Feb 2025

United States

Law Over Borders Comparative Guide:

Data Protection

Introduction

The United States, unlike other jurisdictions, does not have a single comprehensive law that grants consumers privacy rights or otherwise regulates the treatment of personal information. Rather, federal and state laws provide a patchwork of regulation to safeguard the privacy of consumers’ personal information (note that Americans generally refer to “privacy” rather than “data protection” in their legal regimes, and we use that term in this chapter). In the absence of a comprehensive federal privacy law, two broad regimes govern consumer privacy in the U.S.: section 5 of the Federal Trade Commission Act of 1914 ("FTC Act") and an ever-increasing number of state consumer privacy laws. These regimes are supplemented by sector-specific privacy laws. 

The Federal Trade Commission (FTC) has used its broad authority under section 5 of the FTC Act to regulate “unfair” and “deceptive” trade practices in the context of privacy and data security. FTC enforcement actions in the privacy and security space are highly influential and comprise what is often referred to as a sort of “common law” of privacy and data security principles in the U.S. 

In recent years, the states have moved to fill the gap left by the absence of a comprehensive federal privacy law. California was the first state to enact a sweeping consumer privacy law, the California Consumer Privacy Act (CCPA), in 2018, shortly after the General Data Protection Regulation (GDPR) took effect. Like the GDPR, the CCPA grants consumers broad rights in their personal information and imposes a host of obligations on companies with respect to their handling of personal information. Since that time, the CCPA has been amended to add additional protections and, at the time of drafting this chapter, 18 other states have enacted similar comprehensive consumer privacy laws. While many of these laws are not as broad as the GDPR (in terms of the data they protect or entities they regulate), they have become the primary drivers of privacy obligations in the U.S. 

In addition to these comprehensive consumer privacy laws, the U.S. has enacted numerous federal and state laws that apply to specific types of data (e.g., financial data, health data, biometric data, student data), specific types of data subjects (e.g., children), and specific processing activities (e.g., email marketing, text messaging, telemarketing). We discuss some of these sectoral laws in more detail below.

1. What national laws regulate the collection, use and disclosure of personal data?

At the federal level, privacy is governed by individual sectoral and specialized laws. For example, individual federal privacy laws provide protections based on industry (e.g., healthcare, finance, education), type of individual (e.g., children), or type of information (e.g., health data, financial data, student data). A brief summary of some of these laws follows. Note that many of these also require specified agencies to issue regulations that also apply. Except where particularly relevant with respect to a particular topic, this chapter does not otherwise discuss similar specialized state laws and instead is dedicated to broader consumer privacy principles, laws, and regulations. 

  • The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., protects the personal information of children under 13 when collected online. 
  • The Health Insurance Portability and Accountability Act (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996), regulates “protected health information” (PHI) processed by “covered entities” (e.g., doctors, insurance companies, and others in the medical field) as well as their “business associates” (those who process PHI on behalf of covered entities). 
  • Financial privacy is mainly governed by two distinct federal laws: the Gramm-Leach-Bliley Act (GLBA), Pub. L. No. 106-102, 113 Stat. 1338, which regulates the processing of “nonpublic personal information” by financial institutions, and the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., which governs the accuracy, privacy, and use of consumer information, including for purposes of determining consumers’ eligibility for credit, employment, and housing.
  • The privacy of student educational records is governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, which applies to all schools that receive funds under an applicable program of the U.S. Department of Education. 
  • The Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, provides certain protections for video viewing information. Originally adopted to protect the privacy of video rental histories, the law has been invoked in recent years with respect to online video platforms. 
  • The Electronic Communications Privacy Act (ECPA), Pub. L. No. 99-508, 100 Stat. 1848, and similar state wiretapping laws generally restrict interception, monitoring, and disclosure of information about consumers’ electronic, wire, or oral communications. 

Outside of these and other sectoral laws, privacy in the U.S. is governed at the federal level largely by section 5 of the FTC Act, which generally prohibits “unfair” and “deceptive” trade practices. For example, the FTC has brought numerous enforcement actions against companies for, among other things, failing to meet the commitments they make to consumers with respect to how they collect and process personal information, failing to adequately protect the personal information they collect, and engaging in what the FTC considers to be highly unexpected and potentially harmful data use and disclosure practices.

