Global Data Privacy Guide

USA, District of Columbia (Federal Law)

Jurisdiction: United States. Firm: Steptoe LLP. Updated 08 Aug 2025.
1. What is the key legislation?

Unlike many other countries, the United States does not have a single, overarching privacy law regulating the processing of personal information. Instead, there is an array of federal and state laws that regulate different aspects of privacy in the United States.

Federal Law

For instance, the Gramm-Leach-Bliley Act (“GLBA”) and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) establishes privacy and data security requirements for entities in the health and medical sector. The Electronic Communications Privacy Act of 1986 (“ECPA”)—composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act—establishes rules governing the privacy of electronic communications, including limits on disclosures by communications providers, prohibitions on access to communications content and non-content information, and restrictions on government access to stored communications and communications in transmission. Another key federal law is the Federal Trade Commission Act (“FTCA”), which prohibits “unfair” or “deceptive” acts or practices in commerce. The Federal Trade Commission (“FTC”) has interpreted the “unfairness” prong of this Act as requiring companies to ensure reasonable security for the personal information of consumers.

Other federal laws regulating privacy include (but are not limited to):

- The Cable Communications Policy Act of 1984 (“Cable Act”), which amended the Communications Act of 1934 and protects the personal information of customers of cable service providers;
- The Children’s Online Privacy Protection Act of 1998 (“COPPA”), which established rules for the collection, retention, and disclosure of personal information from children under 13 years of age online;
- The Communications Act of 1934, which requires telecommunications carriers to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers;
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”), which regulates unsolicited commercial email and generally preempts state anti-spam laws;
- The Driver’s Privacy Protection Act of 1994 (“DPPA”), which protects the privacy of personal information contained in motor vehicle records;
- The Fair Credit Reporting Act (“FCRA”), which was amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), and limits the collection, use, maintenance, and dissemination of personal information assembled by Credit Reporting Agencies;
- The Family Educational Rights and Privacy Act of 1974 (“FERPA”), which protects the privacy of student education records and applies to all schools that receive funds from the U.S. Department of Education;
- The Freedom of Information Act (“FOIA”), which provides for the disclosure of previously unreleased information and documents controlled by the federal government;
- The Privacy Act of 1974, which established rules for the collection, maintenance, use, and dissemination of information about individuals maintained in systems of records by federal agencies;
- The Telephone Consumer Protection Act of 1991 (“TCPA”), which amended the Communications Act of 1934 and bars most auto-dialed or prerecorded calls, texts, and faxes unless made with prior express consent; and
- The Video Privacy Protection Act of 1988 (“VPPA”), which generally prevents the disclosure of personally identifiable rental records of “prerecorded video cassette tapes or similar audiovisual material.”

In addition to federal statutes, federal agencies often issue rules and regulations regarding the collection and use of U.S. citizens’ personal information that amend or create new requirements under existing federal laws. A few of these rules/regulations include, but are not limited to:

- The Department of Justice’s (“DOJ”) 2025 Final Rule—implementing a February 28, 2024 Executive Order, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”)—which prohibits and restricts “bulk” data transactions with countries that have demonstrated a willingness and capability to use Americans’ sensitive personal data to threaten U.S. national security;
- The Securities and Exchange Commission’s (“SEC”) Regulation S-P (“Reg S-P”), which was recently amended to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions;
- The FTC’s Safeguards Rule, which requires companies regulated under the GLBA to report certain data breaches of consumer information and other security events to the FTC; and
- The FTC’s final rule amendments to COPPA, which set new requirements around the collection, use, and disclosure of children’s personal information and gave parents new tools and protections to help them control what data is provided to third parties about their children.

State Law

All of the states and U.S. territories also have laws affecting privacy. All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have laws requiring businesses to notify affected individuals and (in some cases) regulators if they experience a breach of the security of personal information (with varying definitions of “personal information”). California was the first state to pass such a data breach reporting law. See California Database Security Breach Notification Act, S.B. 1386 (Cal. 2002), amending Cal. Civ. Code §§ 1798.29, 1798.82 & 1798.84.

Most states either have enacted or are beginning to enact overarching privacy laws affecting everything from the collection of personal information to the deletion of personal information and almost everything in between. The first such law was enacted by California as the California Consumer Privacy Act (“CCPA”), which came into effect on January 1, 2020. The CCPA was amended by the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023, and applies to data collected on or after January 1, 2022. Since then, several other states have enacted analogous legislation. Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have all adopted comprehensive data privacy laws that are currently in effect. Indiana, Kentucky, and Rhode Island have laws that will be effective in late 2025 or early 2026. Other states, such as Massachusetts, Michigan, North Carolina, and Pennsylvania, are considering similar legislation.

An increasing number of states also impose general requirements to implement reasonable security measures to protect personal information. See, e.g., Massachusetts Security Breach Notification Law, Mass. Gen. Laws ch. 93H, and Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq.; New York Stop Hacks and Improve Electronic Data Security Act, S.B. S5575B. Many states also impose limits on the collection and processing of Social Security numbers. See, e.g., Virginia Personal Information Privacy Act, Va. Code Ann. § 59.1-443.2.

