United States — Privacy
This guide examines the fragmented US privacy regulatory landscape: sectoral federal laws (HIPAA, GLBA, COPPA) administered by the FTC and sector regulators, state-level comprehensive privacy statutes (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, and 22+ others), and emerging state legislation addressing children’s privacy and algorithmic transparency. We address the absence of omnibus federal privacy law, multi-jurisdictional compliance strategies for state-by-state rules, California AG enforcement patterns and private right of action liability, sectoral law complexity (healthcare, financial services), and pattern-based engineering approaches (jurisdictional metadata, purpose-limited storage, Rights APIs). This guide is for organizations determining applicability thresholds and building compliance stacks across US state jurisdictions.
TL;DR (Quick Answer)
Key points:
- US has NO single federal privacy law; instead use sectoral rules (HIPAA, GLBA, COPPA) + state laws (California, Virginia, Colorado, etc.)
- State laws are expanding rapidly; California CPRA and new state statutes grant consumer rights (access, delete, opt-out)
- FTC and state AGs enforce; fines vary ($500K to $7B+ depending on law and violation)
What you must do today: Build a jurisdiction mapper to detect user state/location. Implement consumer preference center (access, delete, opt-out). Separate children’s data flows (COPPA requires parental consent for under-13).
→ Download US Privacy Compliance Checklist (PDF)
Authoritative / tracking resources:
- California Attorney General — CPRA/CCPA resources: https://oag.ca.gov/privacy/ccpa
- National Conference of State Legislatures (NCSL) — state privacy bill tracker: https://www.ncsl.org/
- International Association of Privacy Professionals (IAPP) state law tracker and resources: https://iapp.org/
- Overview — no single federal law
As of 2026, the US does not have a single comprehensive federal consumer privacy law. Instead, privacy obligations arise from:
- Sectoral federal statutes (HIPAA for health, GLBA for financial institutions, COPPA for children’s online privacy),
- State consumer privacy statutes that grant rights such as access, deletion, and opt-out (e.g., CPRA in California, VCDPA in Virginia, CPA in Colorado), and
- Regulatory enforcement by agencies (FTC enforcement of unfair or deceptive practices; state AGs prosecuting violations).
- Mapping applicability: jurisdictional & sectoral matrix
Implement a policy engine that maps a request or feature to applicable laws by evaluating:
- User location (billing, geo-IP, account profile),
- Data categories (health, financial, children), and
- Business attributes (are you a covered entity under HIPAA? do you target California consumers?).
- State privacy laws — common patterns and important variations
Most modern state privacy laws contain a set of consumer rights (access, deletion, correction, portability), an opt-out right for targeted advertising or sale/sharing, and obligations around notices and data minimisation. Differences to watch:
- Thresholds and exemptions (SMB carve-outs, employee data exclusions),
- Definitions of “sale” or “sharing” and measurement of consumer targeting,
- Age-related rules and sensitive data definitions.
- Practical engineering patterns
- Jurisdiction-aware policy layer: centralised service that evaluates which legal rules apply and returns enforcement directives to downstream services.
- Preference center & signal propagation: expose a user-facing preferences UI and propagate choices to analytics, ad platforms, and marketing systems.
- Audit trails & logging: maintain immutable logs for DSAR workflows and consent receipts.
- Data minimisation & segmentation: avoid collecting unnecessary identifiers and separate sensitive processing into isolated pipelines with stricter controls.
- Sectoral compliance examples
- HIPAA: encryption at rest/in-transit, access logging, Business Associate Agreements (BAAs) with vendors.
- GLBA: safeguards rule requiring information security programs and risk assessments for financial institutions.
- COPPA: parental consent flows and COPPA-compliant data handling for services targeted at children under 13.
- Enforcement & penalties
Enforcement differs by law: CPRA enables AG and Attorney General enforcement; FTC pursues unfair or deceptive practices, and state AGs may bring enforcement actions. Financial and healthcare sectors have their own enforcement regimes with substantial penalties for breaches.
- Example developer checklist (US)
- Implement a jurisdiction mapper and attach
appliesTo[]metadata to new features. - Expose a privacy preference API to downstream consumers and third-party SDKs.
- Maintain a DSAR pipeline with identity verification, export tooling, and automated purge scripts covering backups and analytics.
- Segregate children’s data workflows and flag data subject to HIPAA/GLBA for additional controls.