The states have moved to fill the gaps left by the absence of a comprehensive federal privacy law. All 50 states now impose obligations to report data breaches, discussed further below. In addition, at the time of writing in 2024, 19 states have adopted omnibus consumer privacy laws modelled roughly on the GDPR. This chapter refers to these laws as “state omnibus consumer privacy laws.” More recently, states have adopted laws imposing additional obligations: 1) laws providing additional protections for health-related data (typically termed “consumer health data”), see, e.g., Washington My Health My Data Act, WASH. REV. CODE §§ 19.373.005-19.373.900 (2024); 2) laws governing the personal information of individuals known to be under 18 or collected from services that are appealing to children and teenagers, see, e.g., Maryland Age-Appropriate Design Code Act, H.B. 603, 2023 Reg. Sess. (May 9, 2024); and 3) laws imposing additional obligations on “data brokers,” see, e.g., Texas Data Broker Act, Tex. Bus. & Com. Code, Chapter 509.

Finally, many states have adopted specialized and unique privacy laws imposing data security obligations as well as obligations to post privacy notices. Other states have adopted laws governing the collection of personal information at the point of sale in retail locations, as well as laws governing certain types of personal information, such as biometric data, genetic data, Social Security numbers, and driver’s license information, among others. 

2. To whom do the laws apply?

The FTC Act governs commercial actors, specifically those engaged in “commerce.” Section 5 does not generally regulate nonprofit organizations, political organizations, or companies in certain regulated sectors. The sectoral and specialized privacy laws discussed above target actors within the specific sectors or data types described above. 

The state omnibus consumer privacy laws impose obligations on “controllers” and “processors” (note that in California only, controllers are referred to as “businesses” and processors as “service providers”). Each term is defined similarly to the GDPR: controllers are those that determine the purposes and means of processing, and processors are those that act on behalf of controllers and pursuant to their instructions. However, unlike under the GDPR, these concepts are more narrowly scoped. For instance, the majority of these laws govern only commercial actors and do not apply to nonprofits, political parties, or governments. In addition, to qualify as a controller, companies typically must meet certain thresholds with respect to revenues or numbers of consumers whose personal data they process. 

The state omnibus consumer privacy laws largely protect “consumers,” defined as those who are natural persons and residents of their states acting in a personal or household context. All the omnibus consumer privacy laws enacted to date, other than the CCPA, carve out individuals acting in a commercial context (such as in a business-to-business capacity) or in an employment context.

3. What is the territorial scope of the law?

Federal privacy laws generally protect U.S. citizens wherever they reside. COPPA applies to foreign-based websites and online services if they are directed to children in the U.S. or if they knowingly collect personal information from children in the U.S. as well as U.S.-based sites and services that collect information from foreign children. 

The state laws each protect residents of their states, even when they are in other states. 

4. What acts and operations relating to personal data are regulated?

The FTC employs section 5 against companies engaged in all manner of processing, including collecting, using, and disclosing personal information. The sectoral and specialized laws similarly typically impose obligations on companies’ collection, use, and disclosure of personal information.

The state omnibus consumer privacy laws work similarly to the GDPR, largely governing any processing of personal information. “Processing” is generally defined very broadly to include collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data. These laws typically provide additional protections for the sale of personal data as well as for processing for targeted advertising purposes, as detailed further below.

5. What personal data does the law regulate?

U.S. privacy laws use a variety of terms for, and scopes of, covered data. Some sectoral laws are limited to identifying information within the relevant construct, such as health data or financial data. The FTC has long used its section 5 authority to protect a broader swath of information, such as device identifiers and browsing information, but it has not adopted a single comprehensive definition used in all contexts.

The state omnibus consumer privacy laws generally define “personal information” or “personal data” as any information that is “linked or reasonably linkable to an identified or identifiable individual.” See, e.g., Cal. Civ. Code § 1798.140(v)(1); Va. Code Ann. § 59.1-575; Conn. Gen. Stat. Ann. § 42-515(18). In a marked contrast from the GDPR, these laws carve out publicly available information, typically defined as information that is lawfully made available in government records in addition to information that the controller has a reasonable basis to believe the consumer has lawfully made available to the general public. See, e.g., Cal. Civ. Code § 1798.140(v)(2); Va. Code Ann. § 59.1-575; Conn. Gen. Stat. Ann. § 42-515(25).