A growing number of states are also implementing laws that target the collection and sale of minors’ data online. For example, Colorado’s CPA and New York’s Stop Addictive Feeds Exploitation (“SAFE Kids Act”) both require opt-in consent for the collection of teens’ data, unless reasonably or strictly necessary to provide a service or product, and for the sale of teen data or its use for targeted advertising.

Several states have laws that target the collection and use of biometric or health data. Illinois’s Biometric Information Privacy Act (“BIPA”), for example, regulates how private companies can collect, store, use, and share biometric information, such as fingerprints, retina scans, and voiceprints. BIPA also allows individuals to sue companies for violations of the law, including for negligent or reckless handling of biometric data. The Washington My Health My Data Act (“WMHMDA”) and Nevada’s consumer health data law (SB 370) both require businesses to be transparent about how they collect, use, and share consumer health data, obtain consent for certain uses, and protect the data’s security. The WMHMDA also allows individuals to sue companies for violations of the law.

Finally, both New York (“New York Department of Financial Services Cybersecurity Regulation”) and Rhode Island (SB 603) impose cybersecurity requirements on financial institutions, including an obligation to provide state authorities with notification of any data breaches. The New York Department of Financial Services Regulation also applies to insurers.
2. What are the key decisions applying that legislation?
1. How are “personal data” and “sensitive data” defined?

Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections. In the state security breach notification law context, for example, the definition of personal information generally includes an individual’s name, Social Security number, driver’s license number, and financial account number. Notably, however, there is a trend toward broadening the definition of personal information in state breach notification laws to include health or medical information, online account information, and/or biometric information. In other contexts, such as FTC enforcement actions, the GLBA, HIPAA, or the CCPA/CPRA, the definition of personal information is broader. Certain laws apply only to electronic personal information, while others are more general.
2. How is the defined data protected?

Data privacy laws in the U.S. protect personal data by imposing restrictions on the collection, use, and sharing of personal data and permitting government enforcement—and in rare instances, individual enforcement—of penalties or damages for violations.
3. Who is subject to privacy obligations?

Generally, U.S. privacy laws apply to all processing of personal information by organizations subject to the jurisdiction of U.S. courts. Many U.S. privacy laws are limited to businesses in certain sectors (for example, the GLBA applying only to covered financial institutions, HIPAA applying to covered health care providers, insurers, information exchanges, and their business associates, etc.). There are also privacy laws that apply to the U.S. government, such as the Privacy Act of 1974 and the ECPA. At the state level, many comprehensive data privacy laws, such as the CCPA, the VCDPA, and the CPA, employ thresholds relating to an entity’s revenue and/or the number of residents whose personal information an entity collects and/or sells. In some cases, the exceptions also extend to non-profits and certain other business types that are already regulated at the federal level.
4. How is “data processing” defined?

Generally, “data processing” under U.S. data privacy law refers to any operation performed on personal data, including but not limited to collecting, recording, organizing, storing, using, or disclosing/sharing personal information. The specific definition of data processing depends on the applicable law or regulation.
5. What are the principles applicable to personal data processing?

Companies that own personal information are required to notify individuals whose data they collect. There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers. For example, certain federal laws, such as the FCRA/FACTA, GLBA, HIPAA, and COPPA (including regulations implementing these laws), require organizations to provide privacy notices in certain circumstances. California’s Online Privacy Protection Act also requires organizations not otherwise subject to specific regulation to post conspicuous privacy policies if they collect personal information from individuals through a website or online service for commercial purposes. State-level omnibus privacy laws have substantially similar notice requirements, mandating that covered entities provide consumers with notice of the categories of personal information to be collected and the purposes of collection, both in their privacy policies and at or before the point of collection. The CPRA requires covered entities also to include information about the sale and retention of personal information at the point of collection.
6. How is the processing of personal data regulated?

Companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices. It is important to ensure that the uses of personal information, and the circumstances in which and entities to which it may be disclosed, are described accurately. If an organization would like to use previously collected personal information for a materially different purpose than those set forth in its privacy notice, or to disclose it to entities or in circumstances different from what is stated in the privacy notice, the FTC and state attorneys general have said that the organization must first obtain consent to the new practice from the consumer.

Several laws also restrict the disclosure of specific types of personal information. For example, the GLBA and HIPAA require an individual’s consent, the offering of an opt-out right, or, under HIPAA, an authorization before making certain disclosures of personal information. At the state level, the CCPA permits consumers to restrict the sale of their personal information. The CPRA also provides consumers with the ability to opt out of the sharing of their personal information with third parties for the purpose of “cross-context behavioral advertising.” Other state laws restrict targeted advertising, require companies to offer opt-outs from certain targeted advertising, and require consumers to consent to uses of data beyond the originally noticed uses.
7. How are storage, security and retention of personal data regulated?

Though there is no comprehensive U.S. data security law, a variety of federal and state statutes and regulations impose obligations on businesses to provide security. In addition, U.S. privacy laws generally do not regulate the retention of personal information directly, but many state laws impose a “data minimization” requirement that generally obligates businesses to delete data that is no longer required. The CCPA, for example, allows California residents to request that businesses delete their personal information (subject to several important exceptions). Many other state laws have borrowed this concept.