Enforcement Case Studies: US Privacy
Case 1: Meta (Facebook) — FTC Fine $5B (2019, CCPA Settlements) — Privacy Violations & Misleading Practices
What happened: Meta misled users about privacy controls. Privacy settings that appeared to limit data sharing didn’t fully prevent third-party app access. Users couldn’t opt-out of targeted ads.
FTC finding: Meta’s practices were unfair and deceptive (FTC Act Section 5). Consent mechanisms were illusory; users had no real control over data use.
Penalty: $5B settlement (at the time, largest FTC fine ever); required to implement privacy by design, conduct DPIAs, and certify compliance annually.
Lesson: Consent UI must provide real control. Opt-out mechanisms must work. Misleading privacy settings result in substantial fines and reputational damage.
Case 2: TikTok Inc. — FTC Investigation (2019–2023) — COPPA & Children’s Data
What happened: TikTok collected biometric data (face, voiceprints) from users without parental consent. Platform failed to implement age-gating and collected data from children under 13.
FTC finding: Violated COPPA (Children’s Online Privacy Protection Act) by collecting personal information from children without verifiable parental consent.
Penalty: $5.7M fine (2023); required to implement age verification, parental consent workflows, and data minimization for child users.
Lesson: If your product attracts users under 13, COPPA compliance is mandatory. Implement age verification, parental consent, and strict data minimization for children’s data.
Case 3: Equifax Data Breach — $700M Settlement (2017 Breach, 2019 Settlement)
What happened: Equifax (credit reporting agency) failed to patch a known vulnerability. Attackers accessed 147M individuals’ personal data (SSN, DOB, addresses). Breach went undetected for months.
Regulatory finding: Equifax violated GLBA (Gramm-Leach-Bliley Act) security rules and failed to notify individuals promptly. State AGs and FTC pursued enforcement.
Penalty: $700M settlement (largest data breach settlement at time); required identity monitoring for affected individuals, enhanced security practices, and annual compliance audits.
Lesson: Maintain patch management discipline and breach detection systems. Notify regulators and individuals within mandated timelines. Poor breach response multiplies penalties.
Cross-Border Compliance
If a US-based organisation processes EU/UK personal data, the EU/UK transfer rules apply in addition to any US-specific obligations. Implement dual compliance workflows where necessary (EU SCCs + local risk assessments).
- References and resources
- CPRA/CCPA: https://oag.ca.gov/privacy/ccpa
- NCSL state privacy tracker: https://www.ncsl.org/
- IAPP resources: https://iapp.org/
This guide is intentionally operational: engineering teams should treat US privacy compliance as a rules engine problem and centralise jurisdictional logic, consent management, and DSAR tooling to reduce fragmentation and repetitive implementation across services.
Code Example: Jurisdictional Privacy Mapper (JavaScript)
Determine applicable laws based on user location and data type:
class PrivacyComplianceEngine {
// Map user location to applicable privacy laws
getApplicableLaws(userProfile: {
ip_address: string,
home_state: string,
signup_country: string,
data_type: 'consumer_profile' | 'health' | 'financial' | 'children'
}): string[] {
const laws = [];
// Determine primary jurisdiction
const userState = userProfile.home_state;
// Federal laws always apply
if (userProfile.data_type === 'health') {
laws.push('HIPAA'); // Federal health law
}
if (userProfile.data_type === 'financial') {
laws.push('GLBA'); // Gramm-Leach-Bliley Act
}
if (userProfile.data_type === 'children') {
laws.push('COPPA'); // Children's Online Privacy Protection Act
}
// State-specific laws
if (userState === 'CA') {
laws.push('CPRA'); // California Privacy Rights Act (strongest)
} else if (['CO', 'CT', 'DE', 'IN', 'IA', 'KY', 'ME', 'MD', 'MI', 'MN', 'MS', 'MO', 'MT', 'NE', 'NH', 'NJ', 'NM', 'NV', 'NY', 'OR', 'TX', 'UT', 'VA'].includes(userState)) {
laws.push('STATE_PRIVACY_LAW'); // CPA, VCDPA, UCPA equivalents
}
// EU residents also subject to GDPR
if (userProfile.signup_country === 'EU') {
laws.push('GDPR');
}
return laws;
}
// Get DSAR compliance requirements by jurisdiction
getDSARRequirements(applicableLaws: string[]): {
