- US Data Privacy Laws: What Are They?
- Why Are Data Privacy Laws Important?
- US Data Privacy Laws by State
- California Consumer Privacy Act (CCPA and CPRA)
- Virginia Consumer Data Protection Act (CDPA)
- Colorado Privacy Act (ColoPA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut (CTDPA)
Here at Cloudwards, we often decry privacy laws in the U.S. as subpar and, at times, actively harmful. However, it’s not all bad. The U.S. — and certain states in particular — have several laws and regulations that serve its citizens well. This article will go over U.S. data protection laws that try to protect the data of American citizens and users of U.S.-based services.
- Data privacy laws regulate how a person’s private data is collected, handled, used, processed and shared.
- Federal laws in the United States do little to protect their citizens from the misuse of their data, except in specific situations.
- California was the first to pass a state data privacy law, modeled after the European GDPR.
- Utah, Colorado and Virginia also have laws that protect against the misuse of a person’s personal information.
Although the U.S. protects its citizens’ data from being misused by companies and corporations to some degree, it also has some of the most intrusive surveillance laws in the world. If you’re interested in learning about them, read our articles on the Patriot Act and the Freedom Act. Our internet censorship article also touches on these topics.
Regardless of U.S. government surveillance, many companies take advantage of the hands-off approach the U.S. takes to the internet.
Thankfully, while there is no U.S. federal law governing data protection on the internet, states have started to get wise to this and have implemented laws of their own, regulating the handling of internet data. Read on to find out what those are and what the future holds for your online data.
In June 2022, the U.S. House of Representatives Committee on Energy and Commerce voted 53-2 in favor of the American Data and Privacy Protection Act (ADPPA), which would provide federal protection of personal data. ADPPA still needs to pass the House and Senate, and get White House support. We will update this article with more information as the act moves through the U.S. legal process.
02/03/2023 Facts checked
Added a map graphic to show the stages of U.S. privacy laws by state.
Added information about Connecticut’s data privacy law.
Although the United States Constitution does not recognize a right to privacy, the Supreme Court has held that U.S. citizens have an implicit right to privacy stemming from the effects of certain amendments to the Constitution.
There are four cases that constitute an invasion of privacy: unreasonably intruding into another’s personal space, appropriating their name or likeness, publicly revealing intimate details about a person, or presenting a person in a false light to the public.
The three rights include the right to request records, subject to Privacy Act exemptions; the right to request a change to records that are not accurate, relevant, timely or complete; and the right to be protected against unwarranted invasion of privacy resulting from the collection, maintenance, use and disclosure of personal information.
US Data Privacy Laws: What Are They?
Data privacy laws govern how companies and the government handle the data of their users and citizens, respectively. These laws serve to protect the personal data of people from being mishandled or used in malicious or predatory ways.
In some cases, data protection laws may dictate that a company needs to ask for explicit permission from its users to handle their data in a certain way. In other cases, they might allow a user to access and view all data a company or government has on them, or even ask for the permanent deletion of that data.
These are only some of the ways data protection laws can keep your sensitive data safe and private. Different U.S. states have different data privacy laws, so how safe you are will depend on your location, but in some cases these laws have an extraterritorial reach.
US vs European Data Privacy Laws
This is the case with the EU’s General Data Protection Regulation (GDPR). If a company wants to operate in Europe or serve European citizens, it must comply with the strict code of the GDPR, which we hold today as the gold standard for data protection.
Switzerland goes beyond even that level of protection, codifying data privacy into its constitution.
Why Are Data Privacy Laws Important?
The main reason we need privacy laws is for protection. Many people don’t care about their personal data being out there for all to see until it’s too late. Alternatively, some people might think their information is safe, but data breaches or improper handling of data can have disastrous consequences.
Let’s look at a concrete example. HIPAA (the Health Insurance Portability and Accountability Act) is a privacy law that prevents doctors from sharing their patients’ medical data.
Examples of HIPAA violation include everything from snooping on records or denying patients access to their healthcare records, to failure to manage security risks or failure to use encryption.
If someone’s personal information is involved in a healthcare data breach, hopefully the HIPAA law helps protect those patients — otherwise data becomes exposed, including patients’ names, social security numbers, dates of birth, financial account numbers, lab or test results, insurance details, passwords and more.
You can see why data privacy laws are important to protect this personal information. If you need help imagining what could go wrong with that sensitive data exposed, we can point you toward our data privacy statistics article and identity theft statistics article.
US Data Privacy Laws by State
State data security laws are much more progressive compared to federal law. California and Virginia are leading the charge in data protection legislation, but other states are joining the fight against personal data abuse, too.
Like the GDPR, these laws have an extraterritorial reach, in that any company wanting to provide services to citizens of an American state needs to comply with its privacy laws. Here are the state laws currently protecting personal information.
