
US Data Privacy Laws: A Comprehensive Guide

Data is the most crucial asset for modern-age companies to drive business growth. And the U.S. has been, for quite a while, at the forefront of big-tech businesses and the ever-dynamic digital landscape. 

But like anything valuable, data is also vulnerable. U.S. data privacy laws are the response to businesses failing to limit and secure data in ways that cause no harm to the individuals it describes. 

The U.S. has a history of successive frameworks and ever-evolving laws that regulate how businesses may lawfully use an individual’s data. 

Though more than 90% of small and medium businesses still have not achieved privacy compliance, a lot is changing with enforced regulations such as the CPRA and the CPA. 

So, this guide will be an in-depth review of data privacy, its history, the current regulatory landscape, and its future implications on modern-age businesses. 
 

History of US Data Privacy Laws 

Privacy laws are usually categorized as having either a vertical focus or a horizontal focus. 

Privacy laws with a vertical focus govern a specific category of information, such as an individual’s medical or financial information, because it is especially susceptible to breach. This includes medical health records, financial statements, and account numbers. 

Privacy laws with a horizontal focus govern how an organization processes an individual’s personal information, regardless of its context. These privacy laws cover information such as fingerprints, facial and voice recognition, biometric data, retina scans, and other personally identifiable information such as names and addresses. 

Timeline of US Data Privacy Laws

  • 1974: U.S. Privacy Act of 1974. Rights and restrictions on data held by federal agencies. 
  • 1996: Health Insurance Portability and Accountability Act (HIPAA). Healthcare and health insurance personal data protection. 
  • 1999: Gramm-Leach-Bliley Act (GLBA). Regulates financial institutions collecting sensitive consumer data. 
  • 2000: Children’s Online Privacy Protection Act (COPPA). Protects the personal information of those aged 13 and younger. 

U.S. Privacy Act 1974 

Enacted in 1974 and enforced from September 1975, the U.S. Privacy Act is the first data privacy regulation formed to govern the U.S. federal government. 

It was primarily enforced to establish a code of “fair information practices” among federal agencies, particularly those involved in national security and those that deal directly with consumers. 

The act: “balances the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies’ collection, maintenance, use, and disclosure of personal information about them.” 

  • Right to access and modify personal data: The first U.S. privacy act gives American citizens the right to access the data collected and processed by federal agencies and to correct their personal information if it is found to be inaccurate. 
  • Right to access for privileged individuals: Depending on an individual’s role in the organization, the act allows only certain people to access a person’s information. 
  • Right to inquire about personal data: Under the act, individuals have the right to know what federal agencies may do with their data and how. 
     

HIPAA 

HIPAA, the Health Insurance Portability and Accountability Act, regulates hospitals, insurance companies, and healthcare providers, requiring them to protect and secure patients’ sensitive personal information, known as Protected Health Information (PHI). 

The U.S. Department of Health and Human Services (HHS) regulates this health privacy law, while its Office for Civil Rights (OCR) enforces the regulatory provisions. 

Entities subject to HIPAA: 

  • May use an individual’s personal information only for specific purposes such as payment and medical treatment. Healthcare providers need patients’ explicit consent before that personal data is used for marketing, advertising, or promotional activities. 
  • Must provide patients with a privacy notice declaring how the entity collects and processes personal data and for what purposes it will be used. Patients can limit or restrict how healthcare providers disclose their personal data. 
  • Must let patients access and correct their medical information if the records are inaccurate. 


COPPA

The Children’s Online Privacy Protection Act, colloquially known as COPPA, is a privacy standard regulating websites, apps, and other online platforms that collect or exchange personal data pertaining to children under 13. 

Essential requirements in COPPA: 

  • Post a precise and straightforward privacy statement outlining what data the service provider will gather on children, how it will use it, and whether it will disclose it to third-party organizations. 
  • Obtain a parent’s or guardian’s explicit consent before collecting, using, or disclosing a child’s personal information. 
  • Give parents and guardians the right to examine and erase their child’s personal information; this is mandatory under COPPA. 
     

GLBA 

The Gramm-Leach-Bliley Act, enacted by the U.S. government in 1999, requires financial institutions, including fin-tech businesses and startups that provide financial products and services to their clients, to declare their data collection, processing, and sharing practices to clients upfront and to safeguard clients’ sensitive data. 

Essential requirements in GLBA: 

  • Enable consumers to opt out of sensitive data sharing and explain your organization’s data-sharing practices in depth. 
  • Follow mandatory regulatory guidelines for how financial organizations gather, process, and safeguard users’ data. These apply to all data types collected from consumers, including online information. 
  • Create and implement a defined information security program to prevent unauthorized access to client information. 
     