The FTC has taken the view that not providing “reasonable” security for consumers’ personal information is an “unfair practice” under the FTCA, and it has brought dozens of enforcement actions against companies on that basis. Companies must consult complaints and consent decrees from past cases to try to understand what constitutes reasonable or unreasonable security in the mind of the FTC.

A variety of other federal statutes and regulations impose more specific security obligations on certain data owners and organizations that process personal information on their behalf. For example, the Safeguards Rule implemented pursuant to the

Several state laws also impose general information security standards on companies that maintain personal information. California has enacted legislation requiring businesses to “implement and maintain reasonable security procedures and practices” to protect personal information about California residents from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5(b). Massachusetts also requires businesses to develop and maintain a comprehensive written information security program, including specific elements. See Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq. Other states are also increasingly adopting specific data security requirements for personal information. For example, New York (“New York Department of Financial Services Regulation”) and Rhode Island (SB 603) have adopted data security requirements for financial institutions. The New York Department of Financial Services Regulation also extends to insurers.

U.S. privacy laws generally do not specify retention schedules, though there are many records retention laws at the federal and state levels that require companies to retain records (including those that contain personal information) for a specified length of time or restrict the retention of records beyond a certain period. Multiple state laws, however, impose data minimization requirements for personal information at a general level. HIPAA has a minimum necessary concept for the use and disclosure of protected health information.
8. What are the data subjects' rights under the data legislation?

There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights, such as the Privacy Act of 1974, HIPAA, COPPA, and FCRA/FACTA. More detail on each of these examples is below:

- The Privacy Act of 1974 requires federal agencies to provide individuals, upon request, with access to information about them, subject to certain exceptions, and allow individuals to request amendments to their records.
- The Privacy Rule enacted pursuant to HIPAA requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them, unless the covered entity has a valid reason to deny such access (e.g., where the PHI is subject to restricted access under other laws, or access to the PHI is reasonably likely to cause substantial harm to another person). A covered entity must either provide the requested access within thirty days of a request or explain its justification for denying access. The Privacy Rule also gives individuals the right to amend their PHI.
- COPPA allows parents or legal guardians to access their child’s personal information upon request, revoke their consent and refuse the further use or collection of personal information from their child, or delete their child’s personal information.
- FCRA/FACTA requires Credit Reporting Agencies to provide individuals with information in their credit files upon request. Individuals may also dispute inaccurate information that appears in a credit report, and inaccurate or unverifiable information must be removed within thirty days of notice of the dispute.

In addition, virtually all comprehensive state data privacy laws, such as the CCPA/CPRA, CPA, and VCDPA, provide consumers with the right to access, correct, or delete their personal information, as well as the right to opt out of the sale or sharing of their personal information for certain purposes, such as targeted advertising, without their consent.
9. What are the consent requirements for data subjects?

Under U.S. data privacy law, consent requirements generally involve providing clear information to individuals about how their data will be collected/used and giving them the option to opt out or, in some cases, opt in to certain data processing activities. Specific consent requirements depend on the applicable law and the type of data being collected, with sensitive data and data collected from children often requiring explicit consent.
10. How is authorization for use of data handled?

Generally, companies can utilize a variety of mechanisms to obtain an individual’s consent to use their data. Specific requirements vary by law. Some laws require written consent (via either physical or electronic means), while others permit electronic opt-in/opt-out consent collection via mechanisms provided by organizations like the Digital Advertising Alliance or the Network Advertising Initiative. Certain laws, including HIPAA and the WMHMDA, have specific content requirements for obtaining authorization.
11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

No, U.S. law does not contain a general restriction on cross-border data transfers. However, the Department of Justice’s (“DOJ”) 2025 Final Rule was recently enacted. It implements a February 28, 2024 Executive Order, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”), and prohibits and restricts “bulk” data transactions with countries that have demonstrated a willingness and capability to use Americans’ sensitive personal data to threaten U.S. national security.
12. How are data "incidents" and "breaches" defined?

Generally, data “incidents” and “breaches” involve the unauthorized access, use, disclosure, deletion, or encryption of one or more individuals’ personal information that is stored or processed in systems that an organization or its service providers use to access, collect, store, use, transmit, protect, or disclose the information. Specific definitions of “incident” or “breach” vary by law.
13. Are there any notification requirements for incidents and/or data breaches?

There is no generally applicable federal breach notification law, but there are several targeted breach notification laws at both the federal and state levels, including:

HIPAA and the HITECH Act

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the FTC apply to vendors of personal health records and third-party service providers pursuant to the Health Breach Notification Rule (HBNR).

GLBA and Federal Interagency Guidance

Several federal banking regulators—the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of Thrift Supervision—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice in 2005, interpreting the Safeguards Rule implemented pursuant to the GLBA to require financial institutions to develop and implement a response program designed to address incidents of unauthorized access to customer information processed in systems the institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of the information. The Guidance also contains breach notification requirements.