California Consumer Privacy Act (CCPA and CPRA)
California arguably has the best privacy laws in the United States. The California Consumer Privacy Act (CCPA) was a major piece of legislation that passed in 2018, protecting the data privacy of Californians and placing strict data security requirements on companies.
The CCPA draws many comparisons to the European GDPR, which is high praise considering the excellent data protection the EU affords its citizens.
Among these parallels is the right of citizens to access all data a company has on them, as well as the right to be forgotten — or in other words, have your personal data deleted. However, probably the most important similarity between the CCPA and the GDPR is how broadly they both interpret the term “personal data.”
Under the CCPA definition, personal data is any “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This is a landmark definition that prevents data brokers and advertisers from collecting your personal data and profiling you, or at least makes it very difficult for them to do so.
The California Privacy Rights Act (CPRA) is another Californian act that amends the CCPA to expand its scope. Most importantly, it created the California Privacy Protection Agency, in charge of implementing the laws and making sure they’re followed.
Virginia Consumer Data Protection Act (CDPA)
Virginia’s Consumer Data Protection Act (CDPA) bears many similarities to the CCPA and GDPR, and is based on the same principles of personal data protection. Covered entities have the same responsibilities as under CCPA, including giving users the right to access, view, download and delete personal information from a company’s database.
Covered entities include ones that process the data of at least 100,000 people annually, or ones that process the data of at least 25,000 people annually but get at least 50% of their income from selling that data (like data brokers).
Virginia’s CDPA differs from the CCPA in the scope of what constitutes the sale of personal information, using a narrower definition. CCPA and GDPR define it as the exchange of personal information, either for money or for other reasons, whereas CDPA narrows down those other reasons to just a few specific cases.
Also notable is the lack of a dedicated regulatory authority like the one formed in California under CPRA. The current regulator is Virginia’s attorney general, which means the law might be more difficult to enforce than it is in California.
Moreover, Virginia’s CDPA does not include a private right of action, meaning that Virginia residents cannot sue companies for CDPA violations.
Colorado Privacy Act (ColoPA)
The Colorado Privacy Act (ColoPA) follows in the footsteps of its predecessors and adheres to the same principles of personal information protection. There’s really no notable difference between it and California’s regulations, although it goes a bit further in some of its protections.
For example, CCPA allows a consumer to request access to all their personal data (using the definition of personal data under CCPA), while ColoPA gives a consumer access to information of any kind that a company has on them.
It also adds a sensitive data requirement to consent requests. This means that a data processor must request special permission to process data that could classify a person into a protected category (such as race, gender, religion and medical diagnoses). At the time of writing, ColoPA is enforced by Colorado’s attorney general.
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) is the latest state data security law to be passed in the U.S. Like all the previous laws, it uses the example set by the GDPR, so we’ll only point out what sets it apart.
One notable point of difference is that its definition of personal data only applies to consumer data. This excludes data that an employer has about its employees, or that a business gets from another business.
There is also no requirement for data protection assessments. Colorado’s law demands a recurring security audit for all data processors to ensure they’re implementing reasonable data security measures, but Utah imposes no such requirement. There’s also a $25 million annual revenue threshold for data processors — entities earning less than that do not need to comply.
The Connecticut Data Privacy Act (CTDPA) was signed into law in May 2022, and will take effect in July 2023. It applies to companies that process data from 100,000 or more people per year, or who get more than 25% of their revenue from consumer data while processing that of at least 25,000 people. Laws also apply to third parties who process data on behalf of those companies.
Protections in the CDPA include the rights to access personal information held by data controllers and processors, to store it in easily transferable format, to request corrections and to have data deleted. Citizens can opt out of having their data used for targeted advertising or sold for profit.
Importantly, the CDPA comes with a universal opt-out mechanism, though controllers and processors are only required to recognize it beginning in 2025.
Connecticut joins Virginia, Colorado, California and Utah as the fifth state to pass a strong personal privacy law modeled on GDPR. Privacy advocates hope that a domino effect will boost legislation currently being considered in Pennsylvania, Ohio and Michigan, plus another 14 states where bills are in the preliminary stages.
Federal Data Privacy Laws
There aren’t many data privacy laws enacted at a federal level, and the ones that are in place are pretty specific as to what kind of data they cover and the groups they protect. We’ll outline the most significant ones below, but know that there are dozens of minor case-specific laws and regulations for data privacy.
Privacy Act of 1974
The Privacy Act of 1974 is a major data privacy law that applies to how the federal government and its agencies handle the data of U.S. citizens. The Privacy Act allows citizens to access and view the government records containing their data, as well as request a change in the records in case of inaccuracies.
The law also protects against invasions of privacy stemming from the handling of a person’s personal information. It also prevents the information in the federal system of records from being released or shared without written consent of the person (with a few exceptions).
