Updated: June 2026
The United States has one of the most complex privacy regulatory systems in the world. Unlike Europe’s single GDPR framework, American businesses must comply with a patchwork of federal and state data protection laws. There is currently no all-encompassing federal data privacy legislation, so organisations must rely on state laws to fill the gaps in privacy protection. This creates significant challenges for organisations handling personal data.
Several states have enacted consumer privacy laws that regulate how personal data is collected and used and that set out how those rules are enforced. Federal regulations target specific sectors. Understanding this environment is essential for compliance.
Businesses must comply with sector-specific federal laws, such as HIPAA for healthcare data, and state privacy laws, like the California Consumer Privacy Act. Ongoing efforts to pass a federal consumer privacy law could eventually unify these requirements; for now, the lack of a single federal consumer privacy law creates overlapping jurisdictions, varying consumer rights, and different enforcement methods.
• The United States lacks a comprehensive federal data privacy law, resulting in a patchwork of sector-specific federal regulations and a range of state data privacy laws that businesses must navigate for compliance.
• Consumer privacy rights under state privacy laws typically include the right to know what personal information is collected, the right to access and delete data, and the right to opt out of the sale or sharing of personal information, with enhanced protections for sensitive data and the information of children.
• Successful compliance requires businesses to implement reasonable security practices, maintain transparency through clear and comprehensive privacy policies, respond to consumer requests within the required timeframes, conduct data protection impact assessments for high-risk processing, and stay informed about evolving federal and state privacy regulations.
US federal privacy laws use a sectoral approach. Different industries and data types are governed by specific statutes rather than a single data privacy law. This creates strong protections in some areas but gaps in others, which states address. When working with federal privacy laws, it is important to understand key definitions, as these clarify the scope and obligations under each statute.
HIPAA governs how healthcare providers, plans, and business associates handle protected health information.
Key points:
• The Privacy Rule sets minimum standards for the use and disclosure of protected health information.
• The Security Rule requires technical and administrative safeguards.
• Organisations must have a written information security program and conduct risk assessments.
• Business associates must sign agreements to protect health information.
• Patients can request access to and corrections of their medical records and authorise disclosures.
Financial institutions are subject to multiple federal laws that protect consumer financial data.
Important laws:
• The Gramm-Leach-Bliley Act requires clear information-sharing practices and data security programs.
• The Fair Credit Reporting Act governs how credit reporting agencies handle consumer credit information.
• These laws require privacy notices, reasonable security measures, and often opt-out rights for data sharing.
COPPA protects children under 13 online.
Requirements include:
• Verifiable parental consent before collecting data.
• Clear privacy notices.
• Parental access to children’s information.
• Reasonable data security measures.
The Federal Trade Commission actively enforces COPPA with significant penalties for violations.
The Federal Trade Commission enforces privacy rights under Section 5 of the FTC Act, which prohibits unfair and deceptive practices.
The FTC targets companies that:
• Fail to follow their own privacy policies.
• Lack adequate data security.
• Ignore consumer opt-out requests.
The commission focuses on transparency, consumer choice, and data security. The FTC regularly initiates enforcement actions against companies that violate privacy laws.
States lead in creating data privacy laws due to stalled federal efforts. Each state privacy law contributes to a growing patchwork of requirements, with varying scopes, enforcement mechanisms, and rights for individuals.
As organisations work on compliance, they must account for the differences among various states’ laws, which can affect requirements and enforcement across jurisdictions.
California’s laws include the California Consumer Privacy Act and the California Privacy Rights Act, administered by the California Privacy Protection Agency.
Consumer rights include:
• Knowing what personal information is collected.
• Deleting personal information.
• Correcting inaccurate data.
• Opting out of the sale or sharing of personal data.
Businesses must provide detailed privacy notices and implement reasonable security measures to protect their customers’ data. California enforces these laws through regulators and private rights of action in data breach cases.
Virginia’s Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act came into effect in 2023, each establishing a framework for consumer data privacy. Utah’s Consumer Privacy Act takes a more business-friendly approach, with higher applicability thresholds and fewer consumer rights than in other states.
Common features:
• Transparency about data collection.
• Data security requirements.
• Consumer rights requests.
• Opt-in consent for sensitive personal data.
• Data protection assessments for high-risk processing.
These acts are significant in shaping the evolving US privacy landscape and establishing new standards for data protection compliance.
New laws, such as the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and the Nebraska Data Privacy Act, along with legislation in Montana, Delaware, New Hampshire, Iowa, Tennessee, and others, have been taking effect since 2024.
These laws establish data privacy frameworks, granting consumers new rights and setting enforcement and compliance requirements for businesses operating in their respective states.
These laws address:
• Automated decision-making.
• Artificial intelligence.
• Biometric data processing.
Modern state laws establish standard rights for data subjects and impose clear duties on businesses to protect personal information and uphold privacy principles. These laws aim to give consumers control over their personal data while requiring businesses to handle data responsibly and transparently.
Consumers are granted a range of rights to manage their personal information, including:
• Right to Know: Consumers have the right to be informed about what personal information is collected about them, the purposes for which it is used, and the categories of third parties with whom it is shared.
• Right to Access and Data Portability: Individuals can request access to their personal information and obtain it in a portable, commonly used electronic format, enabling them to transfer data between service providers.
