How to Use This Data Protection Resource
The National Data Protection Authority directory serves professionals, researchers, and service seekers operating within the US data protection and privacy compliance landscape. This page describes how the directory is structured, who it serves, and how to locate the most relevant listings and reference material. Data protection as a regulatory and operational discipline spans federal statutes, sector-specific rules, and state-level frameworks — making structured navigation essential for accurate, efficient service discovery.
Purpose of this resource
The Data Protection Directory Purpose and Scope page establishes the formal boundaries of what this reference covers: data protection service providers, compliance professionals, privacy technology vendors, and the regulatory frameworks that govern their work across the United States.
This directory does not offer legal, compliance, or professional advice. Its function is to map the service landscape — identifying the categories of providers, the regulatory environments in which they operate, and the qualification and licensing standards relevant to each segment. The US data protection sector is shaped by a layered body of law that includes the Health Insurance Portability and Accountability Act (HIPAA, administered by the HHS Office for Civil Rights), the Gramm-Leach-Bliley Act (GLBA, overseen by the Federal Trade Commission), the Children's Online Privacy Protection Act (COPPA), and a growing body of state privacy statutes including the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA). The FTC maintains primary federal enforcement authority over commercial data practices under 15 U.S.C. § 45.
Understanding which regulatory regime applies to a given organization determines which type of service provider or compliance specialist is relevant. A healthcare-adjacent entity subject to HIPAA requires providers with demonstrable experience in HIPAA Security Rule assessments — a different qualification profile than a financial institution governed by the GLBA Safeguards Rule, which the FTC revised with updated technical requirements effective June 2023 (FTC Safeguards Rule, 16 C.F.R. Part 314).
Intended users
The primary audiences for this directory fall into 4 distinct categories:
- Organizations seeking compliance services — Entities subject to federal or state data protection obligations that require third-party assessment, audit, or implementation support.
- Data protection professionals — Certified Privacy Professionals (CPP), Certified Information Privacy Professionals (CIPP) credentialed through the International Association of Privacy Professionals (IAPP), and information security practitioners seeking peer references or market intelligence.
- Procurement and legal teams — In-house counsel, vendor risk managers, and procurement officers evaluating service providers against specific regulatory requirements.
- Researchers and policy analysts — Academic and government researchers mapping the commercial data protection sector, its service structures, and regulatory alignment.
The directory is not structured as a consumer resource. Individuals seeking personal data rights remedies — such as CCPA opt-out requests or HIPAA access requests — should engage directly with the covered entity or the relevant enforcement agency: the California Privacy Protection Agency (CPPA) for CCPA matters, or the HHS Office for Civil Rights for HIPAA complaints (HHS OCR Complaint Portal).
How to navigate
The Data Protection Listings section organizes providers by service category, regulatory specialization, and geographic coverage. Listings are structured around 3 primary classification axes:
- Regulatory domain — HIPAA, GLBA/FTC Safeguards, CCPA/CPRA, FERPA, or multi-framework
- Service type — Assessment and audit, implementation, managed services, legal counsel, or technology platform
- Organizational scope — Enterprise, mid-market, or small business focus
Navigation between regulatory domains matters because qualification standards differ substantively. A SOC 2 Type II audit (governed by the AICPA's Trust Services Criteria) is a recognized attestation for general data security posture, while a HIPAA Security Risk Assessment follows the methodology outlined in NIST SP 800-66 Rev. 2. These are not interchangeable, and a listing's relevance depends on which framework governs the prospective client's obligations.
Where a provider holds certifications or designations from named standards bodies, including ISO/IEC 27001 (administered by the International Organization for Standardization), FedRAMP authorization (for cloud service providers), or IAPP organizational membership, the listing record shows them.
What to look for first
When entering the directory with a specific compliance need, the most efficient starting point is regulatory jurisdiction, not service category. Identify the primary applicable law or regulation before filtering by service type.
A structured evaluation sequence for first-time users:
- Identify the governing statute or rule — HIPAA, GLBA Safeguards, CCPA/CPRA, or sector-specific (e.g., FERPA for education, COPPA for child-directed services).
- Determine the required deliverable — Risk assessment, gap analysis, written information security program (WISP), data processing agreement (DPA), or incident response retainer.
- Check for applicable credentialing — IAPP CIPP/US or CIPM for privacy generalists; CISSP or CISM for security-focused practitioners; CPA with AICPA SOC competency for audit engagements.
- Cross-reference enforcement guidance — The NIST Privacy Framework 1.0 and CISA's data protection resources provide baseline standards against which provider capabilities can be compared.
- Review listing scope statements — Listings specify whether a provider operates nationally or in defined states, and whether their work covers regulated industries (healthcare, financial services, education) or general commercial sectors.
For broader context on what this directory covers and excludes, the Data Protection Directory Purpose and Scope page defines the full classification boundaries. For direct inquiries about listings or inclusion criteria, the contact page provides submission and inquiry information.