Federal Trade Commission Act (FTC Act)
The Federal Trade Commission was mainly created to deal with issues arising from businesses employing shady financial practices. However, the FTC also functions as the government’s watchdog for data privacy, at least where businesses are concerned.
Under Section 5 of the FTC Act, which brought the FTC into existence, the FTC prevents companies and financial institutions from engaging in “unfair or deceptive acts or practices” toward their customers.
This section prevents companies from misrepresenting how they handle your data. For example, Facebook made several false claims in the years leading up to a 2012 FTC lawsuit, including misleading users about the visibility of posts and information they marked as “private” or “friends only,” as well as sharing data with third-party apps.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is another regulation enforced by the FTC. The GLBA states that all financial institutions must fully disclose how they handle and share the data of customers. The list of institutions covered includes likely suspects like banks and insurance companies, but also financial advisors or any institutions that give out loans.
The GLBA also includes a clause about data protection called the Safeguards Rule, which states that institutions covered must also provide an adequate level of protection for your data.
Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act is a law regulating how consumer data is handled, focusing on consumer credit information. It ensures that consumer reports (or credit reports) are always accurate, and prevents consumer reporting agencies from purposefully and maliciously altering information in those reports.
The data in these reports is collected by consumer reporting agencies, such as credit bureaus, medical information companies and tenant screening services.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is one of the most significant pieces of data privacy legislation in the U.S. This is a far-reaching law that prevents your protected health information (PHI) from being shared by a medical institution without your consent. The FTC also mandates data breach notifications, so if a medical provider has suffered a data breach, it must immediately notify all of its patients.
It prevents breaches of patient-doctor confidence and prevents a medical institution from sharing patient data with collaborators (you need to sign permission for that, as well). HIPAA also covers any institution or individual providing medical services, including psychologists and chiropractors.
The regulations of HIPAA are extremely strict, and even something as innocuous as your doctor telling your mom you have a cold, or a nurse going through your medical history without permission constitutes a breach.
Even mobile health apps and cloud storage services need to comply with HIPAA if they store any identifiable data (like your date of birth).
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) protects the data in a student’s educational record and governs how it can be released, made public, accessed or amended. It allows parents of underage students to access the educational records of their children and request that they be altered if necessary.
The law also limits what information is publicly available, and it allows students and parents of underage students to withhold certain information that might be damaging to the future of a student.
FERPA has some overlap with HIPAA and is the cause for the so-called FERPA exception. In cases where an educational institution holds what could be considered medical data (like information on a counseling session, or on-campus medical treatments), FERPA takes precedence over HIPAA, and its rules are followed concerning how that data is handled.
Children’s Online Privacy Protection Act (COPPA)
COPPA seeks to protect children under 13 from online predation, and imposes strict rules on how the data of these children is handled.
This includes implementing verifiable parental consent (children cannot consent to the handling of their data), limiting marketing to children, providing a clear overview of what data gets collected, and deleting any information that is no longer necessary.
Of course, there’s more to it than that, and if you’re interested in learning all the details, the FTC has a clear COPPA compliance guide on its website.
However, because COPPA requirements are very strict, most social media companies simply claim to not provide service to children under 13 to avoid having to comply. Unfortunately, this doesn’t prevent those children from simply creating an account on their own and sharing potentially dangerous personal information online, and the company can just shift the blame to the parents.
Owing to the lack of adequate protection, parents should take active measures to protect their children. Restricting access to social media sites via a filtering program is the easiest way to prevent children from accessing dangerous websites, and some ISPs provide such tools, as well.
Online Privacy Protection Software
The best way to keep your online activity private is to use a VPN whenever you’re online (read our online privacy guide to learn more). A VPN will encrypt your traffic, making it impossible for anyone to know what websites you’re visiting. You can check out our list of the best VPNs to find one that suits your needs.
However, not even a VPN can prevent a website from gathering information about you if you’ve given it any personal details. For example, using a VPN can’t stop Facebook from seeing what you’ve liked on its website and connecting that to your email. This data could then get passed on to data brokers and advertisers.
Unfortunately, you can’t know for sure which data brokers have your data. Plus, the only thing you can do to get your data removed from a data broker’s archive is to ask them to do so and hope they follow up.
Thankfully, Surfshark Incogni — the best data privacy management tool — is a solution to this situation. The service that acts on your behalf, contacting data brokers to get them to erase your data.
It does the laborious task of going through each broker in its database and following up multiple times to pressure them into actually deleting your information. You can read our review of Incogni if you want to know more.
Data privacy laws are key for keeping your information safe. Federal data privacy laws in the U.S. are lacking in comparison to the data protection efforts of the European Union, but individual states are increasingly stepping up to meet the privacy needs of their citizens.
Was this guide to digital privacy laws in the U.S. useful to you? Are you surprised by the lack of protection on a federal level? Let us know in the comments below. As always, thank you for reading.