response_deadline: number, // days
formats_required: string[],
verification_method: string,
opt_out_mechanism: string
} {
const strictest = {
response_deadline: 30, // GDPR and CPRA stricter than most state laws
formats_required: ['json', 'csv', 'portable_format'],
verification_method: 'multi_factor', // Email + secondary verification
opt_out_mechanism: 'email_form'
};
// California CPRA: 45 days (some claim earlier start date)
if (applicableLaws.includes('CPRA')) {
strictest.response_deadline = Math.min(strictest.response_deadline, 45);
}
// GDPR: 30 days
if (applicableLaws.includes('GDPR')) {
strictest.response_deadline = Math.min(strictest.response_deadline, 30);
}
return strictest;
}
}
// Usage example
const engine = new PrivacyComplianceEngine();
const laws = engine.getApplicableLaws({
ip_address: '73.45.122.5',
home_state: 'CA',
signup_country: 'US',
data_type: 'consumer_profile'
});
// Output: ['CPRA', 'GDPR']
const dsarReqs = engine.getDSARRequirements(laws);
// Output: { response_deadline: 30, formats_required: ['json', 'csv'], ... }Workflow: US CCPA Opt-Out & Consumer Preference Center
┌────────────────────────────────────┐
│ User Accesses Privacy Controls │
│ (Consumer Preference Center) │
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Step 1: Identify Applicable Laws │
│ - Detect user jurisdiction │
│ - Map to state privacy laws │
│ - Load CCPA/state controls │
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Step 2: Display Preference Options │
│ - Opt-out of sale/sharing │
│ - Opt-out of targeted ads │
│ - Delete account & data │
│ - Download my data │
│ - Correct inaccurate info │
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Step 3: User Makes Selection │
│ - "Opt-out of Sale of Data" │
│ - "Do Not Sell My Personal Info" │
│ - Confirm by email (optional) │
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Step 4: Store Preference Signal │
│ - consumer_opt_out: true │
│ - opt_out_timestamp: 2026-05-19 │
│ - opt_out_jurisdiction: 'CA' │
│ - opt_out_signature: 'user_email' │
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Step 5: Enforce Across Services │
│ - Block data sharing with vendors │
│ - Remove from ad networks │
│ - Suppress data use for targeting │
│ - Propagate to processors (30 days)│
└────────────┬───────────────────────┘
│
▼
┌────────────────────────────────────┐
│ Opt-Out Honored Within 45 Days │
│ (CCPA timeline: verify monthly) │
└────────────────────────────────────┘Workflow: Multi-State DSAR Compliance (Phased Approach)
┌─────────────────────────────────────┐
│ User Requests DSAR (Any Jurisdiction)│
│ (/privacy/my-data) │
└────────────┬───────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Phase 1: Detect Jurisdiction │
│ - User IP? Signup address? State? │
│ - Map to applicable law(s) │
└────────────┬───────────────────────┘
│
┌──────┴─────────────┬──────────┐
│ │ │
CA │ VA│ Other
│ │ │
▼ ▼ ▼
┌─────┐ ┌─────┐ ┌──────┐
│CPRA │ │VCDPA│ │ CPA │
│45d │ │45d │ │60d │
└─────┘ └─────┘ └──────┘
│ │ │
└────────┬───────────┴──────────┘
│
▼
┌─────────────────────────────────────┐
│ Phase 2: Compile Data (Stricter SLA)│
│ - Use 30-day deadline (GDPR-aligned)│
│ - Compile across: DB, logs, cache │
│ - Format: JSON or CSV required │
└────────────┬───────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Phase 3: Verify & Deliver │
│ - Encrypt download link │
│ - Expires in 7 days │
│ - Log delivery + expiration │
└────────────┬───────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Complete (30-day SLA = Safest) │
│ - California: 45 days max │
│ - Other states: up to 60 days │
│ - We deliver at 30-day mark │
└─────────────────────────────────────┘Related Guides & Resources
Global Overview:
- Data Protection Laws by Jurisdiction (Hub) — Compare US laws to other jurisdictions
Other Jurisdiction Guides:
- EU GDPR Compliance — EDPB guidance and transfer measures
- UK Data Protection — Post-Brexit rules and ICO guidance
- India DPDP Act — Fiduciary obligations and purpose limitation
- Brazil LGPD — ANPD enforcement and DPO requirements
- China PIPL — CAC security assessments and data residency
- Canada PIPEDA — Federal/provincial framework
- Australia Privacy Act — NDB scheme and APP compliance
- Japan APPI — PPC guidance and use limitation
- South Africa POPIA — DSAR and cross-border accountability
