# U.S. Data Privacy Law: Sectoral Laws and State Rights
The U.S. has no federal omnibus privacy law. Explore how COPPA, FERPA, HIPAA, and GLBA work, California's CCPA/CPRA rights, and how the patchwork compares to the GDPR.
## No Omnibus Law in the World's Largest Digital Economy
The United States remains the only major developed economy without a comprehensive federal data privacy law governing commercial use of personal information. While the European Union's General Data Protection Regulation (GDPR) sets a single standard applicable across 27 countries, American privacy protection is a patchwork: sector-specific federal laws, the FTC's limited enforcement authority under Section 5 of the FTC Act, and an accelerating wave of state legislation that forces U.S. companies to navigate up to 20 different compliance regimes simultaneously.
## The Four Major Federal Sector Laws
| Law | Full Name | Sector Covered | Regulator |
|---|---|---|---|
| COPPA | Children's Online Privacy Protection Act (1998) | Online services directed to children under 13 | FTC |
| FERPA | Family Educational Rights and Privacy Act (1974) | Student education records at federally funded institutions | Dept. of Education |
| HIPAA | Health Insurance Portability and Accountability Act (1996) | Protected health information held by covered entities and business associates | HHS Office for Civil Rights |
| GLBA | Gramm-Leach-Bliley Act (1999) | Non-public personal information held by financial institutions | FTC, banking regulators |
These laws share a common limitation: they cover specific data types in specific industries. A health app that is not a HIPAA "covered entity" (a healthcare provider, insurer, or clearinghouse) is not subject to HIPAA — even if it collects sensitive health data. The FTC sued Premom in 2023 for sharing fertility tracking data with third parties without proper disclosure, using its general Section 5 authority rather than any specific privacy statute.
## COPPA: Children's Privacy in Practice
COPPA requires verifiable parental consent before collecting personal information from children under 13, prohibits conditioning participation on disclosure of more information than reasonably necessary, and mandates data security safeguards. The FTC updated COPPA rules in 2013 to cover persistent identifiers (cookies), geolocation data, and photos and videos. A 2024 COPPA 2.0 proposal would extend coverage to teens aged 13–16 for certain purposes, though it had not been finalized as of early 2026.
Enforcement is serious. In 2019, the FTC fined YouTube (Google) $170 million for COPPA violations — the largest COPPA penalty ever at the time. In 2022, the FTC fined WW International (formerly Weight Watchers) $1.5 million and required deletion of improperly collected children's data.
## California's CCPA and CPRA
The California Consumer Privacy Act (CCPA), effective January 1, 2020, was the most comprehensive U.S. privacy law at the time of its passage. The California Privacy Rights Act (CPRA), passed by voter initiative in November 2020 and fully effective January 1, 2023, significantly expanded the CCPA. Together they give California residents:
- Right to know: What personal information is collected, used, shared, or sold
- Right to delete: Request deletion of personal information subject to specified exceptions
- Right to opt-out of sale or sharing: Including behavioral advertising targeting — operationalized through the "Do Not Sell or Share My Personal Information" link
- Right to correct: Inaccurate personal information (added by CPRA)
- Right to limit use of sensitive personal information: Added by CPRA — covers SSNs, financial data, health information, precise geolocation
- Right of no retaliation: Businesses may not discriminate in price or service for exercising rights
CPRA also created the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement agency in the U.S., with authority to conduct audits, issue regulations, and levy fines up to $2,500 per violation or $7,500 per intentional violation.
## State Privacy Law Comparison Table
| State | Law | Effective Date | Private Right of Action |
|---|---|---|---|
| California | CCPA/CPRA | Jan 1, 2023 | Limited (data breach only) |
| Virginia | VCDPA | Jan 1, 2023 | No (AG enforcement only) |
| Colorado | CPA | July 1, 2023 | No (AG enforcement only) |
| Connecticut | CTDPA | July 1, 2023 | No |
| Texas | TDPSA | July 1, 2024 | No |
| Oregon | OCPA | July 1, 2024 | Limited |
## GDPR Comparison: Opt-In vs. Opt-Out
The GDPR's fundamental architecture differs from U.S. law in two critical ways. First, GDPR requires a lawful basis for every personal data processing activity — consent, contract, legal obligation, vital interest, public task, or legitimate interest — before data is collected or used. U.S. laws generally use an opt-out model: companies may collect and use data unless the consumer objects. Second, GDPR applies based on where the data subject is located, not where the company is incorporated, giving it extraterritorial reach over any company serving EU residents. Meta's Irish subsidiary was fined €1.2 billion ($1.3 billion) in May 2023 — the largest GDPR fine ever — for transferring EU user data to U.S. servers under inadequate safeguards.
This article is for informational purposes only and does not constitute legal advice.