
A Consumer Guide to U.S. Data Privacy Laws

In the U.S., data privacy laws are a collection of federal and state regulations that protect consumers’ personal information from misuse by businesses, organizations, and government agencies. The United States operates under a patchwork system of sector-specific laws rather than one comprehensive privacy statute, with different rules applying to health care, financial services, children’s data, and other areas.

Consider how much data you leave behind every day as you work, shop, and scroll online. The digital world can capture every button you press, transaction you make, and message you send. It has never been easier to track someone’s activities — or violate their privacy.

The United States has no broad data privacy protection law. Instead, it has a patchwork of protected areas. Some of these laws only apply to one specific industry, while others protect certain people, such as minors under the age of 13.

This article focuses on data privacy laws and protections at the federal level. State law might provide some additional protections, depending on where you live and who collects your data. 

What Is Consumer Data Privacy?

Consumer data privacy refers to how the government, businesses, and organizations protect your personal information. By extension, consumer data privacy laws concern your rights to see and control information others have about you.

What Counts As Consumers’ Personal Information?

Virtually any piece of information about you may be personal data. Companies and organizations often use many data points to build profiles of individual consumers. Most of this data is now digital.

Examples of typical consumer data include:

  • Names
  • Addresses
  • Driver’s license numbers
  • Social Security numbers (SSNs)
  • Financial information like credit card numbers and tax records
  • Employment history
  • Account details, such as passwords and biometric data
  • Location and device data
  • Online behavior and habits
  • User opinions and preferences, such as political affiliation or religious beliefs

Personally identifiable information (PII) can enable services. For example, a car insurance company might need your driver’s license details to confirm your driving history before selling you a policy. An employer usually needs your SSN to run a background check before hiring you.

The problem arises when your information falls into the wrong hands for the wrong reasons.

Data Breaches Threaten Consumers

Hackers have stolen many Americans’ names, addresses, and Social Security numbers. For example, they hacked the computer system of credit reporting giant Equifax in 2017. Equifax failed to update its computer security systems, and it stored usernames and passwords in unencrypted files.

Data breaches harm consumers, such as by enabling identity theft. Once your data is exposed, reversing the damage and regaining your privacy can be a long, difficult process. That’s why federal laws and regulators work to prevent data breaches in the first place.

Main Principles of Data Privacy Laws

Privacy regulations often relate to:

  • Transparency: Consumers can better protect their privacy if they understand how the entity will use their information. For example, a privacy law may require a company to disclose whether it will share your data with third parties.
  • Consent: How a business or the government obtains personal data matters. Laws determine when they need the consumer’s permission to collect and use data.
  • Control: You might want to opt out, review, or delete your data. Privacy laws require data brokers and other entities to give consumers control methods.
  • Cybersecurity: Systems that manage sensitive data must meet minimum standards. If a company neglects its duty to safeguard consumer data, it may be held accountable for any harm.
  • Access: Laws may limit who can view, use, or change your data. For example, a hospital can’t share your medical records with a stranger.
  • Data minimization: Businesses can protect consumers by collecting and keeping as little information as necessary to carry out business functions. This tactic can reduce the impact of a data leak.
  • Enforcement: Violators may face consequences for illegal harvesting or sharing of personal data. This includes fines, limitations, or criminal penalties.

Consumer data privacy laws aim to ensure that anyone with your information will manage it responsibly.

The Federal Trade Commission Act

Privacy laws can only protect you if the government adequately supports and enforces them. The Federal Trade Commission (FTC) provides consumers with the broadest overall data protection.

The FTC does not focus solely on data privacy. Rather, its authority is focused on “unfair or deceptive” business practices under Section 5 of the Federal Trade Commission Act. This means that while the FTC can act when businesses use deceptive or unfair data practices, it may not be able to intervene for other privacy violations.

How Does the FTC Regulate Data Privacy?

The FTC can reach agreements with private companies to combat privacy issues. These agreements regulate the use of the data companies collect. The FTC can also take enforcement actions if a company violates its agreement.

