Your Privacy and Your Data in the USA Today

The landscape of privacy laws in the U.S. today is characterized by a complex interplay of federal and state regulations, reflecting a growing concern among consumers about data privacy and the need for stronger protections.

Unlike many other countries with comprehensive national privacy laws, the U.S. has adopted a sector-specific approach at the federal level, supplemented by a growing patchwork of state laws.

This fragmented approach presents both opportunities and challenges for businesses and consumers alike.

The Federal Privacy Landscape

At the federal level, several laws address specific aspects of privacy, but no single overarching law governs the collection, use, and disclosure of personal data across all sectors. Some of the key federal privacy laws include:

  • The Health Insurance Portability and Accountability Act (HIPAA): Enacted in 1996, HIPAA sets standards for the privacy and security of protected health information (PHI) held by covered entities such as healthcare providers, health plans, and healthcare clearinghouses. The HITECH Act of 2009 strengthened HIPAA’s enforcement provisions and increased penalties for violations. Despite HIPAA safeguards and protections, medical data breaches have increased seventy percent since 2010.
  • The Genetic Information Nondiscrimination Act (GINA): GINA, enacted in 2008, prohibits discrimination based on genetic information in employment and health insurance.
  • The Children’s Online Privacy Protection Act (COPPA): COPPA, enacted in 1998, regulates the online collection of personal information from children under the age of 13.
  • The Federal Trade Commission Act (FTC Act): The FTC Act empowers the Federal Trade Commission (FTC) to take action against companies that engage in unfair or deceptive trade practices, including those related to data privacy and security.
  • The Fair Credit Reporting Act (FCRA): The FCRA regulates the collection, use, and disclosure of consumer credit information.

Despite these federal laws, significant gaps remain in the protection of personal data, particularly in areas not covered by sector-specific legislation. The U.S. came close to passing a comprehensive privacy law with the American Privacy Rights Act of 2024, but the effort was unsuccessful.

The recently formed Federal Congressional Comprehensive Data Privacy Working Group has several main goals, amongst them:

  • Building a strong bipartisan coalition to address the growing need for comprehensive data privacy legislation.
  • Developing a framework for comprehensive data privacy legislation that can successfully pass through Congress.
  • Creating new Federal data privacy standards that will protect Americans’ rights online and maintain the United States’ global leadership in digital technologies, including artificial intelligence.
  • Addressing the challenge of providing clear digital protections for Americans in the face of rapidly advancing technology and the complex web of existing state and federal data privacy laws.

The group also aims to include input from a broad range of stakeholders on various aspects of data privacy, including definitions of personal and sensitive information, interaction with existing laws, data security, and enforcement mechanisms.

All this could ultimately replace the current mishmash of state privacy laws with a uniform federal standard, which could provide consistency and certainty for businesses and consumers.

State Privacy Laws

In the absence of a comprehensive federal privacy law, the individual states have taken the lead in enacting their own data privacy legislation. As of February 2025, 19 states have enacted comprehensive privacy laws. Some of the more notable state privacy laws include:

