
Data Privacy & Consumer Data Protection

14 min read·Updated May 12, 2026

The United States has no comprehensive federal data privacy law, a gap that distinguishes it from the EU, which has enforced the General Data Protection Regulation (GDPR) since 2018. U.S. data privacy law is a patchwork of sector-specific federal statutes and an accelerating proliferation of state comprehensive privacy laws. The federal statutes each cover one sector: HIPAA (health data), GLBA (financial data), COPPA (children under 13), FERPA (student records), ECPA (electronic communications), and FCRA (credit data). The FTC uses its Section 5 authority over unfair and deceptive practices as a de facto general privacy enforcement tool, but Section 5 carries no ordinary notice-and-comment rule-making power; the FTC can only write trade regulation rules through the slow Magnuson-Moss procedure, so it cannot readily set comprehensive privacy standards without new legislation. Since Virginia and Colorado followed California in 2021, 19+ states have enacted their own comprehensive privacy laws, creating a compliance patchwork for businesses that operate nationally. The California Privacy Rights Act (CPRA, which amended the 2018 CCPA) gives consumers rights to know what data is collected, delete it, correct it, opt out of its sale or sharing, and limit the use of sensitive personal information. The American Data Privacy and Protection Act (ADPPA), the most serious federal comprehensive privacy bill to date, passed the House Energy and Commerce Committee in 2022 but has stalled in Congress, primarily over whether it preempts California's law. U.S. companies that offer goods or services to people in the EU, or monitor their behavior there, must comply with GDPR regardless of where they are based, with fines of up to 4% of global annual turnover or €20 million, whichever is higher, making GDPR a de facto global standard for many large companies.

Current Law (2026)

  • Federal framework: sector-specific; no comprehensive federal privacy law (unlike the EU's GDPR)
  • Key federal statutes: GLBA (financial), HIPAA (health), COPPA (children), FERPA (education), ECPA (electronic communications), FCRA (credit reporting)
  • FTC enforcement: FTC Act § 5 unfair/deceptive practices authority, used as the de facto general privacy regulator
  • State comprehensive laws: 19+ states with comprehensive consumer privacy laws (California CCPA/CPRA, Virginia, Colorado, Connecticut, etc.)
  • COPPA age threshold: under 13; verifiable parental consent required before collecting personal information
  • GLBA applicability: financial institutions must provide privacy notices and protect customer data
  • HIPAA applicability: covered entities (health providers, plans, clearinghouses) and their business associates

Key statutory provisions:
  • 15 U.S.C. § 45 — FTC Act Section 5 (FTC authority to prohibit unfair or deceptive acts or practices in commerce; used as the primary federal enforcement tool against privacy violations — broken privacy promises, inadequate data security, deceptive data practices)
  • 15 U.S.C. § 6801-6809 — Gramm-Leach-Bliley Act / GLBA financial privacy (financial institutions must provide customers with privacy notices explaining data sharing practices; customers may opt out of sharing with nonaffiliated third parties; Safeguards Rule requires information security programs)
  • 15 U.S.C. § 6501-6506 — COPPA — Children's Online Privacy Protection Act (operators of websites/apps directed at children under 13 or that knowingly collect personal information from children must: post privacy policies, obtain verifiable parental consent, allow parents to review/delete data, maintain reasonable data security)
  • 42 U.S.C. §§ 1320d-1320d-9 — HIPAA Administrative Simplification provisions (the statutory basis for the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164: covered entities must protect individually identifiable health information; minimum necessary standard; patient rights to access, amend, and receive an accounting of disclosures; Business Associate Agreements required)
  • 18 U.S.C. §§ 2510-2522 — Electronic Communications Privacy Act, Title I (Wiretap Act): prohibits unauthorized interception of wire, oral, and electronic communications in transit and the use or disclosure of intercepted contents. ECPA's other two titles are the Stored Communications Act (Title II, next entry) and the Pen Register and Trap and Trace statute (Title III, 18 U.S.C. §§ 3121-3127), which governs real-time collection of non-content dialing, routing, addressing, and signaling information
  • 18 U.S.C. §§ 2701-2712 — Stored Communications Act (protects stored electronic communications and records held by service providers; compelled government access requires a warrant for content and a subpoena or § 2703(d) court order for non-content records; separately, Carpenter v. United States (2018) held that the Fourth Amendment requires a warrant for historical cell-site location information, so a § 2703(d) order alone no longer suffices for that data)
  • 47 U.S.C. § 222 — CPNI (telecommunications carriers must protect Customer Proprietary Network Information)

Implementing Regulations

The U.S. lacks a single comprehensive federal privacy regulation; rules are sector-specific:

  • 16 CFR Part 314 — FTC Safeguards Rule: information security program requirements for financial institutions under GLBA

  • 16 CFR Part 312 — COPPA Rule: verifiable parental consent procedures, privacy notice requirements, and data security for operators collecting children's data

  • 45 CFR Parts 160 & 164 — HIPAA Privacy and Security Rules: covered entity obligations, patient rights, minimum necessary standard, and administrative/technical/physical safeguards for health data

  • 12 CFR Part 1016 — CFPB Regulation P (Privacy of Consumer Financial Information): the CFPB's implementing rule for the Gramm-Leach-Bliley Act financial privacy provisions (15 U.S.C. § 6804), applicable to banks, credit unions, and other financial institutions supervised by the CFPB. Key provisions:

    • § 1016.4 — Initial privacy notice: financial institutions must give customers a clear and conspicuous notice of privacy policies when establishing a customer relationship; must be given to any consumer before disclosing their nonpublic personal information (NPPI) to a nonaffiliated third party
    • § 1016.5 — Annual privacy notice: existing customers must receive a privacy notice at least once per 12-month period; institutions that do not share NPPI with nonaffiliated third parties (other than under the permitted exceptions) and whose practices have not changed since the last notice qualify for the annual notice exception (created by the FAST Act of 2015, 15 U.S.C. § 6803(f), and implemented in Regulation P by a 2018 amendment, 83 FR 40958) and may instead post their notice online
    • § 1016.6 — Notice content: must disclose the categories of NPPI collected, categories disclosed to affiliates and nonaffiliated third parties, categories of data disclosed about former customers, and opt-out rights
    • § 1016.7 — Opt-out notice: if the institution shares NPPI with nonaffiliated third parties beyond the exceptions, it must give consumers a reasonable opportunity to opt out; opt out means "do not share my information" with those parties
    • § 1016.10 — Limits on disclosure to nonaffiliated third parties: NPPI may not be shared with nonaffiliated third parties unless the institution has provided notice, offered opt-out, and the consumer has not opted out — or an exception applies
    • § 1016.12 — Account number marketing prohibition: account numbers, access codes, or credit card numbers may not be shared with nonaffiliated third parties for use in telemarketing, direct mail, or email marketing — regardless of opt-out status
    • § 1016.13 — Service provider/joint marketing exception: the opt-out requirement does not apply when sharing NPPI with a service provider who performs functions on the institution's behalf under a contract prohibiting further disclosure
    • § 1016.14 — Transaction processing exception: NPPI may be shared as necessary to process or service a transaction the consumer requested (loan servicing, securitization, account maintenance) without triggering the opt-out requirement
    • § 1016.15 — Other exceptions: sharing with consumer's consent, for fraud prevention, for legal compliance, with auditors, attorneys, regulators, or rating agencies does not require notice or opt-out; these exceptions reflect that not all third-party data sharing is commercially motivated
  • 28 CFR Part 201 — Data Protection Review Court: the DOJ implementing regulations for the independent Data Protection Review Court (DPRC) created by President Biden's Executive Order 14086 (October 7, 2022) on "Enhancing Safeguards for United States Signals Intelligence Activities." The DPRC is a U.S.-side institution created specifically to secure the EU Commission's adequacy decision for transatlantic data flows under the EU-U.S. Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield in July 2023:

    • § 201.3 — DPRC judges: the Attorney General appoints judges (former federal judges or lawyers with national security experience) to the DPRC in consultation with the DNI and PCLOB; judges are appointed for renewable 4-year terms; they serve independently of the DOJ and cannot be removed except for cause; the DPRC is not an Article III court and its independence is structural (not constitutional), but its independence provisions were key to convincing the EU Commission that it provided meaningful redress
    • § 201.4 — Special Advocates: for each DPRC proceeding, the Attorney General appoints a Special Advocate — a cleared private attorney who acts as an adversarial advocate on behalf of the EU complainant in the classified proceedings; because DPRC proceedings are classified (involving national security information), the EU resident cannot personally appear or see classified evidence; the Special Advocate fills this role, ensuring there is a substantive advocate challenging the government's position even when the complainant cannot access the classified record
    • § 201.6 — Applying for review: an EU resident who submitted a qualifying complaint to the ODNI Civil Liberties Protection Officer (CLPO) and received an adverse determination may apply for DPRC review within 60 days; the application is filed with the DOJ Office of Privacy and Civil Liberties; the DPRC convenes a three-judge panel by rotation
    • § 201.9 — Consideration and decisions: the DPRC panel reviews the ODNI CLPO's determination to assess whether U.S. signals intelligence activities complied with the EO 14086 rules; if the DPRC finds a covered violation, it shall order "appropriate remediation," which may include deletion of data unlawfully collected; DPRC decisions are binding on the government; the complainant receives a notice indicating only whether a violation was found (not classified details)
    • § 201.10 — Interpretation: the DPRC must interpret EO 14086 exclusively under U.S. law and the U.S. legal tradition — it is not required to interpret U.S. signals intelligence law in light of EU law or the GDPR; this provision was important to U.S. intelligence agencies who did not want a U.S. body applying EU standards to their activities

    The DPRC was a novel institution created specifically to provide a legal mechanism for the EU-U.S. Data Privacy Framework's adequacy finding. The EU Court of Justice had struck down both the EU-U.S. Safe Harbor (2015, Schrems I) and Privacy Shield (2020, Schrems II) in large part because U.S. surveillance law lacked proportionality limits and gave EU residents no effective remedy against unlawful access to their data. The DPRC is meant to supply that remedy, though critics argue that an executive-created court without Article III independence, operating in classified proceedings with a government-appointed advocate, falls short of the effective judicial remedy required by Article 47 of the EU Charter of Fundamental Rights, the standard the Court applied in Schrems II. The first direct challenge to the DPF, Latombe v. Commission, was dismissed by the EU General Court in September 2025; a further appeal to the Court of Justice (the "Schrems III" scenario) would decide whether transatlantic data transfers can continue on the DPF basis or whether a new framework will again be needed.

How It Works

The United States does not have a single, comprehensive federal privacy law. Instead, privacy protection comes from a patchwork of sector-specific federal statutes, FTC enforcement, and increasingly, state comprehensive privacy laws.

Unlike the EU's GDPR, a single comprehensive law covering all personal data, U.S. federal privacy law is organized by sector. Financial data is governed by GLBA. Health data by HIPAA. Children's data by COPPA. Education records by FERPA. Credit data by FCRA. Electronic communications by ECPA. Each law has its own definitions, scope, requirements, and enforcement mechanisms, and data that doesn't fall into any of these categories (the vast majority of consumer data collected by tech companies, retailers, data brokers, and advertisers) has no comprehensive federal protection. The FTC has filled part of this gap using its Section 5 authority over "unfair or deceptive acts or practices": the FTC brings enforcement actions against companies that violate their own privacy policies (deception), fail to maintain reasonable data security (unfairness), or engage in egregious data collection without consent. Major FTC privacy actions have resulted in billions in penalties: Facebook/Meta ($5 billion, 2019), Equifax ($575 million and up to $700 million depending on claims, 2019, jointly with the CFPB and state attorneys general), Amazon/Ring ($5.8 million, 2023). Two limits matter in practice: the FTC cannot impose civil penalties for a first Section 5 violation (penalties attach to violations of an existing consent order or of a rule such as COPPA, which is why first actions typically end in 20-year consent orders), and its jurisdiction excludes nonprofits, banks, and common carriers.

The two strongest sector-specific privacy regimes are COPPA (children) and HIPAA (health). COPPA applies to commercial websites and online services directed to children under 13, or that have actual knowledge they are collecting data from children under 13; operators must obtain verifiable parental consent before collecting data and give parents access to and control over their children's information. The FTC enforces COPPA aggressively: penalties reached $170 million (YouTube/Google, 2019) and $275 million (Epic Games/Fortnite, 2022, the largest COPPA penalty to date, within a $520 million total settlement that also refunded charges induced by dark patterns). HIPAA's Privacy Rule governs how covered entities (healthcare providers, health plans, clearinghouses) and their business associates use and disclose protected health information: minimum necessary use, patient access and amendment rights, authorization for most disclosures outside treatment, payment, and operations, and breach notification to affected individuals and HHS without unreasonable delay and no later than 60 days after discovery. HIPAA does NOT cover health data held by non-covered entities (fitness apps, wellness platforms, genetic testing companies like 23andMe) unless they act as business associates. The gap that neither regime fills is being addressed at the state level: as of 2026, 19+ states have enacted comprehensive privacy laws modeled on the California Consumer Privacy Act (CCPA, 2018) and California Privacy Rights Act (CPRA, 2020), providing rights to know, delete, opt out of data sales, and limit use of sensitive data, with California's dedicated enforcement agency (CPPA) as the strongest implementation.

How It Affects You

If you're a consumer trying to understand or exercise your data rights, the answer depends almost entirely on where you live. Federal law protects specific types of data: your financial records (GLBA gives you the right to opt out of sharing with nonaffiliated third parties; look for your bank's privacy notice, which may now be posted online rather than mailed annually), your credit report (FCRA gives you one free report per year from each bureau at annualcreditreport.com, and the three bureaus now offer free weekly online reports; you also have the right to dispute inaccuracies and restrictions apply to who can pull your credit), and your health records (HIPAA gives you the right to access your medical records within 30 days, for no more than a reasonable, cost-based fee). For everything else (your browsing history, location data, purchase behavior, social media activity), federal protection is minimal. If you live in California, the CPRA gives you the right to know what data companies collect about you, delete it, correct inaccuracies, opt out of the sale or sharing of your data, and limit use of sensitive personal information. Exercise these rights directly with companies via their privacy request portals (typically linked from their privacy policy); complaints about companies that ignore requests go to the California Privacy Protection Agency at cppa.ca.gov. The other 18+ states with comprehensive laws grant similar (though generally less powerful) rights; check your state attorney general's website for your specific rights. If you're in a state without a comprehensive privacy law, your practical options are more limited: turn on the Global Privacy Control opt-out signal in your browser (a setting or extension that sends a Sec-GPC header, which sites covered by GPC-recognizing state laws must honor), request data deletion via company opt-out tools, and file FTC complaints at reportfraud.ftc.gov when companies violate their own privacy policies.

If you have children under 13 who use apps or websites, COPPA gives you meaningful, federally enforceable rights that most parents don't know to use. Before a commercial app or website can collect personal information from a child under 13, it must get verifiable parental consent, not just a checkbox. If a service collects your child's name, photos, location, persistent identifiers, or usage data without your consent, that's a potential COPPA violation. Your rights: review any personal information collected from your child, direct the company to delete it, and refuse further collection. To exercise these rights, contact the company through its privacy policy or the privacy contact it is required to provide. To report violations, file a complaint with the FTC at ftc.gov/complaint. The FTC has levied enormous COPPA penalties ($170 million against YouTube/Google in 2019 and $275 million against Epic Games/Fortnite in 2022, part of a $520 million settlement), so enforcement is real. Watch for apps that technically target "all ages" but clearly attract young children; if the operator has actual knowledge that it collects data from under-13 users, COPPA applies regardless of the stated age range. For teens 13-17, COPPA doesn't apply federally (some states extend protections), but many platforms offer parental control and supervision features voluntarily.

If you're a business collecting personal data from consumers, you are almost certainly operating under multiple overlapping legal frameworks simultaneously, and the compliance landscape has become significantly more complex since 2023. The core requirements by sector: financial data (GLBA Safeguards Rule: a written information security program overseen by a designated qualified individual, a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, an incident response plan, and, since May 2024, notification to the FTC within 30 days of discovering a security event affecting 500 or more consumers); health data (HIPAA: if you're a covered entity or business associate, you need a compliance program with a designated privacy officer, staff training, BAAs with vendors, and breach notification protocols); children's data (COPPA: if any portion of your audience could be under 13, you need an age screen or parental consent mechanism, or you must restrict collection to data that doesn't trigger COPPA). For the 19+ state privacy laws: California's CPRA is the most demanding (it applies to for-profit businesses with more than $25 million in annual gross revenue, inflation-adjusted, OR that buy, sell, or share the personal information of 100,000+ California consumers or households, OR that derive 50%+ of annual revenue from selling or sharing personal information), but Virginia, Colorado, Connecticut, and a dozen more states have their own laws with varying thresholds and requirements. If you operate nationally, design your privacy program around California's requirements as the high-water mark; a California-compliant program generally satisfies the other state laws with minor modifications, the main exception being the opt-in consent most other states require before processing sensitive data. Key universal requirements: maintain an accurate privacy policy, honor consumer rights requests within 45 days, have a mechanism to process opt-out of sale requests (including the Global Privacy Control browser signal in states that mandate it), and conduct data protection assessments for high-risk processing. The FTC can also bring enforcement actions against companies whose privacy practices don't match their privacy policies ("deceptive practices" enforcement under Section 5) even without a specific statutory violation.
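Honoring the universal opt-out signal is the one business requirement above that is implemented in code rather than in a policy document: a browser with Global Privacy Control turned on sends the request header Sec-GPC: 1, and a site subject to a state law that recognizes the signal must treat it as an opt-out of sale or sharing. The following is an added example, not code from any regulator, site, or the GPC project, showing how a web backend can detect the header, let it override a previously stored opt-in as the California regulations require, suppress the tags that would sell or share data, and keep an audit record. The request-header mapping, the tag inventory, the request IDs, and the lastUpdate date are constructed for the example.

```python
"""Honor the Global Privacy Control (GPC) opt-out signal in a web backend.

Added example: hypothetical middleware logic, not code from any real site.
Assumes the framework exposes request headers as a name -> value mapping.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Static body for GET /.well-known/gpc.json, which advertises GPC support.
# Field names follow the GPC specification; the date is constructed.
WELL_KNOWN_GPC_JSON = json.dumps({"gpc": True, "lastUpdate": "2026-05-12"})


@dataclass(frozen=True)
class Consent:
    """Effective sale/sharing consent for one request."""
    sell_or_share: bool   # True = the site may sell/share personal information
    source: str           # "default", "banner", "gpc", ... kept for audit logs


def gpc_asserted(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries `Sec-GPC: 1`.

    The GPC spec defines exactly one asserted value, "1"; "0", an empty or
    absent header, and the legacy DNT header do not count as an opt-out.
    Header names are compared case-insensitively because servers and
    proxies normalise them inconsistently.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_consent(headers: Mapping[str, str],
                    stored: Optional[Consent]) -> Consent:
    """Combine the GPC signal with any consent already stored for the user.

    California's CCPA regulations (11 CCR § 7025) require a business to
    process an opt-out preference signal even when it conflicts with a
    consent the user gave earlier (the business may then tell the user
    about the conflict). So the signal wins, and the source records why.
    """
    if gpc_asserted(headers):
        return Consent(sell_or_share=False, source="gpc")
    return stored if stored is not None else Consent(True, "default")


# Constructed tag inventory for the example; a real site loads this from config.
FIRST_PARTY_TAGS = ["first-party-analytics"]
SALE_OR_SHARE_TAGS = ["ad-network-pixel", "data-broker-sync"]


def tags_to_load(consent: Consent) -> List[str]:
    """Decide which third-party tags the page may include for this request.

    Tags that sell or share personal information (cross-context behavioural
    advertising pixels, broker syncs) are dropped when the user has opted out.
    """
    tags = list(FIRST_PARTY_TAGS)
    if consent.sell_or_share:
        tags += SALE_OR_SHARE_TAGS
    return tags


def audit_record(request_id: str, consent: Consent) -> dict:
    """Build the log entry a business keeps to show it honored the signal."""
    return {"request_id": request_id,
            "sell_or_share": consent.sell_or_share,
            "source": consent.source}


if __name__ == "__main__":
    # Constructed sample requests: one browser with GPC on, one without.
    with_gpc = {"Host": "shop.example", "Sec-GPC": "1"}
    without_gpc = {"Host": "shop.example", "DNT": "1"}   # DNT alone is not GPC
    prior_opt_in = Consent(sell_or_share=True, source="banner")
    for rid, hdrs in (("r1", with_gpc), ("r2", without_gpc)):
        c = resolve_consent(hdrs, prior_opt_in)
        print(audit_record(rid, c), tags_to_load(c))
```

The check deliberately ignores DNT: only Sec-GPC carries legal weight under the state laws that name the signal, and accepting any value other than "1" would let a misconfigured proxy opt users out (or, worse, a stray value fail to opt them out) without the user's choice being involved. Wire gpc_asserted into the same middleware that reads the stored consent cookie so the decision is made once per request, before any tag or server-side data transfer runs.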

If you're a healthcare provider or covered entity, HIPAA compliance is not optional and OCR enforces it with real penalties. The most common HIPAA violations and their practical implications: impermissible disclosures (sharing PHI with unauthorized parties, including family members without authorization or a permitted informal disclosure); lack of Business Associate Agreements (you must have signed BAAs with every vendor that creates, receives, maintains, or transmits PHI on your behalf: cloud storage providers, billing services, EHR vendors, IT support); insufficient access controls (workforce members should only access the PHI they need to do their jobs, and the Security Rule requires audit logs that let you prove it); failure to honor patient rights (patients have the right to receive their own records within 30 days, extendable once by 30 days; fees must be reasonable and cost-based, with OCR's optional flat fee for an electronic copy set at $6.50, so charging more than actual cost or imposing other barriers is a violation); and breach notification failures (affected individuals and HHS must be notified without unreasonable delay and no later than 60 days after discovery for breaches affecting 500+ individuals, with prominent media notice when 500+ residents of one state are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year). OCR investigates complaints filed at hhs.gov/hipaa/filing-a-complaint. Civil penalties, as inflation-adjusted in 2024, range from $141 per violation at the lowest culpability tier to an annual cap of $2,134,831 per provision violated. Practices that handle substance use disorder records face the stricter consent rules of 42 CFR Part 2, and many states impose additional protections for behavioral health and HIV/AIDS records beyond HIPAA.

State Variations

This is the most state-variable area in the entire wiki:

  • California (CCPA/CPRA): The strongest state law: a private right of action for data breaches caused by a failure to maintain reasonable security, a dedicated enforcement agency (CPPA), a right to limit use and disclosure of sensitive personal information (an opt-out model, whereas most other states require opt-in consent before processing sensitive data), and mandatory recognition of the Global Privacy Control opt-out signal
  • 19+ states have comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, Maryland, Rhode Island, and more)
  • State laws vary significantly in: private right of action (most states: no; California: yes for breaches), applicability thresholds (revenue, data volume), opt-in vs. opt-out for sensitive data, and recognition of universal opt-out signals
  • Illinois BIPA (Biometric Information Privacy Act) has generated the most privacy litigation in the country with its private right of action for biometric data violations
  • State data breach notification laws exist in all 50 states

Pending Legislation

  • HR 6291 — Children and Teens' Online Privacy Protection Act: expands COPPA to teens, bans targeted ads to minors. Status: In Committee.
  • HR 6734 — Auto Data Privacy and Autonomy Act: gives vehicle owners consent control over car data. Status: Introduced.
  • S 3097 — Health Information Privacy Reform Act: federal HIPAA-like regime for non-HIPAA companies. Status: Introduced.
  • S 3494 — Auto Data Privacy and Autonomy Act: give vehicle owners control of car data, ban most manufacturer sales without consent, require free real-time access and an open API. Status: Introduced.
  • HR 7816 — Protect Liberty and End Warrantless Surveillance Act of 2026: limit warrantless searches of U.S. persons, curb paid data buys from brokers, add FISA court transparency. Status: Introduced.
  • HR 7738 / S 3918 — Government Surveillance Transparency Act of 2026: public searchable dockets for criminal surveillance orders with capped secrecy and limited grants for implementation. Status: Introduced.

No major comprehensive federal privacy legislation has passed. The American Privacy Rights Act (APRA) cleared a House Energy and Commerce subcommittee in May 2024, but the full committee markup was cancelled and the bill did not advance.

Recent Developments

  • The state privacy law wave continues to accelerate — several new states enacted comprehensive privacy laws in 2025-2026
  • AI regulation intersects heavily with privacy — AI training on personal data, automated decision-making, and AI-generated profiles raise new privacy questions
  • The FTC finalized amendments to the COPPA Rule in January 2025 (effective June 2025), including a separate verifiable parental consent requirement before children's data is disclosed to third parties for targeted advertising; the broader commercial surveillance rulemaking it opened in 2022, which could have created de facto comprehensive federal privacy requirements, has not produced a rule
  • The EU-U.S. Data Privacy Framework (2023) replaced Privacy Shield for transatlantic data transfers, though its long-term stability remains uncertain
