Privacy and Data Protection
The US has no comprehensive federal privacy law. Instead, businesses navigate a patchwork: state comprehensive laws (CCPA/CPRA and a growing list of others), federal sectoral laws (HIPAA, GLBA, COPPA), 50 separate state breach notification laws, FTC Act enforcement against unfair or deceptive practices, and the extraterritorial reach of foreign laws (GDPR) over US businesses with EU users. This guide covers what actually applies to most US businesses.
The US privacy landscape
Four layers apply to a typical US business:
- State comprehensive privacy laws. California led with CCPA (2020) and CPRA (2023). Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and many others have followed with their own laws. Each has its own scope, definitions, and rights.
- State breach notification laws. All 50 states require notification to affected residents (and often regulators) after security breaches. Each state's law differs in trigger, timeline, and content.
- Federal sectoral laws. HIPAA (healthcare), GLBA (financial), COPPA (children), FERPA (education), TCPA (telephone), CAN-SPAM (email), FCRA (consumer reporting).
- FTC enforcement. Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices". The FTC has used this authority extensively to enforce against privacy policy violations, inadequate security, and unfair data practices — effectively functioning as a national privacy regulator absent a comprehensive federal law.
Plus, US businesses with EU/UK customers, employees, or website visitors face GDPR and UK GDPR; those with Canadian customers face PIPEDA; those with Brazilian customers face LGPD; and so on for any country where data subjects reside.
State comprehensive privacy laws
As of 2025, well over a dozen states have enacted comprehensive consumer privacy laws and more pass each year. While each law is distinct, common features have emerged:
- Applicability thresholds. Most apply to businesses processing personal data of a minimum number of state residents per year (commonly 100,000) or deriving significant revenue from data sales. Some have revenue thresholds.
- Definitions. "Personal data" broadly (any information linked or linkable to an identified or identifiable person). "Sensitive data" categories (racial/ethnic, religious, health, sexual orientation, immigration, precise geolocation, biometric, children's data, etc.) get heightened treatment.
- Consumer rights. Access, deletion, correction, portability, opt-out of sale/sharing/targeted advertising/profiling. Sensitive data often requires opt-in consent.
- Controller/processor distinction. Controllers determine purposes and means of processing; processors act on the controller's behalf. Contracts between them are required.
- Data minimization and purpose limitation. Process only what's necessary for disclosed purposes.
- Privacy policy/notice requirements. Disclosure of processing activities, categories of data, purposes, sharing, rights, contact.
- Universal opt-out mechanisms. Several states require honoring browser-based opt-out signals (GPC — Global Privacy Control).
- Enforcement. Typically by state attorney general; California also has the California Privacy Protection Agency. Private right of action is limited (CCPA allows it for certain data breaches).
Compliance practice for multi-state businesses: identify the most-stringent applicable law and build to that standard, with state-specific overlays where required (e.g., specific California financial incentive disclosures). The IAPP's state law tracker is a useful resource for current status.
CCPA/CPRA in detail
California's law applies to for-profit businesses that do business in California and meet at least one of:
- Annual gross revenues over $25 million
- Buy, sell, or share personal information of 100,000+ California consumers or households annually
- Derive 50%+ of annual revenue from selling or sharing personal information
Consumer rights:
- Right to know. Categories and specific pieces of personal information collected, sources, purposes, third parties.
- Right to delete. Subject to exceptions (transaction completion, legal obligations, security, etc.).
- Right to correct. Inaccurate personal information.
- Right to opt-out of sale/sharing. "Sale" is defined broadly; "sharing" covers cross-context behavioral advertising.
- Right to limit use of sensitive personal information. SPI used beyond what's necessary to provide the service must allow opt-out.
- Right to non-discrimination. For exercising privacy rights.
- Right to opt-in for minors. Sale/sharing of personal information of consumers under 16 requires opt-in: from the consumer if aged 13 to 15, from a parent or guardian if under 13.
Business obligations include privacy notice at collection, comprehensive privacy policy, response procedures for rights requests (with statutory deadlines), data minimization, purpose limitation, contracts with service providers and contractors that pass through obligations, and (under CPRA) reasonable security and certain cybersecurity audits / risk assessments for high-risk processing.
The California Privacy Protection Agency (CPPA) issues regulations and enforces alongside the Attorney General. Penalties: civil penalties for violations, with intentional violations and violations involving consumers under 16 carrying higher amounts; statutory damages per consumer per incident for certain data breaches under the private right of action.
GDPR reach into US businesses
The EU General Data Protection Regulation (GDPR) applies to US businesses that either:
- Offer goods or services to data subjects in the EU/EEA (regardless of payment), or
- Monitor the behavior of data subjects in the EU/EEA (including via cookies and analytics).
A US business with EU customers, EU employees, or EU-based website visitors tracked for advertising or analytics generally falls within GDPR scope. The UK GDPR (post-Brexit) applies similarly to UK data subjects.
Key obligations:
- Lawful basis for processing. Consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Data subject rights. Access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, rights related to automated decision-making.
- Transparency. Comprehensive privacy notice satisfying Articles 13/14.
- Records of processing activities (Article 30).
- Data Processing Agreements with processors (Article 28).
- Data Protection Officer in certain cases.
- EU representative for non-EU controllers in scope (Article 27).
- Data Protection Impact Assessments for high-risk processing (Article 35).
- Breach notification. 72 hours from becoming aware of the breach to notify the supervisory authority (unless the breach is unlikely to result in risk); affected individuals without undue delay if the risk is high.
- International transfer mechanisms for moving data outside the EEA (see below).
GDPR penalties: up to €20 million or 4% of annual global turnover, whichever is higher, for serious violations. Several US businesses have been subject to substantial GDPR fines.
Federal sectoral laws
HIPAA (Health Insurance Portability and Accountability Act). Covers covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. Requires safeguards on protected health information (PHI), breach notification, written agreements with business associates. Enforced by HHS Office for Civil Rights with significant penalty exposure.
GLBA (Gramm-Leach-Bliley Act). Financial institutions broadly defined — banks, broker-dealers, insurance, but also tax preparers, mortgage brokers, debt collectors. Requires Safeguards Rule (information security program), Privacy Rule (privacy notices to consumers), Pretexting provisions.
COPPA (Children's Online Privacy Protection Act). Online services directed to children under 13, or those with actual knowledge of collecting personal information from children under 13. Requires verifiable parental consent, privacy notice, data minimization, deletion on request. FTC enforced; very high per-violation penalties.
FERPA (Family Educational Rights and Privacy Act). Educational institutions receiving federal funding; restricts disclosure of education records.
TCPA (Telephone Consumer Protection Act). Restrictions on robocalls, autodialers, prerecorded messages, and SMS marketing. Substantial statutory damages per violation; significant private litigation.
CAN-SPAM Act. Commercial email messages must include accurate header, identification as advertisement (if applicable), valid physical address, conspicuous opt-out, and honor opt-outs within 10 business days.
FCRA (Fair Credit Reporting Act). Use of consumer reports for employment, credit, insurance. Notice, consent, and adverse action requirements.
FTC Act enforcement
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in or affecting commerce." The FTC applies this to privacy in two ways:
- Deception. Saying one thing in the privacy policy and doing another. The FTC has brought scores of cases against companies whose actual practices diverged from their disclosures.
- Unfairness. Practices that cause substantial harm to consumers, not outweighed by benefits, that consumers couldn't reasonably avoid. Used for data security failures and certain dark patterns.
FTC consent orders often require 20 years of compliance commitments, third-party assessments, and significant penalty exposure for any subsequent violation.
Breach notification
All 50 states, DC, Puerto Rico, and several US territories have breach notification laws. Common elements:
- Trigger. Unauthorized acquisition (or unauthorized access in some states) of personal information; some states require risk of harm before notification is triggered.
- Definition of personal information. Typically name plus a sensitive identifier (SSN, driver's license, financial account number with security code, sometimes medical information, biometric data, online credentials).
- Timeline. "Most expedient time possible and without unreasonable delay" in many states; specific deadlines in others (Connecticut: 60 days; Florida: 30 days; etc.).
- Notification content. Required elements vary — date of breach, types of data, contact info for the business, what consumers can do, free credit monitoring in some cases.
- Recipient. Affected residents; in many states, the AG (above a threshold), credit reporting agencies, and consumer protection agencies; in some, media notification for large breaches.
- Substitute notice. Available if notification cost exceeds a threshold or affected number is large.
For multistate breaches, response counsel typically uses a 50-state matrix to coordinate notifications across jurisdictions with different requirements. The differences between states' definitions of triggering data, timeline, and content make breach response a complex multi-jurisdiction exercise.
HIPAA, GLBA, and federal contractor regulations add federal breach notification overlays. The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material.
Privacy policy
A privacy policy is the primary public-facing privacy disclosure. Required by:
- California (CalOPPA, predating CCPA, applies to commercial websites collecting personal information from Californians)
- CCPA/CPRA and other state comprehensive laws (specific content requirements)
- GDPR (Articles 13/14 transparency)
- COPPA (for child-directed services)
- HIPAA (Notice of Privacy Practices)
- GLBA (initial and annual privacy notices)
Practical contents:
- Identity and contact of the business (and EU representative if applicable, DPO if applicable)
- Categories of personal information collected, with sources
- Purposes of processing
- Lawful basis (for GDPR)
- Categories of recipients (including service providers, sub-processors, advertising partners)
- International transfers (mechanisms)
- Retention periods or criteria
- Consumer rights and how to exercise them
- Right to lodge complaints with regulators
- Cookies and similar tracking technologies (often a separate cookie policy)
- Children's data treatment
- Sensitive data treatment
- Sale/sharing/targeted advertising disclosure and opt-out
- Effective date and amendment history
Layered notices are common: a short, accessible summary linked to the full policy. "Notice at collection" required by CCPA is a separate, just-in-time disclosure of categories and purposes at the point of data collection.
Data processing agreements
Controllers and processors (in GDPR terms) or businesses and service providers (in CCPA terms) must have written contracts addressing data processing. Required elements:
- Subject matter, duration, nature, purpose
- Categories of personal data and data subjects
- Processor obligations (process only on documented instructions, confidentiality, security, sub-processor controls, data subject rights assistance, breach notification, audit rights, return/deletion on termination)
- Sub-processor authorization and chain of contracts
Standard practice: a master Data Processing Agreement (or Addendum to the main services agreement) that incorporates the regulatory requirements. Many vendors publish a standard DPA on their websites that customers accept by reference; some negotiate custom terms with enterprise customers.
International data transfers
GDPR restricts transfers of personal data from the EEA to "third countries". The US has no general adequacy decision; only companies certified under the Data Privacy Framework benefit from one. Permitted transfer mechanisms:
- Adequacy decisions. European Commission has determined the third country provides adequate protection. The EU-US Data Privacy Framework (DPF, 2023) provides a route for US companies that self-certify.
- Standard Contractual Clauses (SCCs). EU-approved contract clauses imposing data protection obligations on the importer.
- Binding Corporate Rules. For intra-group transfers within a multinational, after regulator approval.
- Derogations. Limited exceptions for specific situations (explicit consent, contract necessity, etc.) — not for routine bulk transfers.
The Schrems II decision (2020) invalidated the prior Privacy Shield and required Transfer Impact Assessments for SCC-based transfers, considering whether the destination country's surveillance laws undermine the SCCs. The 2023 EU-US DPF was designed to address Schrems II concerns; it remains subject to challenge. Check current status before relying on a particular mechanism.
Privacy impact assessments
GDPR Article 35 requires Data Protection Impact Assessments (DPIAs) for processing likely to result in high risk to rights and freedoms — profiling, large-scale special category processing, large-scale monitoring of public areas. CPRA introduced "risk assessment" requirements for processing presenting significant risk. Other state laws (Connecticut, Colorado, others) have similar requirements.
A standard PIA/DPIA covers: description of the processing, necessity and proportionality assessment, risk assessment for data subjects, and mitigation measures. Many privacy programs use a standardized template and trigger PIA review before launching new products or significant processing changes.
Cookies and online tracking
Cookies and similar tracking technologies face overlapping requirements:
- ePrivacy Directive (EU). Consent required for non-essential cookies, separate from GDPR. Implementation varies by EU member state.
- CCPA/CPRA. Tracking for cross-context behavioral advertising is "sharing" subject to opt-out. Sale/share opt-out link required.
- Global Privacy Control (GPC). Browser signal that several state laws (California, Colorado, Connecticut) require honoring as an opt-out.
- Industry standards. IAB Multi-State Privacy Agreement (MSPA), Global Privacy Platform (GPP), TCF (Transparency and Consent Framework) for EU.
Standard implementation: a consent management platform (CMP) that surveys the cookies set, categorizes them (strictly necessary, functional, analytics, advertising), and presents a banner or notice with controls. Different regional rules require different consent flows — opt-in for the EU, opt-out for California sale/sharing.
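The decision logic a CMP or a server-side gate has to implement for the two models above, as an added example that is not part of the original guide or of any vendor's product. It assumes the visitor's region has already been resolved upstream (for example from geo-IP), that request headers arrive as a plain object with lowercase keys the way Node's http module delivers them, and that stored consent is a hypothetical object such as { analytics: true, advertising: false }. The GPC header name, its value "1", and the /.well-known/gpc.json resource come from the Global Privacy Control specification; the treatment of a GPC signal as overriding an earlier "advertising: true" cookie is a conservative design choice, labelled as such in the code.

```javascript
// Added example, not code from the original guide or from any named vendor.
// Decides which cookie/tracker categories a page may load, given the visitor's
// region, the Global Privacy Control (GPC) request header, and any stored consent.
// Assumptions (hypothetical): region is resolved upstream (e.g. geo-IP); headers
// is a plain object with lowercase keys as Node's http module provides; stored
// consent is an object like { analytics: true, advertising: false }.

const CATEGORIES = ['strictly-necessary', 'functional', 'analytics', 'advertising'];

// Consent model per region. Opt-in follows the ePrivacy Directive (consent before
// any non-essential cookie is set); opt-out follows CCPA/CPRA and the Colorado and
// Connecticut laws, which require honoring GPC as an opt-out of sale/sharing and
// targeted advertising. Regions not listed fall back to opt-out (an assumption).
const CONSENT_MODEL = {
  EU: 'opt-in',
  UK: 'opt-in',
  'US-CA': 'opt-out',
  'US-CO': 'opt-out',
  'US-CT': 'opt-out',
};

// GPC is signalled by the request header `Sec-GPC: 1` (browsers also expose it as
// navigator.globalPrivacyControl). Only the literal value "1" means the signal is set.
function gpcEnabled(headers) {
  return String(headers['sec-gpc'] ?? '').trim() === '1';
}

// Returns the categories that may be loaded for this request, in CATEGORIES order.
function allowedCategories({ region, headers = {}, consent = {} }) {
  const model = CONSENT_MODEL[region] ?? 'opt-out';
  const allowed = new Set(['strictly-necessary']); // always permitted

  for (const category of CATEGORIES.slice(1)) {
    if (model === 'opt-in') {
      // Nothing non-essential without an affirmative, recorded choice.
      if (consent[category] === true) allowed.add(category);
    } else {
      // Opt-out: load unless the consumer objected. An explicit false is an
      // opt-out; an undefined value means no choice has been made yet.
      if (consent[category] !== false) allowed.add(category);
    }
  }

  // GPC is an opt-out of sale/sharing, i.e. cross-context behavioral advertising.
  // Design choice (conservative): the browser signal wins even over a prior cookie
  // saying "advertising: true"; the CPRA regulations let a business instead notify
  // the consumer of the conflict, which this code does not model.
  if (gpcEnabled(headers)) allowed.delete('advertising');

  return [...allowed];
}

// Body for the /.well-known/gpc.json resource defined by the GPC specification,
// which tells clients that the site honors the signal. lastUpdate is an ISO date.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests (not captured traffic) covering both models.
function demo() {
  return {
    euNoConsent: allowedCategories({ region: 'EU', headers: {} }),
    euConsented: allowedCategories({ region: 'EU', consent: { analytics: true, advertising: true } }),
    caNoChoice: allowedCategories({ region: 'US-CA', headers: {} }),
    caGpc: allowedCategories({ region: 'US-CA', headers: { 'sec-gpc': '1' } }),
    caGpcOverridesConsent: allowedCategories({
      region: 'US-CA', headers: { 'sec-gpc': '1' }, consent: { advertising: true },
    }),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { gpcEnabled, allowedCategories, gpcWellKnown, demo };
}
```

Run with `node` and inspect `demo()`: an EU visitor with no recorded choice gets only strictly necessary cookies, a California visitor with no recorded choice gets everything, and a California visitor sending Sec-GPC: 1 loses the advertising category regardless of what an older consent cookie says. The function is deliberately pure so the same decision can be logged for the audit trail regulators ask for when a GPC complaint arrives.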
Common mistakes
- Privacy policy that doesn't match practices. Single most common cause of FTC actions. The policy must accurately describe what actually happens.
- Assuming "we don't sell data" means CCPA doesn't apply. "Sale" is defined broadly and includes some advertising-related data transfers. "Sharing" was added in CPRA to cover targeted advertising scenarios.
- Treating cookies as low-risk. EU regulators have brought significant cases over cookie consent. US state laws are moving toward stricter opt-out enforcement.
- Vendor compliance assumed. Sub-processors' practices flow up to the controller. Vendor diligence matters.
- No incident response plan. When a breach happens, time to notification starts immediately. A pre-built plan with response counsel, forensic firm, and notification template saves days.
- Sending unsolicited marketing without consent. CAN-SPAM is laxer (opt-out works); TCPA on SMS and calls is opt-in and has produced massive class actions.
- Children's data without thinking about COPPA. Apps and services attractive to children even when not "directed to" them can fall within COPPA's "actual knowledge" trigger.
- EU users on a US-only privacy posture. Anyone in the EU/UK can be a data subject; even small EU exposure triggers GDPR obligations.
- Skipping the DPA. Without a written processor agreement, both sides are in violation of GDPR and CCPA.
FAQ
Do small businesses need a privacy policy? Yes, in most cases. California's CalOPPA applies to any commercial website collecting personal information from Californians, regardless of size. GDPR has no small-business exemption. Industry-specific laws (HIPAA, GLBA, COPPA) don't depend on size.
Is there a federal privacy law? No comprehensive federal law as of writing. Multiple bills have been proposed; none has passed. Federal sectoral laws apply in specific contexts. Watch for developments — this changes.
What's the difference between controller and processor? Controller decides why and how data is processed; processor handles data on behalf of a controller. SaaS vendors are typically processors; the customer using the SaaS is the controller. CCPA uses "business" and "service provider" with similar meaning.
Do we need a Data Protection Officer? Required under GDPR for public authorities and businesses whose core activities involve large-scale monitoring or sensitive data processing. Not universally required for US-only businesses; optional but useful for privacy programs at any scale.
How long do we have to respond to a consumer rights request? 45 days under CCPA/CPRA (extendable by 45 more); one month under GDPR (extendable by two more in complex cases); other state laws have similar timelines.
Can we charge for handling privacy requests? Generally no, unless requests are manifestly unfounded or excessive. Don't condition service on waiver of privacy rights (CCPA non-discrimination provision).
What constitutes a breach? Differs by law. Generally: unauthorized acquisition or access to personal information. Some laws require a risk assessment before notification is triggered.
Is encryption mandatory? Often a safe harbor or mitigating factor rather than a strict requirement. CCPA private right of action requires unencrypted personal information. GLBA Safeguards Rule has specific encryption requirements.