Navigate the US Privacy Patchwork

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the “sectoral” and “patchwork” approaches to US privacy.
  • List key federal privacy laws and the industries they regulate.
  • Identify the main enforcers of US privacy laws.
  • Describe the growing state-level privacy movement and its business impact.

The US Privacy Landscape

Unlike the unified approach of the EU’s GDPR, the United States takes a sectoral and state-driven path. If you are hoping for one single, giant law that covers all privacy in the US, we have some news: it doesn’t exist yet. Think of it as a quilt made up of individual squares: each state and each industry stitches its own piece. The result is a patchwork of laws that vary depending on who holds personal data and where they operate.

At the federal level, personal data is protected based on industry and data type. But many other areas—like retail, marketing, and technology—are governed mainly by state legislation. Understanding both layers is key to navigating privacy compliance in the US. Here are some cornerstone statutes shaping this sectoral framework:

| Law | Year | Industry/Focus | Key Protections |
|---|---|---|---|
| Fair Credit Reporting Act (FCRA) | 1970 | Credit reporting | Regulates the collection and use of consumer credit information; ensures fairness and accuracy. |
| Family Educational Rights and Privacy Act (FERPA) | 1974 | Education | Protects the privacy of student education records and gives parents and eligible students rights to access and correct them. |
| Electronic Communications Privacy Act (ECPA) | 1986 | Communications | Restricts unauthorized interception of or access to electronic communications, such as emails and stored data. |
| Health Insurance Portability and Accountability Act (HIPAA) | 1996 | Healthcare | Sets national standards for safeguarding Protected Health Information (PHI). Requires patient consent and secure handling of sensitive data by Covered Entities (doctors, hospitals, insurance plans) and their Business Associates. |
| Children’s Online Privacy Protection Act (COPPA) | 1998 | Online services for children | Protects the privacy of children under 13 by requiring verifiable parental consent before collecting or sharing a child’s information. |
| Gramm-Leach-Bliley Act (GLBA) | 1999 | Financial services | Requires financial institutions to explain how they collect, share, and protect consumer financial data, and to limit disclosure without consent. |

Together, these laws show the federal emphasis on protecting sensitive data within specific contexts, rather than a single, all-encompassing framework.

The Rise of State-Level Laws

Because federal laws leave many gaps, states have stepped in to fill them. These are evolving at a rapid rate.

The movement began with California’s Consumer Privacy Act (CCPA) in 2018. This was later strengthened by the California Privacy Rights Act (CPRA), which created the first dedicated privacy regulator: the California Privacy Protection Agency (CPPA).

Since then, nearly 20 states have passed comprehensive privacy laws, including Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Delaware, New Jersey, and Montana, with additional states actively considering legislation.

[Image: map of the United States, including Alaska and Hawaii, overlaid with icons representing privacy topics such as state privacy laws, consumer rights, biometrics, AI, data brokers, and children’s privacy.]

Despite differences, most of these laws share a common framework for handling personal data:

Common Consumer Rights

  • The right to know what an organization collects and why.
  • The right to access and correct.
  • The right to delete.
  • The right to opt out of “sales” or targeted advertising.
  • In many states, the right to limit the use of sensitive data.

Common Controller (Business) Obligations

  • Provide transparent privacy notices clearly explaining data practices.
  • Collect and use only the data necessary for stated purposes (data minimization and purpose limitation).
  • Conduct data protection assessments for high-risk processing activities.
  • Maintain contracts with processors (service providers) that restrict secondary uses of data.
  • Implement reasonable security measures to prevent breaches.
  • Provide breach notification to individuals and regulators when certain types of personal data are involved in a security incident. Importantly, a “breach” isn’t limited to malicious attacks; accidental disclosures—such as emailing customer data to the wrong recipient—may also qualify. Each state has its own criteria for what counts as a notifiable breach, which means a single incident can trigger multiple, differing requirements.

Note

With 50 state breach-notification laws, this area is one of the earliest and clearest examples of how fragmented the US privacy system can be.

