US Data Protection Laws: Federal and State Landscape

The United States data protection landscape operates without a single omnibus federal privacy statute, producing a fragmented regulatory environment in which sector-specific federal laws, state comprehensive privacy acts, and agency enforcement regimes operate in parallel. This page maps that landscape — covering the structural mechanics of federal and state frameworks, the classification boundaries between sector-specific and general-purpose laws, and the enforcement authorities that give these rules operational force. The reference is oriented toward compliance professionals, legal researchers, and service seekers navigating a sector where jurisdictional overlap and regulatory gaps create material legal exposure.


Definition and scope

US data protection law encompasses the collection of federal statutes, state statutes, agency regulations, and enforcement guidance governing the collection, storage, processing, transfer, and deletion of personal information. Unlike the European Union's General Data Protection Regulation (GDPR), which establishes a single horizontal framework applicable across member states, US law is vertically segmented: different statutes govern health data, financial data, children's data, telecommunications data, and consumer data — each administered by a different federal agency.

The principal federal sector-specific statutes, each named in the comparison matrix at the end of this page, include:

  1. Health Insurance Portability and Accountability Act (HIPAA, 1996): protected health information held by covered entities and their business associates; enforced by the HHS Office for Civil Rights.
  2. Gramm-Leach-Bliley Act (GLBA, 1999): nonpublic personal information held by financial institutions; enforced by the FTC, the CFPB, and the federal banking regulators.
  3. Children's Online Privacy Protection Act (COPPA, 1998): personal information collected online from children under 13; enforced by the FTC.
  4. Fair Credit Reporting Act (FCRA, 1970): consumer report data; enforced by the FTC and the CFPB.
  5. Family Educational Rights and Privacy Act (FERPA, 1974): education records held by institutions receiving federal education funding; enforced by the US Department of Education.

At the state level, 20 states had enacted comprehensive consumer privacy laws as of 2024, a count tracked by the International Association of Privacy Professionals (IAPP). California's framework — encompassing the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA) — remains the most operationally influential, having taken full enforcement effect under the California Privacy Protection Agency (CPPA) (cppa.ca.gov).

The scope of any given law turns on three definitional variables: the category of personal data covered, the type of organization subject to the law, and the geographic nexus of the individuals whose data is processed.


Core mechanics or structure

Federal data protection statutes share a common structural architecture, even where enforcement authorities differ.

Notice requirements obligate covered entities to inform individuals about data practices before or at the time of collection. GLBA's Privacy Rule (16 C.F.R. Part 313 for FTC-regulated institutions; Regulation P, 12 C.F.R. Part 1016, for those under CFPB jurisdiction) requires initial and annual privacy notices to customers describing information-sharing practices, with the annual notice excused for institutions that share only within the statutory exceptions and have not changed their policies since the last notice. HIPAA's Notice of Privacy Practices must be provided by providers with a direct treatment relationship no later than the first service delivery, and by health plans at enrollment.

Data minimization and purpose limitation appear in varying degrees. COPPA imposes explicit minimization obligations — operators may not condition a child's participation in an activity on collecting more information than is reasonably necessary (16 C.F.R. § 312.7). State comprehensive laws, particularly Virginia's Consumer Data Protection Act (CDPA) and Colorado's Privacy Act (CPA), adopt purpose limitation standards modeled loosely on GDPR principles.

Individual rights — access, correction, deletion, and portability — appear primarily in state comprehensive laws rather than federal sector statutes. California's CCPA grants consumers the rights to know, to delete, to opt out of sale, and to non-discrimination; CPRA adds the right to correct, the right to opt out of sharing for cross-context behavioral advertising, and the right to limit use and disclosure of sensitive personal information (Cal. Civ. Code § 1798.100 et seq.).

Security safeguards obligations appear across frameworks. The FTC's Safeguards Rule under GLBA (16 C.F.R. Part 314, substantially amended in 2021 with most new requirements effective June 2023) requires non-bank financial institutions to maintain a written information security program with administrative, technical, and physical safeguards calibrated to the institution's size and complexity, including a designated qualified individual, a written risk assessment, encryption of customer information in transit and at rest, and multi-factor authentication for access to customer information; a further amendment issued in 2023 and effective May 2024 requires notice to the FTC within 30 days of discovering a notification event affecting 500 or more consumers. HIPAA's Security Rule (45 C.F.R. Part 164, Subpart C) specifies required and addressable implementation specifications for electronic PHI.

Enforcement is disaggregated. The FTC exercises general authority over unfair or deceptive data practices under Section 5 of the FTC Act (15 U.S.C. § 45), independent of sector-specific statutes. HHS OCR enforces HIPAA. State attorneys general enforce state comprehensive privacy laws in most jurisdictions, with California uniquely having a dedicated administrative enforcement agency in the CPPA.

For a broader view of how these regulatory bodies fit within the national cybersecurity landscape, the Data Protection Providers page indexes regulated service providers and compliance professionals by practice area.


Causal relationships or drivers

The fragmented US data protection structure is a product of legislative history rather than deliberate design. Congress enacted HIPAA in 1996 primarily to address insurance portability, with privacy provisions added as a secondary objective and the Privacy Rule finalized in 2000. COPPA followed in 1998 as a targeted response to documented commercial exploitation of children's online activity. GLBA addressed financial data in 1999 as part of financial services deregulation. Each statute responded to a discrete policy problem rather than contributing to a unified framework.

The continued absence of federal omnibus legislation created the conditions for state-level action. California enacted the CCPA in June 2018 under pressure from a pending ballot initiative, establishing the first US general-purpose consumer privacy statute; it took effect in January 2020. The California model created competitive pressure: states with large consumer populations or active privacy advocacy communities subsequently enacted their own laws, including Virginia (2021), Colorado (2021), Connecticut (2022), Utah (2022), and Texas (2023).

Commercial data flows also drive regulatory development. The growth of data broker ecosystems — firms that aggregate and resell personal data without a direct consumer relationship — exposed gaps in sector-specific statutes that did not contemplate such intermediaries. Several state laws now explicitly address data brokers; California's Delete Act (SB 362, 2023) requires data brokers to register with the CPPA and honor deletion requests through a centralized mechanism.


Classification boundaries

Data protection law in the US classifies obligations along four primary axes:

1. Data type — The most significant boundary separates regulated categories (health, financial, children's, biometric) from general personal information. Biometric data receives heightened protection under Illinois's Biometric Information Privacy Act (BIPA, 740 ILCS 14), which imposes a private right of action and has generated more than $1 billion in class action settlements since 2019 (IAPP litigation tracker).

2. Entity type — HIPAA applies only to covered entities (health plans, healthcare clearinghouses, covered healthcare providers) and their business associates. The FTC Safeguards Rule applies to "financial institutions" as defined under GLBA that are not supervised by another federal financial regulator, a category that already reaches non-bank businesses such as mortgage brokers, auto dealers that extend credit, and tax preparers; the 2021 amendments added "finders" that bring buyers and sellers of financial products together. State comprehensive laws typically apply based on revenue thresholds (e.g., California's $25 million annual gross revenue threshold under CCPA, adjusted periodically for inflation) or data volume thresholds (e.g., controlling or processing the personal data of 100,000 or more consumers under Virginia's CDPA).

3. Jurisdiction — Federal law applies based on the regulated entity's activities. State comprehensive laws apply based on the state of residence of the consumer whose data is processed, regardless of where the processing organization is domiciled.

4. Purpose — Employment data, B2B transaction data, and publicly available information are frequently exempt from state comprehensive privacy laws. California's CPRA extended CCPA coverage to employee and B2B data after temporary exemptions expired in 2023.


Tradeoffs and tensions

Federal preemption vs. state innovation — Industry groups have advocated for a federal omnibus privacy law that would preempt state laws, arguing that complying with 20-plus state frameworks creates disproportionate compliance costs for mid-sized organizations. Privacy advocates counter that federal preemption risks lowering the floor to the weakest state standard. The American Data Privacy and Protection Act (ADPPA), which the House Energy and Commerce Committee approved in July 2022, would have preempted most state comprehensive privacy laws while carving out specific statutes such as Illinois BIPA and the CCPA's data breach right of action, but it stalled before a floor vote.

Opt-in vs. opt-out consent models — Federal sector statutes do not share one model: GLBA lets customers opt out of sharing with nonaffiliated third parties, while HIPAA requires written authorization for uses and disclosures outside treatment, payment, and healthcare operations, and COPPA requires verifiable parental consent before collection. State comprehensive laws diverge as well: most use opt-out for sale and targeted advertising but require opt-in consent for sensitive data categories, whereas California and Utah instead give consumers an opt-out or limitation right over sensitive data. This creates implementation complexity for organizations processing data across multiple jurisdictions.

Private right of action — HIPAA contains no private right of action; enforcement is exclusively governmental. CCPA/CPRA provides a limited private right of action for security breaches but not for general violations. Illinois BIPA's broad private right of action has made it the most litigated US privacy statute. The ADPPA debate included a private right of action as a central point of contention.

Data localization vs. global operations — No current federal US statute imposes general data localization requirements, but sector-specific requirements (certain banking regulations, cloud security frameworks) create de facto localization obligations for regulated data categories.



Common misconceptions

Misconception: HIPAA covers all health-related data.
HIPAA applies only to covered entities and their business associates. A fitness app, wellness platform, or consumer genomics service that is not a healthcare provider, health plan, or clearinghouse is not subject to HIPAA, regardless of the sensitivity of the health data it processes. The FTC has addressed this gap through enforcement actions under Section 5 and through the Health Breach Notification Rule (16 C.F.R. Part 318), which it amended in 2024 to state expressly that health apps and similar technologies handling health data outside HIPAA are covered.

Misconception: Compliance with one state law satisfies obligations in all states.
State comprehensive privacy laws contain materially different definitions, thresholds, and individual rights. Virginia's CDPA does not include a private right of action; Illinois BIPA does. Texas's Data Privacy and Security Act has a different applicability threshold than California's CCPA. Organizations operating nationally require jurisdiction-specific analysis.

Misconception: Anonymized data is outside the scope of all privacy laws.
CCPA and several state laws extend obligations to data that is "de-identified" only if specific technical and organizational safeguards are maintained. Re-identification risk is an active regulatory concern; the FTC has published guidance warning that publicly available data combined with other datasets can re-identify nominally anonymous records.
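As an added illustration of the re-identification point (example code written for this page, not taken from the FTC guidance or from any real dataset; every record below is constructed), the following Python links a nominally de-identified health extract to a public dataset on shared quasi-identifiers, then shows the generalization and k-anonymity check a data holder would run before treating the extract as outside the CCPA's de-identified-data carve-out:

```python
"""
Linkage re-identification of "de-identified" records, plus the k-anonymity
check a data holder should run before treating a dataset as out of scope.

All records below are constructed for this example; they describe no real
person or dataset.
"""
from collections import Counter

# Quasi-identifiers: attributes that are not names or account numbers but
# that, in combination, are frequently unique to one individual.
QUASI_IDENTIFIERS = ("zip", "birth_date", "sex")

# Constructed "de-identified" health records: direct identifiers stripped,
# quasi-identifiers left intact.
HEALTH_RECORDS = [
    {"zip": "02138", "birth_date": "1965-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_date": "1965-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_date": "1972-11-05", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_date": "1972-11-05", "sex": "M", "diagnosis": "depression"},
    {"zip": "02140", "birth_date": "1965-01-20", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "birth_date": "1972-06-02", "sex": "M", "diagnosis": "hypertension"},
]

# Constructed public dataset (a voter roll, for instance) carrying the same
# quasi-identifiers alongside names.
PUBLIC_RECORDS = [
    {"name": "Alice Adams", "zip": "02138", "birth_date": "1965-07-31", "sex": "F"},
    {"name": "Beth Brown",  "zip": "02138", "birth_date": "1965-03-12", "sex": "F"},
    {"name": "Carl Chen",   "zip": "02139", "birth_date": "1972-11-05", "sex": "M"},
    {"name": "Dan Diaz",    "zip": "02139", "birth_date": "1972-11-05", "sex": "M"},
    {"name": "Erin Evans",  "zip": "02140", "birth_date": "1965-01-20", "sex": "F"},
    {"name": "Frank Ford",  "zip": "02142", "birth_date": "1972-06-02", "sex": "M"},
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used to join the two datasets."""
    return tuple(record[f] for f in fields)


def link_records(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Map each de-identified record index to the names of every public record
    sharing its quasi-identifier tuple. This join is the linkage attack."""
    index = {}
    for rec in public:
        index.setdefault(qi_key(rec, fields), []).append(rec["name"])
    return {i: index.get(qi_key(rec, fields), []) for i, rec in enumerate(deidentified)}


def reidentify(deidentified, public, fields=QUASI_IDENTIFIERS):
    """Records whose quasi-identifiers match exactly one named public record
    are re-identified outright; ambiguous or unmatched records are not."""
    links = link_records(deidentified, public, fields)
    return {i: names[0] for i, names in links.items() if len(names) == 1}


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence-class size over the quasi-identifier tuple.
    k == 1 means at least one record is unique on its quasi-identifiers and is
    exposed to linkage with any outside dataset carrying the same fields."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values()) if counts else 0


def generalize(record):
    """Coarsen quasi-identifiers: 5-digit ZIP -> 3-digit prefix, full birth
    date -> birth year. Other fields (diagnosis, name) are left untouched."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["birth_date"] = record["birth_date"][:4]
    return out


def generalize_dataset(records):
    return [generalize(r) for r in records]


def main():
    print("k-anonymity of raw release:", k_anonymity(HEALTH_RECORDS))
    print("re-identified from raw release:", reidentify(HEALTH_RECORDS, PUBLIC_RECORDS))
    gen_health = generalize_dataset(HEALTH_RECORDS)
    # The adversary generalizes the public data the same way; uniqueness is gone.
    gen_public = generalize_dataset(PUBLIC_RECORDS)
    print("k-anonymity after generalization:", k_anonymity(gen_health))
    print("re-identified after generalization:", reidentify(gen_health, gen_public))


if __name__ == "__main__":
    main()
```

On the raw extract three of six records link to exactly one name, and the k-anonymity check reports k = 1, which is the signal that the "de-identified" label is not yet earned. After generalizing ZIP and birth date the smallest class has three members and no record links uniquely. k-anonymity alone does not stop attribute disclosure: if every member of an equivalence class shared the same diagnosis, the diagnosis would still leak to anyone who knew a person was in that class, which is why the technical measures CCPA expects for de-identified data have to be reassessed whenever a new public dataset with overlapping fields appears.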

Misconception: The FTC has no data protection enforcement authority absent a specific statute.
The FTC's Section 5 authority over unfair or deceptive acts or practices has been applied to inadequate data security practices since at least the 2002 settlement with Eli Lilly. This general authority operates independently of sector-specific statutes and has formed the basis for more than 60 data security consent orders (ftc.gov/data-security).


Checklist or steps

The following sequence represents the standard jurisdictional scoping process for US data protection compliance assessments. This is a structural reference, not legal advice.

  1. Identify all personal data categories in scope — Distinguish regulated special categories (health, financial, biometric, children's data) from general personal information.
  2. Map entity status under federal sector statutes — Determine whether the organization qualifies as a HIPAA covered entity, GLBA financial institution, or COPPA operator.
  3. Identify state law applicability thresholds — Apply revenue, employee count, and data volume thresholds for each state where consumers reside.
  4. Catalog applicable individual rights obligations — Access, deletion, correction, portability, opt-out of sale, and sensitive data use limits vary by state.
  5. Assess data sharing and vendor relationships — Business associate agreements (HIPAA), service provider contracts (CCPA/CPRA), and data processing agreements (state CDPAs) each have distinct requirements.
  6. Audit security safeguards against applicable standards — GLBA Safeguards Rule, HIPAA Security Rule, NIST SP 800-53, and state-specific security requirements impose different implementation specifications.
  7. Verify breach notification obligations — All 50 states have breach notification statutes with differing trigger thresholds, notification timelines, and regulator notification requirements.
  8. Document data protection impact assessments where required — Virginia CDPA, Colorado CPA, and Connecticut CTDPA require documented data protection assessments for high-risk processing activities.
  9. Register with applicable state data broker registries — California, Vermont, Texas, and Oregon maintain data broker registration requirements with distinct deadlines and fees.
  10. Maintain records of processing activities — Required explicitly under GDPR for US-based organizations processing EU resident data, and adopted as best practice under NIST Privacy Framework guidance.

For assistance identifying qualified data protection professionals by jurisdiction, the Data Protection Providers page provides an indexed provider network of practitioners and services.


Reference table or matrix

US Data Protection Law Comparison Matrix

Law | Jurisdiction | Data Type Covered | Enforcing Body | Private Right of Action | Individual Rights
HIPAA Privacy/Security Rules | Federal | Protected health information | HHS Office for Civil Rights; state AGs (under HITECH) | No | Access, amendment, accounting of disclosures
GLBA Privacy/Safeguards Rules | Federal | Nonpublic personal information of financial customers | FTC, CFPB, federal banking regulators, SEC | No | Notice, opt-out of sharing with nonaffiliated third parties
COPPA | Federal | Personal information of children under 13 | FTC, state AGs | No | Parental consent, review, deletion, refusal of further collection
FCRA | Federal | Consumer report data | FTC, CFPB | Yes | Access, dispute, opt-out of prescreened offers
FERPA | Federal | Education records | US Dept. of Education | No | Inspect, amendment, consent to disclosure
CCPA/CPRA | California | General personal information | CPPA, CA AG | Yes (certain data breaches only) | Know, delete, correct, portability, opt-out of sale and sharing, limit sensitive use
Virginia CDPA | Virginia | General personal information | VA AG | No | Access, delete, correct, portability, opt-out
Colorado CPA | Colorado | General personal information | CO AG, district attorneys | No | Access, delete, correct, portability, opt-out
Illinois BIPA | Illinois | Biometric identifiers and information | Private litigants | Yes (broad) | Notice and written consent before collection, published retention schedule
Texas TDPSA | Texas | General personal information | TX AG | No | Access, delete, correct, portability, opt-out
FTC Act § 5 | Federal | Any (unfair or deceptive practices) | FTC | No | Varies by consent order