State Breach Notification Laws

All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have enacted breach notification laws requiring data owners to notify affected individuals and (in some cases) regulators in the event of unauthorized access to or acquisition of their personal information. Although some state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, other jurisdictions require notification of any incident that meets their definition of a breach. Certain states also mandate industry-specific notification requirements, for example to insurance commissioners and health regulators.
| 14. Who is/are the privacy regulator(s)? | There is no single authority in the United States that regulates privacy law. At the federal level, the regulatory authority responsible for oversight varies based on the applicable law or regulation. The FTC is the primary federal privacy regulator and may bring privacy enforcement actions pursuant to section 5 of the FTCA to address a wide range of alleged violations by entities whose information practices have been deemed “deceptive” or “unfair.” These enforcement actions typically result in consent decrees that prohibit companies from future misconduct and often require biennial audits for up to twenty years. The FTC may also impose a fine on businesses that violate a consent decree. In the financial services context, various financial services and state insurance regulators have adopted standards pursuant to the At the state level, attorneys general may bring enforcement actions for unfair or deceptive trade practices and enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Board to enforce the statute and the CCPA. |
| 15. What are the consequences of a data breach? | Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Violations of the ECPA or the Computer Fraud and Abuse Act (“CFAA”) can lead to both civil liability and criminal sanctions. Many states have also enacted surveillance laws that provide for both civil liability and criminal sanctions in the case of a violation. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations. Privacy breaches have also led to civil lawsuits against breached companies by individuals or other entities affected by the breach, with varying degrees of success. The CCPA expressly provides California residents a private right of action for data breaches. |
| 16. How is electronic marketing regulated? | Several U.S. laws target electronic marketing, including commercial email, telemarketing, text message marketing, and fax marketing. Commercial email is regulated at the federal level by CAN-SPAM, which generally preempts state anti-spam laws. The TCPA and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC, while fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws. In 2021, the U.S. Supreme Court significantly narrowed the scope of a portion of the TCPA restricting the use of auto-dialer equipment to place calls and text messages. In the aftermath of the Supreme Court’s decision, Florida adopted a mini-TCPA law and other states are considering taking similar action. The U.S. Supreme Court’s decision does not affect the TCPA’s prohibition on placing calls to numbers on the Do Not Call Registry. In addition to the federal Do Not Call Registry, certain states maintain their own Do Not Call lists. |
| 17. Are there sector-specific or industry-specific privacy requirements? | Yes. See “What is the key legislation?” There is an array of federal and state laws that regulate different aspects of privacy in the United States, some of which are sector- or industry-specific. For instance, the GLBA and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the HIPAA establishes privacy and data security requirements for entities in the health and medical sector. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The United States does not have a comprehensive law requiring the appointment of a Data Protection Officer (“DPO”) at the federal level. While some federal laws, like HIPAA, mandate specific privacy and security officials, they don't explicitly require a DPO. Many state laws also lack specific DPO requirements. |
| 19. What are the record-keeping and documentation obligations? | Generally, federal and state U.S. privacy laws impose various record-keeping and documentation obligations, which include documenting data processing activities (e.g., the purposes of collection, the types of data collected, and how the data is used), documenting data requests and resolution of data requests from individuals, and cataloging security measures to protect personal data. Specific requirements vary by law. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | While not mandated at the federal level, some U.S. state consumer privacy laws include Data Protection Impact Assessments (“DPIA”) requirements for specific types of data processing. |
| 21. What are the requirements for third-party vendor management and data sharing? | U.S. requirements for third-party vendor management and data sharing vary by law. Generally, U.S. laws require companies and organizations to enter into written agreements with vendors, service providers, and other third-parties that address the use and protection of individuals’ personal information. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations, and the FTC can impose crippling fines for violations of federal privacy law. Many state attorneys general may bring enforcement actions for unfair or deceptive trade practices and to enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Board to enforce the statute and the CCPA. Some state privacy laws also allow individuals to sue for damages when violations occur, such as BIPA. |
| 23. What are the ongoing compliance and audit requirements? | Compliance and audit requirements vary widely depending on the applicable law. The GLBA and HIPAA, for example, require covered entities to conduct regular audits or assessments to ensure the security and confidentiality of personal information. At the state level, a growing number of comprehensive data privacy laws require Data Protection Impact Assessments (DPIAs) or other compliance measures. See “What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?” |
| 24. Are there any recent developments or expected reforms? | At the federal level, the FTC will likely continue its role as the main arbiter of how the government, companies, and other organizations collect and use individuals’ personal data, unless Congress enacts a uniform data privacy law that designates regulatory responsibility over personal data. At the state level, as mentioned, the CCPA and CPRA, effective in 2020 and 2023, respectively, led other states to adopt similar comprehensive data privacy legislation. Since the CCPA was enacted, 19 other states have passed similar comprehensive data privacy laws, and five states have active bills that, if passed, would add to the total. 14 other states are considering comprehensive data privacy bills, but there has not been significant legislative activity recently regarding those bills. Given that virtually all U.S. states have at least considered implementing comprehensive data privacy laws, we can expect the trend toward increased state regulation of the collection and use of individuals’ personal data to continue. |