Current State of Privacy Laws in the U.S. and its Implications

To date, the U.S. has enacted comprehensive privacy laws only at the state level, while it continues to plan and work toward a federal law as well. 

So, let’s start with the laws already in force in certain states, those that have passed but are not yet effective, and a brief look at the federal privacy law in the making. 
 

CCPA & CPRA: California Consumer Privacy Act  

California became the first U.S. state to enact a comprehensive privacy law, the CCPA, which took effect on January 1, 2020. The CPRA amends the CCPA, expanding the scope of the privacy law state-wide and establishing the California Privacy Protection Agency (CPPA) to drive business compliance. 

It applies to for-profit businesses that are based in California or that collect, process, and share or sell the personal data of California residents. 

This law also gives Californians greater control over their data. Californians have the right to request their data from businesses and can access, modify, or delete their personal information as needed. 

A business found in violation of the privacy law can be fined anywhere from $2,500 up to $7,500 per violation in highly sensitive cases. 

Businesses, especially small and medium enterprises, must take precautions and bring their company into compliance with privacy laws, as doing so mitigates the risk of fines and penalties, safeguards the business’s reputation, and builds long-term consumer trust. 

US Data Privacy Laws

Each state’s law shares the common goal of protecting consumers’ personal data. However, these laws differ in scope, applicability, consumer rights, and business obligations. Let’s explore their highlights and see how they stack up.

Key Components of State Data Privacy Laws

While each law is unique, there are common elements:

  • Scope and Applicability: Defines which businesses the law applies to, often based on revenue, data volume, or the percentage of revenue derived from data sales.
  • Consumer Rights: Includes rights like accessing, correcting, deleting or opting out of data processing.
  • Sensitive Data Protection: Some laws require explicit consent for processing sensitive personal data.
  • Business Obligations: Includes requirements for privacy notices, security measures, and data protection assessments.
  • Enforcement: Typically handled by the state attorney general, with penalties for violations.

Comparison Table of State Privacy Laws

State | Effective Date | Applicability | Consumer Rights | Sensitive Data | Enforcement | Penalties
California Consumer Privacy Act (CCPA/CPRA) | January 1, 2020 / 2023 | $25M revenue, 50,000 consumers, or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | CA Attorney General | $2,500 per violation; $7,500 for intentional violations
Virginia Consumer Data Protection Act (VCDPA) | January 1, 2023 | 100,000 consumers or 25,000+ consumers with 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | VA Attorney General | Up to $7,500 per violation
Colorado Privacy Act (CPA) | July 1, 2023 | 100,000 consumers or 25,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | CO Attorney General | Up to $20,000 per violation, with a total maximum penalty of $500,000
Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | 100,000 consumers or 25,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | CT Attorney General | Up to $500,000 per violation
Utah Consumer Privacy Act (UCPA) | Dec 31, 2023 | $25M revenue and 100,000 consumers, or 25,000+ consumers with 50%+ revenue from data sales | Access, Delete, Opt-Out, Portability | Explicit consent required | UT Attorney General | Up to $7,500 per violation
Oregon Consumer Privacy Act (OCPA) | July 1, 2024 | 100,000 consumers or 25,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | OR Attorney General | Up to $7,500 per violation
Texas Data Privacy and Security Act (TDPSA) | July 1, 2024 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | Texas Attorney General | Up to $7,500 per violation
Montana Consumer Data Privacy Act (MTCDPA) | Oct 1, 2024 | 50,000 consumers or 25,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | MT Attorney General | Not specified
Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | DE Attorney General | Up to $10,000 per violation
Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 | 100,000 consumers or 25,000+ consumers with 50%+ revenue from data sales | Access, Delete, Portability, Opt-Out | Notice and opt-out required | Iowa Attorney General | Up to $7,500 per violation
Nebraska Data Privacy Act (NDPA) | January 1, 2025 | Annual gross revenue exceeding $10 million, or buying/selling/sharing personal information of 50,000 or more consumers, or 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | Nebraska Attorney General | Up to $7,500 per violation
New Hampshire Privacy Act | January 1, 2025 | 35,000 consumers or 10,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | New Hampshire Attorney General | Up to $10,000 per violation
New Jersey Data Privacy Act (NJDPA) | January 15, 2025 | 100,000 consumers or 25,000+ consumers with data sales revenue | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | NJ Attorney General | Up to $10,000 for the first violation and up to $20,000 for subsequent violations
Tennessee Information Protection Act (TIPA) | July 1, 2025 | $25M revenue and either 25,000 consumers (with 50%+ revenue from data sales) or 175,000 consumers | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | TN Attorney General | $7,500 per violation; treble damages for intentional violations
Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 | 100,000 consumers or 25,000+ consumers with 25%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | Minnesota Attorney General | Up to $7,500 per violation
Maryland Online Data Privacy Act (MODPA) | Oct 1, 2025 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | MD Attorney General | Up to $10,000 per violation, and up to $25,000 for repeated violations
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) | January 1, 2026 | 35,000 consumers or 10,000+ consumers with 20%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | Rhode Island Attorney General | $10,000 per violation, and between $100 and $500 for each intentional disclosure of personal data
Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | Kentucky Attorney General | Up to $7,500 per violation
Indiana Consumer Data Protection Act (INCDPA) | January 1, 2026 | 100,000 consumers or 25,000+ consumers with 50%+ revenue from data sales | Access, Delete, Correct, Opt-Out, Portability | Explicit consent required | IN Attorney General | Up to $7,500 per violation