• Right to Deletion: Consumers have the right to request the deletion of their personal information held by businesses, subject to certain exceptions, such as legal obligations or legitimate business interests.
• Right to Correction: If personal data is inaccurate or incomplete, consumers have the right to request corrections to ensure the accuracy of their data.
• Right to Opt-Out: Consumers may opt out of the sale, sharing, or targeted advertising involving their personal information, giving them greater control over how their data is monetised or used for marketing.
• Right to Non-Discrimination: Certain state laws, such as those in California and Virginia, include a non-discrimination clause that protects consumers who exercise their privacy rights, prohibiting businesses from refusing them service or charging them different prices for the same services.
To comply with these rights and build trust, businesses must follow several key obligations:
• Transparency: Companies must publish clear and accessible privacy policies that detail their data collection, use, sharing, and retention practices.
• Data Minimisation: Businesses should collect only the personal information necessary for the specified purposes, reducing unnecessary data exposure.
• Reasonable Security Measures: Organisations are required to implement appropriate technical, administrative, and physical safeguards to protect personal data from unauthorised access, loss, or misuse.
• Consumer Request Handling: Businesses must establish processes to receive, verify, and respond to consumer requests regarding their personal information within legally mandated timeframes.
• Identity Verification: To prevent fraud and unauthorised disclosures, businesses must verify the identity of individuals making data access or deletion requests.
• Compliance with Sensitive Data Rules: Enhanced protections apply when processing sensitive personal information, such as biometric data or consumer health data, often requiring explicit consumer consent.
• Children’s Data Protection: Special rules govern the collection and processing of data from minors, including requirements for verifiable parental consent and limitations on the use of data.
Modern privacy laws require businesses to demonstrate compliance through documentation, training, and regular assessments. This includes conducting data protection impact assessments for high-risk processing activities such as targeted advertising or profiling, appointing privacy officers or teams, and maintaining records of data processing activities.
Respecting consumer rights and meeting these obligations satisfies legal requirements and builds trust with privacy-conscious consumers.
Consumers have the right to:
• Know what personal information is collected.
• Exercise data portability, allowing them to access and transfer their data in a portable format.
• Delete personal information, except for specific exemptions.
• Correct inaccurate data.
• Opt out of sales, sharing, and targeted advertising.
Businesses must:
• Publish clear privacy policies.
• Limit data collection to necessary information.
• Implement reasonable security measures.
• Comply with legal obligations when processing personal data.
• Process consumer requests within deadlines.
• Verify identities to prevent fraud.
Sensitive personal information, such as biometric data and health information, receives stronger protections.
Processing sensitive data under many state laws may require explicit consumer consent or additional protections. Special rules protect children’s data, often requiring parental consent.
Effective compliance addresses multiple laws and adapts to new rules. In addition to privacy requirements, effective compliance strategies must also address data security laws, which mandate specific security measures and breach notifications.
Adopting a single privacy programme that meets the strictest state requirements reduces complexity for businesses operating across several states.
Data protection assessments are critical for high-risk processing.
Universal opt-out signals, such as Global Privacy Control, are emerging as compliance tools.
A Data Protection Officer monitors compliance and coordinates across departments.
State attorneys general enforce most laws, and violations can result in civil penalties ranging from $2,500 to $10,000 per violation.
Recent actions include:
• California’s $1.55 million settlement for CCPA violations, following enforcement action by the state attorney general.
• FTC fines exceeding $250 million annually as a result of enforcement action against privacy law violations.
The private right of action is limited, except in California and under Illinois’ biometric privacy law.
Practical compliance steps include:
• Data mapping and inventory.
• Reviewing data collection practices to meet legal obligations, registration requirements, and disclosure obligations.
• Updating privacy policies.
• Building consumer request systems.
• Conducting data protection impact assessments for high-risk processing activities, such as targeted advertising or profiling.
• Vendor due diligence and contracts.
• Completing the data broker registration process with the appropriate state authority, if applicable.
• Employee training.
US privacy laws will continue to expand as states fill the gaps left by federal laws. Future regulations will likely focus on strengthening personal data privacy and addressing areas such as artificial intelligence, automated decision-making, and children’s online safety.
There is increasing regulatory attention to online monitoring practices, as lawmakers and regulators scrutinise how businesses track and analyse user activity for targeted advertising and data collection.
Proposals like the American Data Privacy and Protection Act aim for national standards but face political hurdles. Some federal proposals include provisions for national data security standards.
More states are expected to adopt privacy laws in 2026 and beyond, covering areas such as AI, automated decision-making, biometric data, and children’s online safety. These new state laws will regulate how businesses process consumer data and are designed to protect consumer privacy and security.
There is a growing trend toward enacting data privacy laws at the state level, with legislation granting consumers rights over their personal data and setting requirements for how organisations process consumer data.
The EU-US Data Privacy Framework governs the transfer of data between the US and the European Union and influences domestic privacy practices. International data transfers must respect the data subject’s rights and protect personal information, while meeting both US and European data security standards.
Businesses should build flexible privacy programmes to meet evolving requirements and maintain consumer trust. Online services, in particular, have obligations to comply with both US and international privacy standards when handling personal data across borders.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.