Unlike many other countries, the United States does not have a single, overarching privacy law regulating the processing of personal information. Instead, there is an array of federal and state laws that regulate different aspects of privacy in the United States.
Federal Law
For instance, the Gramm-Leach-Bliley Act (“GLBA”) and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) establishes privacy and data security requirements for entities in the health and medical sector. The Electronic Communications Privacy Act of 1986 (“ECPA”)—composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act—establishes rules governing the privacy of electronic communications, including limits on disclosures by communications providers, prohibitions on access to communications content and non-content information, and restrictions on government access to stored communications and communications in transmission.
Another key federal law is the Federal Trade Commission Act (“FTCA”), which prohibits “unfair” or “deceptive” acts or practices in commerce. The Federal Trade Commission (“FTC”) has interpreted the “unfairness” prong of this Act as requiring companies to ensure reasonable security for the personal information of consumers.
Other federal laws regulating privacy include (but are not limited to):
The Cable Communications Policy Act of 1984 (“Cable Act”), which amended the Communications Act of 1934, protects the personal information of customers of cable service providers;
The Children’s Online Privacy Protection Act of 1998 (“COPPA”), which established rules for the collection, retention, and disclosure of personal information from children under 13 years of age online;
The Communications Act of 1934, which requires telecommunications carriers to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers;
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”), which regulates unsolicited commercial email and generally preempts state anti-spam laws;
The Drivers Privacy Protection Act of 1994 (“DPPA”), which protects the privacy of personal information contained in motor vehicle records;
The Fair Credit Reporting Act (“FCRA”), which was amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), and limits the collection, use, maintenance, and dissemination of personal information assembled by Credit Reporting Agencies;
The Family Education Rights and Privacy Act of 1974 (“FERPA”), which protects the privacy of student education records and applies to all schools that receive funds from the U.S. Department of Education;
The Freedom of Information Act (“FOIA”), which provides for the disclosure of previously unreleased information and documents controlled by the federal government;
The Privacy Act of 1974, which established rules for the collection, maintenance, use, and dissemination of information about individuals maintained in systems of records by federal agencies;
The Telephone Consumer Protection Act of 1991 (“TCPA”), which amended the Communications Act of 1934 and bars most auto-dialed or prerecorded calls, texts, and faxes unless made with prior express consent; and
The Video Privacy Protection Act of 1988 (“VPPA”), which generally prevents the disclosure of personally identifiable rental records of “prerecorded video cassette tapes or similar audiovisual material.”
In addition to federal statutes, federal agencies often issue rules and regulations regarding the collection and use of U.S. citizens’ personal information that amend or create new requirements under existing federal laws. A few of these rules/regulations include, but are not limited to:
The Department of Justice’s (“DOJ”) 2025 Final Rule—implementing a February 28, 2024 Executive Order, titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”)—which prohibits and restricts “bulk” data transactions with countries that have demonstrated a willingness and capability to use Americans’ sensitive personal data to threaten U.S. national security;
The Securities and Exchange Commission’s (“SEC”) Regulation S-P (“Reg S-P”), which was recently amended to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions;
The FTC’s Safeguards Rule, which requires companies regulated under the GLBA to report certain data breaches of consumer information and other security events to the FTC; and
The FTC’s final rule amendments to COPPA, which set new requirements around the collection, use, and disclosure of children’s personal information and gave parents new tools and protections to help them control what data is provided to third parties about their children.
State Law
All of the states and U.S. territories also have laws affecting privacy. All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have laws requiring businesses to notify affected individuals and (in some cases) regulators if they experience a breach of the security of personal information (with varying definitions of “personal information”). California was the first state to pass such a data breach reporting law. See California Database Security Breach Notification Act, S.B. 1386 (Cal. 2002), amending Cal. Civ. Code §§ 1798.29, 1798.82 & 1798.84.
Most states either have enacted or are beginning to enact overarching privacy laws affecting everything from the collection of personal information to the deletion of personal information and almost everything in between. The first such law was enacted by California as the California Consumer Privacy Act (“CCPA”), which came into effect on January 1, 2020. The CCPA was amended by the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023, and applies to data collected on or after January 1, 2022. Since then, several other states have enacted analogous legislation. Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have all adopted comprehensive data privacy laws that are currently in effect. Indiana, Kentucky, and Rhode Island have laws that will be effective in late 2025 or early 2026. Other states, such as Massachusetts, Michigan, North Carolina, and Pennsylvania, are considering similar legislation.
An increasing number of states also impose general requirements to implement reasonable security measures to protect personal information. See, e.g., Massachusetts Security Breach Notification Law, Mass. Gen. Laws ch. 93H, and Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq.; New York Stop Hacks and Improve Electronic Data Security Act, S.B. S5575B.
Many states also impose limits on the collection and processing of Social Security numbers. See, e.g., Virginia Personal Information Privacy Act, Va. Code Ann. § 59.1-443.2.
A growing number of states are also implementing laws that target the collection and sale of minors’ data online. For example, Colorado’s CPA and New York’s Stop Addictive Feeds Exploitation (“SAFE Kids Act”) both require opt-in consent for the collection of teens’ data (unless reasonably or strictly necessary to provide a service or product) and for the sale of teen data or its use for targeted advertising.