The state omnibus consumer privacy laws also protect pseudonymous data, such as cookie and device identifiers, generally defining such data as personal data that can no longer be attributed to a specific individual without the use of additional information. However, consumer privacy rights, such as the right to request access or deletion, generally do not apply to pseudonymous data so long as the additional information needed to identify the consumer is kept separate and is subject to technical and organizational measures to ensure that personal data is not attributed to a specific individual. See, e.g., Colo. Rev. Stat. Ann. § 6-1-1307(3).

The state omnibus consumer privacy laws carve out “de-identified data” from their scope entirely, defining that concept as data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller: (1) takes reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly commits to maintaining and using the data only in a de-identified manner and not attempting to re-identify the data; and (3) contractually obligates any recipients of the data to comply with the same requirements. See, e.g., Or. Rev. Stat. Ann. This scope is similar to how the FTC considers what data is and is not entitled to privacy protections. See “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (March 2012) (see www.ftc.gov/os/2012/03/120326privacyreport.pdf).

6. Are any types of personal data subject to a higher level of protection under the law?

The FTC has long seen certain data types as entitled to additional protections, and some sectoral privacy laws reflect the same. For instance, personal data collected from children under 13, data that could reasonably reflect a consumer’s health condition or treatment, and precise location information all get specific protections under federal law. 

The state omnibus consumer privacy laws each recognize certain data as “sensitive” and provide heightened protections for such data. Collectively, most state laws consider the following — whether known or inferred about a user — to be “sensitive,” while some states add additional elements:

  • race or ethnicity;
  • sexual orientation or sex life;
  • mental or physical health or diagnosis (including, in some states, pregnancy);
  • genetic or biometric data for the purpose of uniquely identifying an individual;
  • religion/belief system;
  • citizenship or immigration status;
  • national origin;
  • precise location information;
  • personal information from a known child (generally defined as an individual under 13, but some states provide certain protections for children up to 18); and
  • biometric data used to try to identify an individual.

In addition to the omnibus consumer privacy laws, several states have enacted laws to provide specific notice, consent, and retention obligations for biometric data. These laws typically define biometric data to include retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry and other unique biological patterns or characteristics used or intended to be used to identify a specific individual. See, e.g., Illinois Biometric Information Privacy Act, 740 ILL. COMP. STAT. ANN. 14/1 (West 2008).

7. What requirements must be fulfilled in order to process personal data?

In the U.S., unlike in many other countries, companies are not required to establish a legal basis to process personal data under either federal or state law. Thus, controllers are typically not required to demonstrate, for instance, the necessity of processing to perform a specific task in order to process nonsensitive information. However, the majority of the state omnibus consumer privacy laws require consent to collect or disclose sensitive information. When consent is required, it generally must be freely given, specific, informed, and not obtained through “dark patterns.”

Most state omnibus consumer privacy laws carve out certain processing activities from their obligations, either in whole or in part, such as processing to:

  • Comply with applicable laws, rules, or regulations or inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.
  • Investigate, exercise, prepare for, or defend actual or anticipated legal claims.
  • Conduct internal research to improve, repair, or develop products, services, or technology.
  • Identify and repair technical errors.
  • Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller.
  • Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract.
  • Protect the vital interests of the consumer or of another individual.
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
  • Process personal data for reasons of public interest in the area of public health.

8. What obligations apply when processing personal data?

The FTC has interpreted section 5 of the FTC Act to effectively require clear and conspicuous notice about a company’s information collection, use, and disclosure practices. The state omnibus consumer privacy laws, as well as a few additional state laws, impose specific obligations related to the contents of privacy policies and other privacy disclosures. 

The state omnibus consumer privacy laws generally require controllers not to collect more information than necessary to fulfil a purpose disclosed to consumers, and some require controllers not to disclose more information than necessary to provide a good or service specifically requested by a consumer. Some state laws also require that data not be retained longer than necessary to fulfil such purposes. The state laws also require clear and conspicuous disclosures of “sales” of personal information to third parties, as detailed further below. Processors generally must process only on behalf of, and at the direction of, the controllers for which they act.