For example, in 2011, it agreed with Facebook to create a compliance plan and formalize privacy practices. The FTC hoped that other internet companies would model their privacy and data collection policies on the agreement reached with Facebook.

The FTC investigates and prosecutes companies for issues such as:

  • Deceptive data collection
  • Misuse of consumer data
  • Other improper internet practices

One of the FTC’s primary functions is to prevent identity theft. It built a complaint resource to help consumers whose identities have been stolen. This resource gathers the consumer’s report and then shares it with law enforcement.

Privacy Law for Government Data Collection

The Privacy Act of 1974 protects U.S. citizens from the misuse of their data by the federal government. It governs how federal agencies collect, maintain, and use information about people.

This law restricts how federal agencies use personally identifiable records. It doesn’t apply to private companies or state government agencies.

You have the right to access your federal record. You can also request to change the data if it isn’t “accurate, relevant, timely, or complete.”

The Privacy Act has significant limitations and exemptions that allow the federal government to share your data without informing you. For example, agencies can send your records to help with census and labor statistics. There are also exceptions for law enforcement.

Privacy Law for Children Online

The Children’s Online Privacy Protection Act (COPPA) addresses data for minors under 13. It prohibits a website or online service provider directed at children from collecting PII without verifiable parental consent.

A business may collect this data only if it gives notice of what information it will collect and how it will use it, and obtains verifiable parental consent before collecting it.

Privacy Law for Your Health Information

Healthcare data is especially sensitive. The Health Insurance Portability and Accountability Act (HIPAA) protects your medical records.

This law regulates the use and disclosure of a person’s health information, including details like:

  • Your diagnoses
  • Your treatment plans and medications
  • Your medical billing history and payment information
  • Other personal data, such as your address and birthdate

Health providers can face civil and criminal penalties for failing to follow the privacy rule requirements of HIPAA.

Keep in mind that HIPAA only applies to “covered entities,” such as:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

It does not protect health information held by employers, schools, or many apps and websites.

Credit Reporting Privacy Law

The Fair Credit Reporting Act (FCRA) protects your financial data. It regulates consumer reporting agencies like Equifax, TransUnion, and Experian.

The FCRA requires agencies to address data security in specific ways, such as:

  • Notifying you when they disclose your credit report
  • Placing fraud alerts for suspicious credit activity
  • Providing free access to credit reports following a fraud alert

The Act is extensive and protects many consumer rights. It restricts the disclosure of credit reports and other consumer reports, and it works in conjunction with HIPAA to protect medical information as well.

Financial Data Collection Privacy Law

The Gramm-Leach-Bliley Act (GLBA) protects your private financial information. The GLBA primarily regulates financial institutions. Banks and financial businesses must explain how they collect and use your information.

This law aims to ensure transparency and privacy when you use financial services, such as:

  • Online banking
  • Loan applications
  • Insurance policies
  • Investment services and investing advice
  • Money transfers
  • Online payment processing, such as online shopping checkouts

These services often need sensitive data like your financial account numbers and personal details about your identity. Before using a financial service, you should understand what details it will gather and whether it will share them with third parties.

Legal Safeguards Against Marketing Spam

In the early 2000s, consumers fought a barrage of unwanted email advertisements. Many of these emails contained explicit sexual content. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) to reduce these emails.

CAN-SPAM established requirements for sending unsolicited commercial email. The law also regulates other fraudulent activities associated with electronic mail. Unfortunately, online spam continues to take advantage of consumers’ data.

Privacy Law Against Digital Spying

In the days of telephones and telegraphs, the U.S. had a wiretap law. It banned eavesdropping and recording conversations through those methods.

Later, lawmakers expanded that law to address modern wireless communication. The Electronic Communications Privacy Act (ECPA) protects oral, wire, and electronic communications.