Several states have laws that target the collection and use of biometric or health data. Illinois’s Biometric Information Privacy Act (“BIPA”), for example, regulates how private companies can collect, store, use, and share biometric information, such as fingerprints, retina scans, and voiceprints. BIPA also allows individuals to sue companies for violations of the law, including for negligent or reckless handling of biometric data. The Washington My Health My Data Act (“WMHMDA”) and Nevada’s consumer health data law (SB 370) both require businesses to be transparent about how they collect, use, and share consumer health data, obtain consent for certain uses, and protect the data’s security. The WMHMDA also allows individuals to sue companies for violations of the law.
Finally, both New York (“New York Department of Financial Services Cybersecurity Regulation”) and Rhode Island (SB 603) impose cybersecurity requirements on financial institutions, including an obligation to provide state authorities with notification of any data breaches. The New York Department of Financial Services Regulation also applies to insurers.
Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections.
In the state security breach notification law context, for example, the definition of personal information generally includes an individual’s name, Social Security number, driver’s license number, and financial account number. Notably, however, there is a trend toward broadening the definition of personal information in state breach notification laws to include health or medical information, online account information, and/or biometric information. In other contexts, such as FTC enforcement actions, the GLBA, HIPAA, or the CCPA/CPRA, the definition of personal information is broader. Certain laws apply only to electronic personal information, while others are more general.
Data privacy laws in the U.S. protect personal data by imposing restrictions on the collection, use, and sharing of personal data and permitting government enforcement—and in rare instances, individual enforcement—of penalties or damages for violations.
Generally, U.S. privacy laws apply to all processing of personal information by organizations subject to the jurisdiction of U.S. courts. Many U.S. privacy laws are limited to businesses in certain sectors (for example, the GLBA applying only to covered financial institutions, HIPAA applying to covered health care providers, insurers, information exchanges, and their business associates, etc.). There are also privacy laws that apply to the U.S. government, such as the Privacy Act of 1974 and the ECPA.
At the state level, many comprehensive data privacy laws, such as the CCPA, the VCDPA, and the CPA, employ thresholds relating to an entity’s revenue and/or the number of residents whose personal information an entity collects and/or sells. In some cases, the exceptions also extend to non-profits and certain other business types that are already regulated at the federal level.
Generally, “data processing” under U.S. data privacy law refers to any operation performed on personal data, including but not limited to, collecting, recording, organizing, storing, using, or disclosing/sharing personal information. The specific definition of data processing depends on the applicable law or regulation.
Companies that own personal information are required to notify individuals whose data they collect. There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers.
For example, certain federal laws, such as the FCRA/FACTA, GLBA, HIPAA, and COPPA (including regulations implementing these laws), require organizations to provide privacy notices in certain circumstances. California’s Online Privacy Protection Act also requires organizations not otherwise subject to specific regulation to post conspicuous privacy policies if they collect personal information from individuals through a website or online service for commercial purposes. State-level omnibus privacy laws have substantially similar notice requirements, mandating that covered entities provide consumers with notice of the categories of personal information to be collected and the purposes of collection, both in their privacy policies and at or before the point of collection. The CPRA also requires covered entities to include information about the sale and retention of personal information at the point of collection.
Companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices. It is important to ensure that the uses of personal information, and the circumstances in which and entities to which it may be disclosed, are described accurately.
If an organization would like to use previously collected personal information for a materially different purpose than those set forth in its privacy notice, or to disclose it to entities or in circumstances different from what is stated in the privacy notice, the FTC and state attorneys general have said that the organization must first obtain the consumer’s consent to the new practice.
Several laws also restrict the disclosure of specific types of personal information. For example, the GLBA and HIPAA require an individual’s consent, the offering of an opt-out right, or, under HIPAA, an authorization before making certain disclosures of personal information.
At the state level, the CCPA permits consumers to restrict the sale of their personal information. The CPRA also provides consumers with the ability to opt-out of the sharing of their personal information with third parties for the purpose of “cross-context behavioral advertising.” Other state laws restrict targeted advertising, require companies to offer opt-outs from certain targeted advertising, and require consumers to consent to uses of data beyond the originally noticed uses.
Though there is no comprehensive U.S. data security law, a variety of federal and state statutes and regulations impose obligations on businesses to provide security.
U.S. privacy laws generally do not regulate the retention of personal information directly, but many state laws impose a “data minimization” requirement that generally obligates businesses to delete data that is no longer required. In addition, the CCPA, for example, allows California residents to request that businesses delete their personal information (subject to several important exceptions). Many other state laws have borrowed this concept.
The FTC has taken the view that not providing “reasonable” security for consumers’ personal information is an “unfair practice” under the FTCA, and it has brought dozens of enforcement actions against companies on that basis. Companies must consult complaints and consent decrees from past cases to try to understand what constitutes reasonable or unreasonable security in the mind of the FTC.