The state omnibus consumer privacy laws also introduce data security requirements. In general, controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue. In addition, all 50 states and the District of Columbia have enacted laws that require private entities (and, in some cases, state agencies) to notify individuals in the event of a data breach that involves particular data points with the potential to be used for fraud, such as Social Security numbers, driver’s license or state identification card numbers, and account, credit card, or debit card numbers in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

9. What rights does the data subject have in relation to personal data?

Federal laws in the U.S. do not provide individuals with comprehensive rights with respect to the collection, use, or disclosure of their data. Rather, all such rights in the U.S. are presently provided only by the state omnibus consumer privacy laws. While the rights afforded by these state laws differ somewhat, there are some similarities to those provided under the GDPR, specifically:

  • Transparency. The state privacy laws provide consumers with the right to know about a company’s data collection practices, including the types of personal information the company collects about consumers, the sources of this information, and how such information is used and disclosed. Some of this information must be provided through notices, such as in privacy policies and just-in-time privacy disclosures, whereas other disclosures must be made in response to privacy rights requests from consumers.
  • Access and portability. Consumers have a right to request access to the personal information a company collects about them, sometimes in a portable format.
  • Deletion. Consumers have the right to request deletion of their personal information, subject to certain exemptions.
  • Correction. Consumers have the right to request that a company correct inaccurate personal information.
  • Opt out of sales. Consumers have the right to opt out of “sales” of their personal information, with “sale” defined broadly, often to cover every disclosure not directed by a consumer made to an entity not acting as a processor.
  • Opt out of targeted advertising. The state laws include the right for consumers to opt out of the use of their personal information for targeted advertising, defined generally as displaying advertisements based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.
  • The right to nondiscrimination. The state laws prohibit companies from discriminating against consumers who have exercised any of the rights described above, though they are permitted to offer certain incentives in return for personal data.

10. What rules regulate the sending of commercial or direct marketing communications?

Sending commercial or direct marketing communications is primarily regulated through federal law: email through the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 15 U.S.C. §§ 7701-7713 (2003), and text messages and phone calls through the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227 (1991), and the Telemarketing Sales Rule, 16 C.F.R. § 310 (2016).

CAN-SPAM generally sets forth an opt-out regime for commercial emails, requiring companies to accurately label their commercial emails and provide an opt-out mechanism. The sender must honor opt-out requests within 10 business days. The TCPA sets forth an opt-in regime for companies that call or send text messages to cellular numbers using automatic telephone dialling systems (ATDS) that have the capacity to store or produce a telephone number using a random or sequential number generator or artificial or pre-recorded voice messages. Messages that include an advertisement or marketing material must pass a higher consent bar than messages or calls that are transactional in nature. The Telemarketing Sales Rule generally requires companies to honor opt-out requests and maintain a list of such requests (referred to as an “internal Do Not Call list”) and to avoid making calls at certain times. See 16 C.F.R. § 310.

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

U.S. privacy laws generally do not restrict transfers of personal information outside of either state or federal borders. 

12. What are the investigatory and enforcement powers of the regulator?

The FTC has broad authority to initiate investigations and bring complaints against companies. Typically, these enforcement actions are resolved via public settlement agreements with no court involvement.

State omnibus consumer privacy laws are typically enforced by the attorney general of the relevant state with authorities similar to the FTC. California recently stood up a new agency devoted exclusively to privacy matters that also has enforcement authority. These state regulators generally lack audit or similar authority, but have broad investigatory authority, such as to demand information.

13. What are the sanctions and remedies for non-compliance with data protection laws?

Sanctions and remedies vary widely under different laws and jurisdictions. The FTC generally lacks fining authority under section 5 of the FTC Act but can seek injunctive relief and disgorgement of profits. Typically, the FTC resolves complaints brought under section 5 via settlement decree between the FTC and the company, whereby the company promises it will not repeat the offending behavior, agrees to implement specific privacy controls, and submits to 20 years of FTC oversight and monitoring. Nevertheless, the FTC increasingly extracts monetary relief from companies as part of its settlements. Unlike section 5, COPPA and CAN-SPAM are backed by steep civil penalties of more than USD 50,000 per violation. The TCPA provides a private right of action for injunctive relief and provides for statutory damages of USD 500–1,500 per call or text sent without prior express consent.

The omnibus consumer privacy laws provide for statutory fines ranging from USD 2,500 to USD 25,000 per violation. The CCPA uniquely provides for a limited private right of action for uncured breaches of unencrypted data that are reportable under California’s breach notification law, under which individuals may each seek to recover the greater of actual damages or statutory damages up to USD 750 per violation. Washington’s consumer health data act, known as My Health My Data Act or MHMD, notably is backed by a private right of action in which plaintiffs may recover actual damages (which may be trebled up to USD 25,000) as well as costs and reasonable attorneys’ fees.
