U.S. Privacy Laws: The Complete Guide | Varonis (2024)

The United States has a patchwork and ever-changing web of laws governing data privacy. While there’s no comprehensive federal privacy decree, several laws do focus on specific data types or situations regarding privacy.

Without a holistic statute, however, it can be unclear what protections are in place for the various types of personal information that companies handle. Despite the lack of a comprehensive privacy framework, organizations that process or store data are still responsible for staying up to date on the latest regulations to ensure compliance.

This guide provides details of the major U.S. privacy laws and shares some recent updates and changes. You can also download this detailed fact sheet for a quick background on U.S. data protection laws.


  • Online privacy and security: How is it handled?
  • U.S. privacy laws with a vertical focus
  • New U.S. state data privacy laws
  • Which privacy requirements apply to me?
  • Data privacy FAQ

Online privacy and security: How is it handled?

Unlike other forms of communication, such as physical mail, online privacy and security are more difficult to govern. This can leave individuals vulnerable to an invasion of privacy.

Internet security and deceptive advertising: How do they relate?

The internet has revolutionized our lives and work, providing unprecedented access to information and communication. However, along with this increased connectivity comes new risks to privacy. Everyone’s lives are now online, leaving behind a digital trail of personal data that unscrupulous businesses or individuals can exploit.

Thankfully, data privacy laws govern the collection, use, and disclosure of personal data and set standards for how businesses need to handle sensitive data. The Federal Trade Commission (FTC) is the principal enforcer of these laws in the U.S. In recent years, the FTC has taken several enforcement actions against companies that have misled consumers about their data security and privacy practices.

For example, in 2012, the FTC reached a settlement with Google after it accused the company of misrepresenting its privacy policies to users of its service. Under the settlement terms, Google agreed to pay a $22.5 million fine and change its privacy practices. More recently, in 2018, the FTC took action against Facebook for deceiving users about their ability to control the visibility of their personal information. Again, under a settlement with the FTC, Facebook agreed to pay a $5 billion fine and make significant changes to its privacy measures.

These cases show that the FTC is willing to crack down on companies that violate consumer privacy laws. These examples also set a critical precedent for future internet privacy lawsuits — as people’s lives continue to move online, strong laws must be in place to protect data from exploitation.

GDPR vs. CCPA: How do U.S. and EU privacy laws compare?

GDPR vs. CCPA: How do they differ?

GDPR:

  • Broad reach: Applies to all organizations worldwide that process or monitor EU citizens' data
  • Consistent enforcement: Levies heavy fines against companies in violation
  • Dedicated oversight: Requires the appointment of a data protection officer to oversee compliance

CCPA:

  • Narrow reach: Applies only to organizations that do business in California
  • Inconsistent enforcement: Gives residents enforcement power via litigation against violating companies
  • Lack of oversight: Does not require the appointment of an officer to oversee enforcement

The United States and Europe have the most comprehensive data security and privacy laws; the EU’s General Data Protection Regulation (GDPR) came into effect in 2018, while the California Consumer Privacy Act (CCPA) took effect in 2020.

GDPR and CCPA set strict standards for how service providers must handle personal data, including ensuring that data collection is transparent, secure, and obtained with the concerned individual's consent. The standards also provide individuals the right to know what personal data is collected about them and allow them to access it and request its deletion.

The main difference between CCPA and GDPR is that GDPR applies to any organization that processes or intends to process EU citizens’ sensitive data, regardless of location. GDPR compliance is mandatory for any organization that processes the personal data of EU citizens, regardless of whether those individuals are its customers. There are also no entity revenue or processing thresholds for GDPR applicability.

CCPA only covers entities that do business in California. This regulation applies to entities satisfying thresholds such as annual revenues above $25 million, any organization that processes personal data of more than 50,000 individuals, and those entities that acquire 50 percent of their revenue from selling data.

These requirements mean GDPR has a much broader reach and protection than CCPA. Enforcement also differs: GDPR provides heavy fines for service providers violating its provisions, whereas CCPA offers California residents the right to sue businesses for damages if there's a violation of their consumer rights.

Finally, GDPR requires companies to appoint a data protection officer, while CCPA has no such requirement. While GDPR and CCPA are strong data protection laws providing individuals with robust rights and protection, GDPR applicability extends beyond U.S. borders, making it one of the most far-reaching data protection structures today.

It's crucial for organizations to consult with legal counsel and carefully consider which laws apply to them, ensuring compliance with each applicable requirement.

