Data privacy compliance in the U.S. is not simple. There is no single federal privacy law that covers every business and every type of data.
Instead, companies must navigate a mix of federal sector-specific laws, state privacy statutes, and industry regulations, often all at once. If your business collects, stores, or processes personal data, here is what you need to know.
The U.S. Does Not Have One Unified Federal Privacy Law.
Unlike the EU’s GDPR, the United States has not passed a comprehensive national data privacy law. The American Privacy Rights Act (APRA) has been in discussion in Congress, but as of 2024, no broad federal privacy statute has been enacted.
In the absence of that, federal privacy obligations in the U.S. are sector-specific. They apply based on the type of data you handle or the industry you operate in, not simply because you collect personal information.
Several Federal Laws Govern Privacy In Specific Industries.
Each of these applies to a defined category of business or data type. Here is a quick look:
| Federal Law | Industry | What It Requires |
|---|---|---|
| HIPAA | Healthcare (covered entities and their business associates) | Protect and limit use of health data; notify on breaches |
| GLBA | Financial services | Safeguard customer financial information and provide privacy notices |
| FERPA | Education (institutions receiving federal funds) | Protect student educational records |
| COPPA | Any online service directed to children under 13, or with actual knowledge it collects their data | Obtain verifiable parental consent before collecting children's personal data |
| FTC Act (Section 5) | All industries (broadly) | Prohibits unfair or deceptive acts or practices, including data practices |
COPPA is worth highlighting here. It applies not only to services deliberately aimed at children, but to any website or app that is directed to children under 13 in practice, or that has actual knowledge it is collecting personal information from them, even if that was never the intent.
In 2023, the FTC obtained a $25 million civil penalty from Amazon for COPPA violations related to its Alexa voice assistant retaining children's voice recordings.
State Privacy Laws Are Filling The Gap Left By Federal Inaction.
With no federal standard in place, states have moved forward on their own. Several have passed comprehensive consumer privacy laws that apply broadly, not just to one industry. As of 2024, states with active comprehensive privacy laws include:
- California: CCPA / CPRA (the most expansive in the U.S.)
- Virginia: Consumer Data Protection Act (CDPA)
- Colorado: Privacy Act (CPA)
- Connecticut: Data Privacy Act
- Texas: Data Privacy and Security Act
More states are following. According to the International Association of Privacy Professionals (IAPP), over 25 states have introduced or passed privacy legislation as of 2024.
For businesses operating nationally, this creates a compliance matrix that changes by the year.
California’s Privacy Law Sets The Highest Standard For Businesses.
California's CCPA and its amendment, the CPRA, apply to for-profit businesses that do business in California and meet any of the following thresholds:
- Annual gross revenue over $25 million (the figure is adjusted for inflation periodically)
- Annually buy, sell, or share the personal information of 100,000 or more California consumers or households
- Derive 50% or more of annual revenue from selling or sharing consumers' personal information
Under these laws, California residents have the right to know what data is collected, request deletion and correction, opt out of the sale or sharing of their data, limit the use of sensitive personal information, and sue companies directly for data breaches caused by a failure to maintain reasonable security.
The California Privacy Protection Agency (CPPA) can impose administrative fines of up to $2,500 per violation and up to $7,500 per intentional violation (or any violation involving a consumer under 16).
The FTC Is The Closest Thing To A National Privacy Enforcer.
Even without a comprehensive federal law, the FTC Act’s prohibition on unfair and deceptive practices gives the agency broad authority over how companies handle personal data.
If your privacy policy says one thing and your data practices do another, the FTC can pursue enforcement action.
In 2023 alone, the FTC took action against several major companies for privacy violations, signaling that regulatory scrutiny is increasing regardless of whether a specific privacy law technically applies.
Businesses That Collect Personal Data Need A Compliance Baseline Now.
According to Statista, the cost of non-compliance averages 2.71 times the cost of maintaining compliance. Investing in privacy practices now is significantly cheaper than dealing with violations later.
Start with the basics: audit what data you collect and where it flows, identify which laws apply to your business, and have an incident response plan ready before a breach occurs. The legal landscape will keep evolving, and preparation is the most practical form of protection.