But the details matter:

  • Terms like personal data, sale, and targeted advertising are defined differently across states. Even the term consumer doesn’t mean the same thing everywhere. Some states, like California, include employee data in addition to residents acting in a household or personal context, while other states may exclude employees or B2B contacts entirely.
  • Some states, like Colorado and Oregon, require opt-in consent for processing sensitive data, while California primarily uses an opt-out (Limit Use of Sensitive PI) model.
  • Applicability thresholds also vary by state. Most laws apply only to organizations that exceed certain revenue levels, process personal data about a minimum number of consumers, or meet other defined criteria. This means not every organization is covered by every state law—a key characteristic of the US system.

There is also a common misconception that nonprofits are automatically exempt from privacy regulations. Laws in Colorado, Delaware, Oregon, and New Jersey specifically include nonprofits within their scope, so checking state-specific exemptions is critical for nonprofit organizations.

Business Impact Example

Let’s look at how this may play out for a real organization. Imagine a cloud-software company operating nationwide:

  • In California, it must provide a “Do Not Sell or Share My Personal Information” link for users to opt out of data sharing.

Note

You will often hear the terms ‘Sharing’ and ‘Targeted Advertising’ used in similar contexts. Here’s the gist:

  • California calls it 'Sharing' (specifically for cross-context behavioral advertising).
  • Most other states call it 'Targeted Advertising.'

Regardless of the label, the intent is the same: giving users the power to say 'no' to having their data tracked across the web to serve personalized ads.

Explore the specifics of the CCPA further in the California Consumer Privacy Act Basics badge.

  • In Colorado, it also must gain opt-in consent before processing sensitive data, like geolocation or biometrics.
  • In Texas, specific disclosure and notice requirements must be met, such as capitalized ‘NOTICE’ language in your privacy statement if you sell sensitive or biometric data.
  • In Minnesota, data protection assessments must include a summary of your internal policies.

This means one company could face a different compliance checklist for each state in which it has customers. This is a key challenge motivating calls for a national privacy law.

Who Enforces US Privacy Laws?

Because the US system is so fragmented, enforcement happens through multiple agencies:

| Enforcer | Scope | Role |
|---|---|---|
| Federal Trade Commission (FTC) | Broad consumer protection authority | The de facto federal privacy enforcer. Because there’s no single federal privacy law, the FTC acts as the primary privacy enforcer in the US using its authority over unfair or deceptive business practices. |
| Department of Health and Human Services (HHS) | Health sector | Oversees HIPAA compliance and investigates breaches of medical data. |
| Consumer Financial Protection Bureau (CFPB) | Financial services | Enforces privacy and fairness under FCRA and GLBA. |
| State Attorneys General (AGs) | State-specific | Enforce state privacy laws and pursue violations affecting residents. |
| California Privacy Protection Agency (CPPA) | California | The first independent state privacy regulator, with rule-making and enforcement powers. |

Most comprehensive state laws leave enforcement to Attorneys General, and don’t offer individuals the right to sue (private right of action). However, exceptions exist—primarily for data breaches (in California) or biometric violations (in Illinois), which have driven significant class-action litigation.

What’s Next? The Push for a Federal Law

With dozens of state laws now in effect or on the horizon, many organizations and policymakers are urging Congress to create a comprehensive federal privacy law that would:

  • Establish a single national standard
  • Simplify compliance across states
  • Strengthen consumer rights uniformly

Proposals such as the American Data Privacy and Protection Act (ADPPA) have sparked debate about federal preemption (whether a federal law would override state laws like California’s). For now, there’s no consensus, but the discussion reflects a growing recognition that privacy has become a national priority, not just a patchwork of local rules.

Looking Ahead

In the next unit, we’ll explore emerging privacy trends—from biometric data and Advertising Technologies (AdTech) to Artificial Intelligence (AI)—and how these evolving technologies challenge existing laws and principles.

Resources