U.S. privacy laws with a vertical focus

Generally speaking, privacy laws fall into two categories: vertical and horizontal. Vertical privacy laws protect data in a specific sector, such as medical records or financial data, including details such as an individual's health and financial status.

Horizontal privacy laws focus on how organizations use information, regardless of its context. The types of data covered by these laws include fingerprints, retina scans, biometric data, and other personally identifiable information such as names and addresses.

U.S. data privacy law timeline

  • 1974: U.S. Privacy Act of 1974. Rights and restrictions on data held by government agencies.
  • 1996: Health Insurance Portability and Accountability Act (HIPAA). Healthcare and health insurance personal data protection.
  • 1999: Gramm-Leach-Bliley Act (GLBA). Protects financial nonpublic personal information (NPI).
  • 2000: Children's Online Privacy Protection Act (COPPA). Protects the personal information of those age 12 and younger.

While both vertical and horizontal privacy laws play an essential role in protecting individuals' privacy rights, many view vertical policies as more effective because they're better at targeting specific risks.

U.S. Privacy Act of 1974

The federal government passed the U.S. Privacy Act of 1974 to enhance individual privacy protection. This act established rules and regulations regarding U.S. government agencies' collection, use, and disclosure of personal information. Below are some examples of the guaranteed rights covered by the information privacy rule:

  • The right to request access and correct data if needed: U.S. citizens have the right to access their personal data kept by government agencies and request changes if they believe the information is inaccurate.
  • The right to access data (restricted on an individual basis): Government agencies grant users data access based on their role in their company.
  • The right to information about data uses: Individuals must know how agencies use their personal data upon collection.

HIPAA

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal privacy protection law that safeguards individuals’ medical information. HIPAA applies to all entities that handle protected health information (PHI), including healthcare providers, hospitals, and insurance companies. When a company shares PHI with a healthcare provider or covered entity, individuals have the following rights:

  • The covered entity can use patient data for specific purposes, such as treatment and payment. However, using patient data for marketing requires the healthcare provider to obtain explicit authorization from the patient, who owns their private information.
  • The healthcare provider must furnish the patient with a notice of privacy practices that outlines how the provider will use and protect the patient's data. Patients can request restrictions on how healthcare providers use and disclose their private information.
  • Patients have the right to update their medical records if they believe the information is inaccurate.

COPPA

Congress enacted the Children's Online Privacy Protection Act (COPPA) in 1998 to protect the online privacy of minors under the age of 13. COPPA applies to any website or online service that collects, uses, or discloses personal information from children. Under COPPA, websites and online services must take the following steps to protect children’s privacy:

  • Post a clear and concise privacy policy explaining what information service providers will collect from children, how they will use it, and under what circumstances they will disclose it to third parties.
  • Secure parental consent before collecting, using, or disclosing personal data from children.
  • Provide parents with the opportunity to review and delete their child’s personal information.

GLBA

In 1999, the Gramm-Leach-Bliley Act (GLBA) was signed into law. This law protects consumer privacy and applies to any financial institution that collects, uses, or discloses personal information. Financial institutions must take the following steps to protect individuals’ privacy:

  • Explain information-sharing practices to customers and allow them to opt out of having their data shared with third parties.
  • Follow established guidelines for how financial institutions can collect, use, and protect customer data. The law applies to all types of consumer data, including information collected online.
  • Develop and implement a written information security program to protect customer data from unauthorized access.

New U.S. state data privacy laws

Privacy laws in the U.S. vary by state — some states have signed laws that provide privacy protections, while others have no rules. Below are some examples of signed and proposed individual state privacy laws:

California

In 2020, voters in California passed the California Privacy Rights Act (CPRA), an amendment to the CCPA. The CPRA provides additional protection for Californians, such as the right to know what personal data entities are collecting about them and the right to know if businesses are selling their data and to whom.

Colorado

The Colorado Privacy Act is a new law that will take effect on July 1, 2023. It will require businesses to disclose their data collection and sharing practices to consumers and will give Colorado residents the right to opt out of the sale of their personal data. The law also imposes strict penalties on companies and authorizes the state attorney general to bring enforcement actions.

Connecticut

The Connecticut Personal Data Privacy and Online Monitoring Act covers any business that collects personal information from Connecticut residents. The law provides privacy protection regulations for data controllers and processors and requires them to take reasonable security measures to protect personal data.

Maryland

The Maryland Online Consumer Protection Act protects consumers from cybersecurity threats, including data breaches, theft, phishing, and spyware. While this law is similar to other state privacy laws, it’s more comprehensive in certain respects.