A variety of other federal statutes and regulations impose more specific security obligations on certain data owners and organizations that process personal information on their behalf. For example, the Safeguards Rule implemented pursuant to the GLBA (and updated by the FTC) requires financial institutions to “develop, implement, and maintain a comprehensive information security program” with “administrative, technical, and physical safeguards” to protect the security, confidentiality, and integrity of all nonpublic personal information. COPPA requires operators of commercial websites and online services to maintain the confidentiality, security, and integrity of “personal information” (as defined by the FTC’s implementing regulation) they collect from children. The Security Rule implemented pursuant to HIPAA prescribes detailed administrative, technical, and physical safeguards for covered entities and their business associates to protect the security, confidentiality, availability, and integrity of electronic protected health information.
Several state laws also impose general information security standards on companies that maintain personal information. California has enacted legislation requiring businesses to “implement and maintain reasonable security procedures and practices” to protect personal information about California residents from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5(b). Massachusetts also requires businesses to develop and maintain a comprehensive written information security program, including specific elements. See Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq. Other states are also increasingly adopting specific data security requirements for personal information. For example, New York (“New York Department of Financial Services Regulation”) and Rhode Island (SB 603) have adopted data security requirements for financial institutions. The New York Department of Financial Services Regulation also extends to insurers.
In addition, U.S. privacy laws generally do not specify retention schedules, though there are many records retention laws at the federal and state levels that require companies to retain records (including those that contain personal information) for a specified length of time or restrict the retention of records beyond a certain period. Multiple state laws, however, impose data minimization requirements for personal information at a general level. HIPAA has a minimum necessary concept for the use and disclosure of protected health information.
There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights, such as the Privacy Act of 1974, HIPAA, COPPA, and FCRA/FACTA. More detail on each of these examples is below:
The Privacy Act of 1974 requires federal agencies to provide individuals, upon request, with access to information about them, subject to certain exceptions, and allow individuals to request amendments to their records.
The Privacy Rule enacted pursuant to HIPAA requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them, unless the covered entity has a valid reason to deny such access (e.g., where the PHI is subject to restricted access under other laws, or access to the PHI is reasonably likely to cause substantial harm to another person). A covered entity must either provide the requested access within thirty days of a request or explain its justification for denying access. The Privacy Rule also gives individuals the right to amend their PHI.
COPPA allows parents or legal guardians to access their child’s personal information upon request, revoke their consent and refuse the further use or collection of personal information from their child, or delete their child’s personal information.
FCRA/FACTA requires Credit Reporting Agencies to provide individuals with information in their credit files upon request. Individuals may also dispute inaccurate information that appears in a credit report, and inaccurate or unverifiable information must be removed within thirty days of notice of the dispute.
In addition, virtually all comprehensive state data privacy laws, such as the CCPA/CPRA, CPA, and VCDPA, provide consumers with the right to access, correct, or delete their personal information, as well as the right to opt-out of the sale or sharing of their personal information for certain purposes such as targeted advertising without their consent.
Under U.S. data privacy law, consent requirements generally involve providing clear information to individuals about how their data will be collected/used and giving them the option to opt-out or, in some cases, opt-in to certain data processing activities. Specific consent requirements depend on the applicable law and the type of data being collected, with sensitive data and data collected from children often requiring explicit consent.
Generally, companies can use a variety of mechanisms to obtain an individual’s consent to use their data. Specific requirements vary by law. Some laws require written consent (via either physical or electronic means), while others permit electronic opt-in/opt-out consent collection via mechanisms provided by organizations like the Digital Advertising Alliance or the Network Advertising Initiative. Certain laws, including HIPAA and Washington’s My Health My Data Act (“WMHMD”), have specific content requirements for obtaining authorization.
No, U.S. law does not contain a general restriction on cross-border data transfers. However, the Department of Justice’s (“DOJ”) 2025 Final Rule, which implements the February 28, 2024 Executive Order titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO 14117”), was recently adopted. The rule prohibits and restricts “bulk” sensitive personal data transactions with countries of concern, i.e., countries that have demonstrated a willingness and capability to use Americans’ sensitive personal data to threaten U.S. national security.
Generally, data “incidents” and “breaches” involve the unauthorized access, use, disclosure, deletion, or encryption of one or more individuals’ personal information that is stored or processed in systems that an organization or its service providers use to access, collect, store, use, transmit, protect, or disclose the information. Specific definitions of “incident” or “breach” vary by law.
There is no generally applicable federal breach notification law, but there are several targeted breach notification laws at both the federal and state levels, including:
HIPAA and the HITECH Act
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the FTC apply to vendors of personal health records and third-party service providers pursuant to the Health Breach Notification Rule (HBNR).
GLBA and Federal Interagency Guidance
Several federal banking regulators—the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of Thrift Supervision—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice in 2005, interpreting the Safeguards Rule implemented pursuant to the GLBA to require financial institutions to develop and implement a response program designed to address incidents of unauthorized access to customer information processed in systems the institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of the information. The Guidance also contains breach notification requirements.
State Breach Notification Laws