  • The California Consumer Privacy Act (CCPA): Passed in 2018 and amended in 2020 by the California Privacy Rights Act (CPRA), the CCPA was the first US state data privacy law and remains one of the strongest. California consumers are granted several rights, including the right to know what personal information businesses collect about them, the right to delete their personal information, and the right to opt out of the sale of their personal information.
  • The Virginia Consumer Data Protection Act (VCDPA): establishes consumer protections such as the right to confirm whether a controller is processing the consumer’s personal data; the right to access, correct, delete, or obtain a copy of that personal data; and the right to opt out of having their personal data processed for purposes of targeted advertising, profiling, or sale.
  • The Colorado Privacy Act (CPA): The CPA was signed into law in July 2021 and includes civil penalties of up to $20,000 per violation.
  • The Utah Consumer Privacy Act (UCPA): Utah’s Privacy Act applies to companies with annual revenues over $25 million that either process or control the personal data of at least 100,000 consumers in a year or process or control the personal data of at least 25,000 consumers in a year while deriving over 50% of their gross revenue from the sale of personal data.
  • The Connecticut Data Privacy Act (CTDPA): applies to businesses that control or process the personal data of at least 100,000 consumers or 25,000 or more consumers while deriving over 25% of their gross revenue from the sale of personal data.
  • The Iowa Consumer Data Protection Act (ICDPA): Iowa’s Act bars data controllers from processing personal data in violation of state and federal laws that prohibit unlawful discrimination.
  • The Indiana Data Privacy Law (IDPL): The IDPL requires businesses to receive clear and informed consent from consumers before processing their sensitive data.
  • The Montana Consumer Data Privacy Act (MCDPA): Montana’s Consumer Data Privacy Act requires compliance from companies that control or process the personal data of at least 50,000 state residents or control or process the personal data of at least 25,000 state residents while deriving more than 25% of gross revenue from the sale of personal data. Montana’s law is also distinct in that it is the first state data protection regulation to ban TikTok. The social media platform has appealed this decision, but it will be liable for a $10,000 fine for each use of the app in Montana if the appeal does not succeed.
  • The Florida Digital Bill of Rights (FDBR): Florida’s Bill of Rights is unique among the state data privacy laws. Its threshold for applicability is higher than any other state’s to date; companies must generate more than $1 billion in gross annual revenue and meet several other specific requirements exclusive to tech giants.
  • The Texas Data Privacy and Security Act (TDPSA): In Texas the Data Privacy and Security Act applies to almost any organization that is not a “small business” as defined by the United States Small Business Administration (SBA).
  • The Oregon Consumer Privacy Act (OCPA): establishes similar consumer rights and data controller obligations as other state data privacy laws.
  • The Delaware Personal Data Privacy Act (DPDPA): applies to organizations that control or process the personal data of at least 35,000 consumers or at least 10,000 consumers while deriving more than 20% of their gross revenue from the sale of personal data.
  • The Tennessee Information Protection Act (TIPA): allows data controllers and processors to defend themselves against violations if they maintain a written privacy program that “reasonably conforms” to the current privacy framework set by the National Institute of Standards and Technology (NIST).

Some states have also enacted or are considering health data-specific legislation to protect consumer health data not covered by HIPAA. For example, the New York Health Information Privacy Act (NY HIPA), passed by the New York State legislature, would regulate the processing of consumer health data in non-traditional healthcare contexts.

Challenges and Opportunities

As mentioned, current privacy laws in the U.S. present several challenges and opportunities. The different state laws have created a complex regulatory environment for businesses to negotiate, particularly those operating across state lines. Critics have argued that existing laws need more teeth and better enforcement to truly protect patient privacy, but some stakeholders believe that privacy laws can stifle innovation, in the healthcare industry in particular. Data privacy is a growing concern for consumers, and building trust is essential for businesses to maintain access to the data they need for growth.

Several other trends are shaping the future of privacy laws in the U.S. With so many countries adopting their own privacy laws that mirror the EU General Data Protection Regulation (GDPR), the U.S. is starting to face pressure to align its laws with international standards. Rapid technological advancements, such as AI accompanied by big data analytics, also pose new challenges for privacy protection.

Consumers are also becoming more aware of their privacy rights and demanding greater control over their personal data. This is accompanied by a growing emphasis on transparency and accountability in data practices, with businesses expected to be forthright about how they collect, use, and protect personal data.

Privacy laws in the U.S., in particular, continue to be a work in progress. The mix of federal and state laws reflects a growing recognition of the importance of data privacy but also presents significant challenges for businesses and consumers, no doubt tied to public action groups as well as advocates for and against more privacy.

As the technology that we use continues to evolve and our expectations shift, it is likely that privacy laws in the U.S. will continue to evolve as well, becoming ever more complex to navigate and consider.