U.S. Data Privacy Laws vs. E.U.’s GDPR 

The EU’s General Data Protection Regulation (GDPR) is the world’s most comprehensive data privacy regulation, colloquially known as the “mother of all privacy laws.” 

The GDPR came into effect in May 2018 in the wake of international data breach incidents that compromised the sensitive data of millions of consumers. 

With the strictest sets of standards, the E.U.’s GDPR and the U.S.’s CCPA both focus rigorously on how businesses handle users’ data and what data protection practices they implement in their operations. 

Both privacy laws are also fully committed to a consumer’s right to privacy: they require businesses to let consumers access, modify, or delete their personal data when the consumer requests it. 
 

Here are the key differences between the E.U.’s GDPR and the U.S.’s CCPA: 

Jurisdiction and Applicability 

GDPR: The GDPR operates not only within the European Union but applies to any business worldwide that collects, processes, or shares/sells the personal data of E.U. residents. The law sets no data-processing or revenue threshold. 

CCPA: The CCPA operates within the State of California and applies to businesses that collect, process, or share/sell the personal data of Californians. The law applies only to businesses that meet a data-processing or revenue threshold. 


Scope of Personal Information 

GDPR: The GDPR encompasses a broader definition of personal data that includes any information that directly or indirectly identifies an individual, such as names, email addresses, I.P. addresses, and even cookie data. 

CCPA: Under the CCPA, personal information is data that identifies, relates to, describes, or could reasonably be linked to a particular consumer or natural person. 


Consent and Opt-out Rights 

GDPR: Under the GDPR, businesses must get users’ explicit consent to process their data. Also, users have the right to withdraw consent and request the deletion of their data. 

CCPA: The CCPA provides consumers with the right to opt out of the sale of their personal information. However, it does not require explicit consent for data processing as the GDPR does. 


Rights and Enforcement 

GDPR: The GDPR grants individuals various rights, including the right to access their data, rectify inaccuracies, restrict processing, and data portability. Non-compliance can result in significant fines (up to 4% of global annual turnover) and regulatory actions. 

CCPA: The CCPA grants consumers rights such as the right to access their information, request deletion, and opt out of sales. While it does not impose penalties directly, it allows for a private right of action in case of data breaches. 


Business Obligations 

GDPR: The GDPR places a greater emphasis on accountability and requires businesses to implement measures such as privacy notices, data protection impact assessments (DPIAs), appointing a Data Protection Officer (DPO) in some instances, and maintaining records of processing activities. 

CCPA: The CCPA focuses more on transparency and requires businesses to provide clear privacy policies, inform consumers about data collection and sharing practices, and offer mechanisms to opt out of the sale of personal information. 
 

Which Law Will Apply to Your Business? 

There are three significant criteria you should consider as a business owner to make an informed decision regarding privacy law compliance: 

Location: If your business is in a state with an active data privacy law, compliance is a must for you regardless of the revenue or data processing threshold. Why? 

  • Becoming compliant will build your brand identity and give you a competitive edge when marketing your business. 
  • If you comply with privacy law, you will hold the user’s consent for the personal data you collect, and that data can then be used for advertising or personalization. 
  • Compliance will mitigate the risk of potential fines and penalties, as well as the reputational damage the business might suffer. 
     

Industry: Though data is the lifeline of every industry in the digital age, some businesses collect sensitive data, which makes them more exposed to data breaches and cyber-attacks. 

Also, focus on the industry-specific standards crucial for your business, as each vertical is treated differently. For example, healthcare businesses must comply with HIPAA, financial institutions need GLBA compliance, and so on. 

Size: If you deal in large volumes of data, make sure you vet the third parties you are dealing with. Also, if you have on-premises data storage, ensure that it is properly secured and that rigorous data security measures are implemented. 
 

Conclusion 

In an ever-changing digital world, data is critical for future brands. But businesses need to adopt “data privacy” as the new benchmark for enhancing the consumer experience. 

Businesses must treat privacy compliance as a competitive edge they can build their brand around. Because even if you don’t care about privacy, your customer certainly does.