consumers or additional protections. Special rules protect children’s data, often requiring parental consent.

Compliance Strategies and Enforcement

Effective compliance addresses multiple laws and adapts to new rules. In addition to privacy requirements, effective compliance strategies must also address data security laws, which mandate specific security measures and breach notifications.

Multi-State Compliance Approach

Businesses should adopt a single privacy program that meets the strictest state requirements; this reduces complexity across jurisdictions.

Data protection assessments are critical for high-risk processing.

Universal opt-out signals, such as Global Privacy Control, are emerging as compliance tools.

A Data Protection Officer monitors compliance and coordinates across departments.

Enforcement and Penalties

State attorneys general enforce most laws, and violations can result in civil penalties ranging from $2,500 to $10,000 per violation.

Recent actions include:

California’s $1.55 million settlement for CCPA violations, following enforcement action by the state attorney general.

FTC fines exceeding $250 million annually as a result of enforcement action against privacy law violations.

The private right of action is limited, except in California and under Illinois’ biometric privacy law.

Practical Compliance Steps

Steps include:

Data mapping and inventory.

Reviewing data collection practices to meet legal obligations, registration requirements, and disclosure obligations.

Updating privacy policies.

Building consumer request systems.

Conducting data protection impact assessments for high-risk processing activities, such as targeted advertising or profiling.

Vendor due diligence and contracts.

Completing the data broker registration process with the appropriate state authority, if applicable.

Employee training.

The Future of US Privacy Regulation

US privacy laws will continue to expand as states fill the gaps left by federal laws. Future regulations will likely focus on strengthening personal data privacy and expanding privacy laws to address evolving consumer expectations and technological advancements.

There is increasing regulatory attention to online monitoring practices, as lawmakers and regulators scrutinise how businesses track and analyse user activity for targeted advertising and data collection.

Congressional Efforts Toward Federal Law

Proposals like the American Data Privacy and Protection Act aim for national standards but face political hurdles. Some federal proposals include provisions for national data security standards.

Continued State-Level Expansion

More states are expected to adopt privacy laws in 2025 and 2026, covering areas such as AI, automated decision-making, biometric data, and children’s online safety. These new state laws will regulate how businesses process consumer data and are designed to protect its privacy and security.

There is a growing trend toward enacting data privacy laws at the state level, with legislation granting consumers rights over their personal data and setting requirements for how organisations process consumer data.

International Considerations

The EU-US Data Privacy Framework governs the transfer of data between the US and the European Union and influences domestic privacy practices. International data transfers must respect the rights of the data subject and protect private information, meeting both US and European data security laws.

Businesses should prepare flexible privacy programs to meet evolving requirements and maintain consumer trust. Online services, in particular, have obligations to comply with both US and international privacy standards when handling personal data across borders.