All 50 states, the District of Columbia, and three territories (Puerto Rico, the U.S. Virgin Islands, and Guam) have enacted breach notification laws requiring data owners to notify affected individuals and (in some cases) regulators in the event of unauthorized access to or acquisition of their personal information. Although some state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, other jurisdictions require notification of any incident that meets their definition of a breach. Certain state laws also mandate industry-specific notification requirements, for example, to insurance commissioners and health regulators.
There is no single authority in the United States that regulates privacy law. At the federal level, the regulatory authority responsible for oversight varies based on the applicable law or regulation. The FTC is the primary federal privacy regulator and may bring privacy enforcement actions pursuant to section 5 of the FTCA to address a wide range of alleged violations by entities whose information practices have been deemed “deceptive” or “unfair.” These enforcement actions typically result in consent decrees that prohibit companies from future misconduct and often require biennial audits for up to twenty years. The FTC may also impose a fine on businesses that violate a consent decree.
In the financial services context, various financial services and state insurance regulators have adopted standards pursuant to the GLBA regulating the collection, use, and disclosure of non-public personal information. In the healthcare context, the Department of Health and Human Services is responsible for the enforcement of HIPAA against covered entities.
At the state level, attorneys general may bring enforcement actions for unfair or deceptive trade practices and enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Agency to enforce the statute and the CCPA. Most other state privacy laws are enforced by state attorneys general. Some state privacy laws, such as BIPA, also allow individuals to sue for damages when violations occur.
Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Violations of the ECPA or the Computer Fraud and Abuse Act (“CFAA”) can lead to both civil liability and criminal sanctions. Many states have also enacted surveillance laws that provide for both civil liability and criminal sanctions in the case of a violation. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations.
Privacy breaches have also led to civil lawsuits against breached companies by individuals or other entities affected by the breach, with varying degrees of success. The CCPA expressly provides California residents a private right of action for data breaches.
Several U.S. laws target electronic marketing, including commercial email, telemarketing, text message marketing, and fax marketing.
Commercial email is regulated at the federal level by CAN-SPAM, which generally preempts state anti-spam laws.
The TCPA and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the FTC and the Federal Communications Commission (“FCC”), regulate telemarketing. There are also state laws regulating telemarketing activities.
Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC, while fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws.
In 2021, the U.S. Supreme Court significantly narrowed the scope of a portion of the TCPA restricting the use of auto-dialer equipment to place calls and text messages. In the aftermath of the Supreme Court’s decision, Florida adopted a mini-TCPA law and other states are considering taking similar action. The U.S. Supreme Court’s decision does not affect the TCPA’s prohibition on placing calls to numbers on the Do Not Call Registry. In addition to the federal Do Not Call Registry, certain states maintain their own Do Not Call lists.
Yes. See “What is the key legislation?” There is an array of federal and state laws that regulate different aspects of privacy in the United States, some of which are sector- or industry-specific. For instance, the GLBA and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the HIPAA establishes privacy and data security requirements for entities in the health and medical sector.
The United States does not have a comprehensive law requiring the appointment of a Data Protection Officer (“DPO”) at the federal level. While some federal laws, like HIPAA, mandate specific privacy and security officials, they do not explicitly require a DPO. Most state laws also lack specific DPO requirements.
Generally, federal and state U.S. privacy laws impose various record-keeping and documentation obligations, which include documenting data processing activities (e.g., the purposes of collection, the types of data collected, and how the data is used), documenting data requests and resolution of data requests from individuals, and cataloging security measures to protect personal data. Specific requirements vary by law.
While not mandated at the federal level, some U.S. state consumer privacy laws include Data Protection Impact Assessments (“DPIA”) requirements for specific types of data processing.
U.S. requirements for third-party vendor management and data sharing vary by law. Generally, U.S. laws require companies and organizations to enter into written agreements with vendors, service providers, and other third-parties that address the use and protection of individuals’ personal information.
Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations, and the FTC can impose crippling fines for violations of federal privacy law.
Many state attorneys general may bring enforcement actions for unfair or deceptive trade practices and to enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Agency to enforce the statute and the CCPA. Some state privacy laws, such as BIPA, also allow individuals to sue for damages when violations occur.
Compliance and audit requirements vary widely depending on the applicable law. The GLBA and HIPAA, for example, require covered entities to conduct regular risk assessments or audits to ensure the security and confidentiality of personal information. At the state level, a growing number of comprehensive data privacy laws require Data Protection Impact Assessments (DPIAs) or other compliance measures. See “What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?”
At the federal level, the FTC will likely continue its role as the main arbiter of how the government, companies, and other organizations collect and use individuals’ personal data, unless Congress enacts a uniform data privacy law that designates regulatory responsibility over personal data.
At the state level, as mentioned, the CCPA and CPRA, effective in 2020 and 2023, respectively, led other states to adopt similar comprehensive data privacy legislation. Since the CCPA was enacted, 19 other states have passed similar comprehensive data privacy laws, and five states have active bills that, if passed, would add to the total. 14 other states are considering comprehensive data privacy bills, but there has not been significant legislative activity recently regarding those bills. Given that virtually all U.S. states have at least considered implementing comprehensive data privacy laws, we can expect the trend toward increased state regulation of the collection and use of individuals’ personal data to continue.