For instance, Maryland law requires businesses to take reasonable steps to protect consumers' personal information from unauthorized access, use, or disclosure. The law also requires entities to provide consumers with a way to opt out of having their personal information collected, used, or sold.

This act applies to all businesses that collect, use, or disclose personal data about Maryland residents, including out-of-state companies that sell goods or services to Maryland locals.

Massachusetts

The Massachusetts Data Privacy Law is a set of regulations governing businesses' handling of personal information. The law applies to any organization that holds, uses, or discloses personal data about Massachusetts residents.

Some of the law’s provisions state that companies must obtain consumer consent before collecting or using their data. In addition, entities must take necessary steps to secure consumer data. The state law also establishes that companies must disclose how they use consumer data and allow customers to opt out of specific uses. Finally, organizations must ensure that the data they collect is accurate and up-to-date.

New York

The New York Privacy Act is one of the most comprehensive pieces of privacy and security legislation in the U.S. This law sets strict rules about how businesses must handle consumers’ personal information and gives individuals new rights concerning data. The act significantly impacts companies operating in New York state and helps ensure all residents control their personal information. Some key provisions of the privacy law include:

  • Entities must disclose what categories of consumer data they collect, use, or sell, and the purposes for which they’ll use the data.
  • Robust enforcement mechanisms provide a private right of action and implement civil penalties per violation.

Virginia

The Virginia Consumer Data Protection Act is a new law that’ll take effect on January 1, 2023. It will require businesses to take reasonable steps to protect consumer data privacy, confidentiality, and integrity.

This new law applies to any business that collects, uses, or discloses the personal information of 100,000 or more Virginia consumers or derives 50 percent or more of its revenue from the sale of consumer data.

The law also gives Virginia residents the right to access their personal data and request correction if it’s inaccurate.

U.S. state privacy law comparison

There are some significant distinctions between each state’s laws. For instance, California, New York, and Massachusetts laws cover any company that does business in the state, regardless of whether they have an office located there. In comparison, Maryland's law only applies to entities with a physical presence in the state. Also, California and Maryland privacy laws apply to businesses with more than $25 million in annual revenue, while the others have no such limitations.

Which privacy requirements apply to me?

Although the state and federal privacy law ecosystem may seem daunting, there are straightforward ways to determine which regulatory requirements apply to you and your business. Consider your business:

  • Location: Work with your compliance partner and gain a good internal understanding of which state and federal frameworks apply to you.
  • Industry: Different verticals receive different treatment as it relates to U.S. privacy laws, from healthcare to retail to financial services. Along with your compliance partner, you’ll want to conduct a thorough search of industry-specific standards and implement measures and controls to meet HIPAA, the Financial Industry Regulatory Authority, and other industry-specific regulations.
  • Size: If you store large amounts of private or sensitive data using third-party cloud service providers or entities, you should also double-check that their controls don’t jeopardize your compliance in any way.

Using these key factors, homing in on which privacy requirements apply to your organization can be a relatively straightforward endeavor.

Data privacy FAQ

Below are frequently asked questions about data privacy laws.

Q: How do privacy laws in the U.S. differ from those in Europe?

A: The most significant difference is that the U.S. doesn't have a single, comprehensive federal privacy law like the EU's GDPR. Instead, the U.S. has a patchwork of federal and state laws that offer varying levels of protection for consumers' personal data.

Q: What are the main points of U.S. federal and state privacy laws?

A: Most U.S. privacy laws share a few main provisions, such as obtaining consumer consent before collecting or using personal data and the need to take data security steps. However, there are some crucial differences between the laws, so it’s essential to check the specific requirements of each decree to ensure compliance.

Q: What are the consequences of violating U.S. privacy laws?

A: The consequences of violating U.S. privacy laws can vary depending on the law. In some cases, entities may be subject to fines or other penalties. In other cases, consumers may have the right to sue the company for damages.

The future of data privacy laws

As more private and sensitive data digitally changes hands each year, it becomes increasingly critical to understand the laws protecting our privacy. In the United States, internet privacy laws are still evolving, but they are a strong start toward protecting personal data. Citizens and residents can expect more states to pass comprehensive privacy laws in the future, and the federal government may eventually pass a law that provides nationwide protection for consumers’ data.

In the meantime, staying informed about the latest security controls and data privacy developments is essential in taking steps to protect your personal information. Deploying data loss prevention and threat detection solutions can also help you keep your data safe and ensure compliance with privacy laws.