ECPA can prohibit intercepting messages in forms such as:

  • Phone conversations, including landline and mobile phones
  • Voicemail and private audio memos
  • Email conversations
  • Private direct messages on social media
  • Text messages
  • Private video calls

There are limits to how the ECPA can protect your communications. Exemptions are in place for law enforcement and publicly available communications. Granting a person or company permission to intercept your message also creates an exception to this law.

Anti-Hacking Legal Protection

The Computer Fraud and Abuse Act combats a hacker’s ability to control government and private computers. This law addresses hacking and data theft by illegally accessing computers and taking computerized data. Its protection extends to mobile devices like laptops, tablets, and smartphones.

Under this law, merely accessing a “protected computer” without authorization is illegal. Even if a hacker doesn’t steal any data or information, breaking into the computer is a crime. Protected computers are generally those used by the government and financial institutions. The law also covers voting system computers.

The definition of “protected computer” has broadened over time. In 2008, it was expanded to cover computers “used in or affecting interstate or foreign commerce.” Courts have interpreted this to mean any computer with an internet connection.

That doesn’t mean law enforcement will go after every person who steals their neighbor’s Wi-Fi. Enforcement of the CFAA is severely limited and focuses on unauthorized access carried out as part of another crime.

Privacy Law for Educational Records

The Family Educational Rights and Privacy Act (FERPA) protects student records. These records include anything and everything a school keeps about the student.

FERPA also controls parents’ and students’ access to educational records. The Act gives you the right to correct inaccurate information in your record and control who can view it.

This law ensures that schools keep student information confidential by taking proper data security measures. Under FERPA, schools’ systems, software, and faculty training must meet basic standards to protect student privacy. Adequate protection is a concern as schooling adapts to changing technology and a higher demand for online coursework.

State-Level Consumer Privacy Protections

Federal laws offer a basic framework for consumer privacy. You may also have additional protections under U.S. state law.

Some examples of state data privacy laws include:

Some states have far more comprehensive data privacy laws than others. For example, the California Consumer Privacy Act (CCPA) gives California residents a private right of action (the right to sue) for certain data breaches involving unencrypted personal information.

Many people have looked to Europe as a model for solving data privacy challenges. The European Union operates under the General Data Protection Regulation (GDPR). Since its passage in 2016, the GDPR has often inspired elements of state laws.

Consumer rights can vary greatly among states. State attorneys general and related agencies typically manage consumer complaints. A local attorney can help you understand the specific protections that apply to you.

Consumer Privacy Law Developments

New technology drives many data privacy concerns. With the proliferation of tech such as biometric scanners and artificial intelligence (AI), consumers face new and challenging privacy risks. Companies, organizations, and even the government face new cybersecurity threats on a regular basis.

In response, privacy legislation is changing fast across the country. Many of the state laws listed above went into effect as recently as 2023 and 2024. Federal privacy law has been a growing focus as this patchwork of state laws continues to expand.

The law often struggles to keep pace with technology. Rulemaking takes time, especially at the federal level. Bills must pass both the House and Senate, and politics can cause delays.

Learn About Your Rights With a Data Privacy Lawyer

The federal government tries to prevent data theft through these laws, but it’s up to you to protect your data before a breach happens.

Most federal data privacy laws don’t provide a private right of action. Consumers typically can’t sue directly for a breach or misuse of their data. However, state attorneys general and consumer protection offices often have processes in place to help residents report scams and fraud. You can also report fraud and identity theft to the FTC.

If you’ve suffered financial losses from identity theft or data misuse, you should consult with an attorney about your legal options. Look for attorneys with experience in:

  • Consumer protection law
  • Privacy and data security law
  • Class action litigation
  • The specific area of law relevant to your concern (health care, financial services, etc.)

FindLaw’s directory of experienced consumer protection attorneys can help you get started. Start by searching for attorneys in your state, then narrow the results by city, reviews, and more.

Privacy law is rapidly evolving, and your options depend heavily on your specific circumstances, location, and the nature of the privacy concern. A qualified attorney can assess whether you have viable legal options and explain the realistic outcomes you might expect.
