US Privacy Laws
The United States privacy landscape is changing quickly. As of 2025, more than 20 states have enacted comprehensive consumer privacy laws, and further bills are pending. Understanding these laws matters to consumers exercising their rights and to any business that collects personal data online.
Privacy Regulation is Increasing
As of 2025, over 20 states have enacted comprehensive consumer privacy laws. California's CCPA/CPRA remains the most stringent, but Colorado, Connecticut, Virginia and the others differ in applicability thresholds, consumer rights, cure periods and enforcement, producing a patchwork that businesses must reconcile rather than a single standard.
The Current State of US Privacy Law
Unlike Europe's unified GDPR, the United States has no comprehensive federal privacy law. Privacy is instead regulated through a patchwork of state laws, sector-specific federal laws (HIPAA for health data, GLBA for financial institutions, COPPA for children), and FTC enforcement under its authority over unfair or deceptive practices.
States with Comprehensive Privacy Laws (Enacted)
| State | Law Name | Effective Date | Key Features |
|---|---|---|---|
| California | CCPA/CPRA | January 1, 2020 / January 1, 2023 | Most comprehensive; private right of action for data breaches; dedicated regulator (California Privacy Protection Agency) |
| Virginia | Virginia CDPA | January 1, 2023 | First state after California to enact a comprehensive law; template for most later "Virginia model" statutes |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 | Universal opt-out mechanism (such as Global Privacy Control) must be honored from July 1, 2024 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | Loyalty program protections |
| Utah | Utah Consumer Privacy Act (UCPA) | December 31, 2023 | Most business-friendly approach |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 | No revenue threshold; small business exemption |
| Oregon | Oregon Consumer Privacy Act | July 1, 2024 | Unusually, covers nonprofits (from July 1, 2025) |
| Montana | Montana Consumer Data Privacy Act | October 1, 2024 | Lower applicability threshold (50,000 consumers) than most states |
| Iowa | Iowa Consumer Data Protection Act | January 1, 2025 | 90-day cure period for violations |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 | Lower applicability threshold (35,000 consumers) |
| New Jersey | New Jersey Data Privacy Act | January 15, 2025 | Financial information treated as sensitive data |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 | Affirmative defense for businesses with a documented privacy program |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 | Strict data minimization requirements |
| Indiana | Indiana Consumer Data Protection Act | January 1, 2026 | Similar to Virginia model |
| Kentucky | Kentucky Consumer Data Protection Act | January 1, 2026 | Standard Virginia model approach |
Core Consumer Rights
Most state privacy laws grant consumers the following fundamental rights, which must be exercisable free of charge and answered within a set period (typically 45 days, extendable once):
Right to Know/Access
Consumers can request confirmation of whether a business is processing their personal data, information about what it has collected about them and, under most of these laws, a portable copy of it.
Right to Delete
Consumers can request deletion of their personal data, subject to certain exceptions.
Right to Correct
Consumers can request correction of inaccurate personal data held by businesses.
Right to Opt Out
Consumers can opt out of the sale of their personal data, of targeted advertising, and (in most states) of profiling used for decisions with legal or similarly significant effects.
Website Privacy Compliance Statistics
The Reality of Website Compliance
76% of the top 100 websites in the US do not honor CPRA opt-out signals. Despite a clear legal requirement, most continue to share personal data with advertising third parties after the user opts out. Enforcement risk is rising as the California Privacy Protection Agency and state attorneys general step up compliance sweeps.
Federal Privacy Laws
While the US lacks a comprehensive federal privacy law, several sector-specific federal laws provide important privacy protections:
Children's Online Privacy Protection Act (COPPA)
COPPA regulates the collection of personal information from children under 13. Websites and online services directed at children, or that have actual knowledge they are collecting information from children, must:
- Post a clear, comprehensive privacy policy describing data practices
- Provide direct notice to parents before collecting information from children
- Obtain verifiable parental consent before collection
- Allow parents to review and delete their child's information
- Limit data collection to what is reasonably necessary
- Maintain reasonable security procedures
Violations are enforced by the FTC and can result in civil penalties of up to $50,120 per violation (the 2023 figure; the cap is adjusted for inflation each year).
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects individually identifiable health information from disclosure. Covered entities are healthcare providers, health plans, and healthcare clearinghouses; their business associates (vendors that handle protected health information on their behalf) are directly liable under the Security Rule and most of the Privacy Rule. Key requirements:
- Privacy Rule: Standards for protecting individually identifiable health information
- Security Rule: Standards for protecting electronic protected health information (ePHI)
- Breach Notification Rule: Requirements to notify patients of data breaches
- Minimum Necessary Standard: Limit access to only necessary information
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions to explain information-sharing practices and protect sensitive data:
- Privacy notices explaining what data is collected and how it's shared
- Opt-out rights for sharing with non-affiliated third parties
- Safeguards Rule requiring security programs for customer data
- Pretexting protections against fraudulent access to financial data
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at schools receiving federal funding:
- Parents have rights to access and review education records
- Rights transfer to students at age 18 or when entering postsecondary education
- Schools must have written permission before disclosing personally identifiable information
- Directory information may have different disclosure rules
Biometric Privacy Laws
Several states have enacted specific laws governing the collection and use of biometric data:
Illinois Biometric Information Privacy Act (BIPA)
Illinois BIPA is the most stringent biometric privacy law in the US, featuring:
- Private right of action allowing individuals to sue directly
- Liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation; a 2024 amendment limits recovery to one violation per person for repeated collection of the same identifier by the same method, ending the per-scan accrual that drove earlier verdicts
- Applies to fingerprints, retina/iris scans, voiceprints, and scans of hand or face geometry
- Requires informed written consent, a public retention and destruction schedule, and prohibits selling or profiting from biometric data
Major settlements include Facebook ($650 million) and Google ($100 million in Illinois alone).
Other State Biometric Laws
- Texas: Capture or Use of Biometric Identifier Act (enforced only by the Attorney General; no private right of action)
- Washington: 2017 biometric identifier statute (no private right of action); the 2023 My Health My Data Act, which also covers biometric data, can be enforced by individuals under the state Consumer Protection Act
- New York City: Commercial establishments that collect biometric identifiers must post a conspicuous notice and may not sell the data
- Portland, OR: Bans use of facial recognition by private entities in places of public accommodation
Data Breach Notification Laws
All 50 states, plus the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands, have enacted data breach notification laws requiring businesses to notify affected individuals when their personal information is compromised. The details vary by state:
| Requirement | Typical Standard | Strictest States |
|---|---|---|
| Notification Timing | 30-60 days after discovery, or "without unreasonable delay" | Colorado, Florida: 30 days |
| Attorney General Notice | Required above a threshold (commonly 500 or 1,000 affected residents) | Some states require notice for any breach |
| Covered Data Types | Name plus SSN, driver's license, financial account, or medical data | Expanding to include biometric data and online login credentials |
| Encryption Safe Harbor | Most states exempt encrypted data | California and others: only if the encryption key was not also compromised |
Emerging Privacy Topics
AI and Automated Decision-Making
Several states are addressing privacy concerns related to artificial intelligence:
- Colorado's privacy act lets consumers opt out of profiling, and its separate AI Act imposes transparency and risk-management duties on developers and deployers of high-risk AI systems
- Connecticut requires disclosure of profiling and an opt-out from automated decisions with legal or similarly significant effects
- Illinois regulates AI in employment decisions, including its AI Video Interview Act and a 2024 amendment to the Human Rights Act addressing discriminatory use of AI in hiring
- New York City's Local Law 144 requires bias audits and candidate notice for automated employment decision tools used in hiring and promotion
Location Data and Geofencing
Location privacy is increasingly regulated, particularly regarding:
- Tracking of visits to reproductive health facilities, a concern heightened after Dobbs v. Jackson Women's Health Organization (2022)
- Limits on geofence warrants (which demand data on every device in an area) in some states
- State privacy laws classifying precise geolocation as sensitive data, restricting its sale or requiring opt-in consent
- FTC enforcement against data brokers and apps that sold location data, including the 2024 orders against X-Mode/Outlogic and InMarket
Dark Patterns and Consent
Regulators are cracking down on manipulative design practices:
- California's CPRA regulations define dark patterns and provide that consent obtained through them is not valid consent
- The FTC has brought enforcement actions against deceptive subscription and cancellation flows that trap users
- Colorado and Connecticut define consent to exclude agreement obtained through dark patterns, requiring a clear, affirmative act
US Privacy Laws vs. GDPR
Key differences between US state privacy laws and Europe's General Data Protection Regulation:
| Aspect | US State Laws | GDPR (EU) |
|---|---|---|
| Scope | Patchwork of state laws with varying applicability thresholds | Unified law across the EU/EEA |
| Default Position | Opt-out model: collection and sale allowed unless the consumer opts out (opt-in usually only for sensitive data) | Processing requires a lawful basis; consent is one of six, and must be freely given, specific and affirmative |
| Private Right of Action | Limited (mostly data breaches only) | Yes, a broad right to seek compensation for damage (Article 82) |
| Maximum Penalties | Per-violation fines (e.g., up to $7,500 per intentional violation in California) | Up to 4% of global annual turnover or EUR 20 million, whichever is higher |
| Data Protection Officer | Not generally required | Required for many organizations |
Privacy Compliance Checklist
Essential steps for businesses to comply with US privacy laws:
- Data Mapping: Identify what personal data you collect, where it's stored, and how it flows
- Privacy Policy: Update your privacy policy to meet all applicable state requirements
- Consumer Rights Portal: Implement mechanisms for consumers to exercise their rights
- Opt-Out Mechanisms: Provide clear "Do Not Sell or Share My Personal Information" links and honor Global Privacy Control (GPC) signals, which California and Colorado treat as a valid opt-out request
- Vendor Contracts: Update agreements with service providers and contractors
- Data Security: Implement reasonable security measures appropriate to data sensitivity
- Employee Training: Train staff on privacy procedures and consumer request handling
- Record Keeping: Maintain records of consumer requests and responses
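The opt-out and record-keeping steps above have a concrete technical core: a browser with Global Privacy Control enabled sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl`, and a site subject to the CPRA or Colorado rules must treat that as an opt-out of sale/sharing before any third-party tag fires. The following is an added example, not code from the original page or from any regulator; the consent-store values ('opt-out', 'none'), the tag catalogue and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original page): honoring a Global Privacy
// Control (GPC) opt-out signal. A browser with GPC enabled sends the request
// header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl === true.
// Any other header value, or no header, is not a signal. California's CPRA
// regulations and Colorado's universal opt-out rules treat a valid signal as
// an opt-out of sale/sharing for that browser, link click or not.

// Server side. Header names are lower-cased as in Node's req.headers.
// The spec value is exactly "1"; "0", "true" or "yes" must not count.
function gpcOptOut(headers) {
  const raw = headers['sec-gpc'];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: the same check from a navigator-like object (the real
// navigator in a browser, a plain object in tests).
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide whether sale/share of personal data (ad-tech pixels, data-broker
// feeds) may occur on this request. `stored` is the consumer's recorded
// preference from the consent store (assumed values: 'opt-out' or 'none').
// A stored opt-out or a GPC signal both block sale/share; the opt-out-model
// default is to allow. A GPC signal that is not yet on record is flagged so
// the caller can persist it and log the request for the record-keeping step.
function saleShareDecision(headers, stored) {
  if (stored === 'opt-out') {
    return { allowSaleShare: false, reason: 'stored opt-out', recordOptOut: false };
  }
  if (gpcOptOut(headers)) {
    return { allowSaleShare: false, reason: 'gpc signal', recordOptOut: true };
  }
  return { allowSaleShare: true, reason: 'no opt-out', recordOptOut: false };
}

// Drop every tag that discloses personal data to a third party when
// sale/share is not allowed; first-party tags load regardless.
function tagsToLoad(decision, catalogue) {
  return catalogue
    .filter((tag) => decision.allowSaleShare || !tag.sharesData)
    .map((tag) => tag.name);
}

// Constructed sample catalogue; `sharesData` marks tags that send personal
// data to a third party for cross-context behavioural advertising.
const TAG_CATALOGUE = [
  { name: 'first-party-analytics', sharesData: false },
  { name: 'ad-network-pixel', sharesData: true },
  { name: 'data-broker-sync', sharesData: true },
];

// Worked run over constructed requests: GPC on, a non-spec value, a stored
// opt-out with no header, and a fresh visitor with neither.
function demo() {
  const cases = [
    { headers: { 'sec-gpc': '1' }, stored: 'none' },
    { headers: { 'sec-gpc': '0' }, stored: 'none' },
    { headers: {}, stored: 'opt-out' },
    { headers: {}, stored: 'none' },
  ];
  return cases.map(({ headers, stored }) => {
    const decision = saleShareDecision(headers, stored);
    return { ...decision, tags: tagsToLoad(decision, TAG_CATALOGUE) };
  });
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The strict equality on `"1"` is deliberate: the GPC specification defines only that value, and treating `"true"` or `"yes"` as a signal would opt users out of things they never asked for. The decision is made before any tag is emitted into the page, because the compliance failure described earlier in this page is precisely that tags fire, and data leaves, before the signal is consulted.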