United States Data Privacy Regulations
Overview
The United States lacks a singular federal data privacy law. Instead, it relies on sectoral federal laws (HIPAA for health, GLBA for financials) and comprehensive state-level privacy laws, most notably the California Consumer Privacy Act (CCPA).
Applicability varies widely. State laws generally apply to businesses that operate in those states and meet specific revenue or data-volume thresholds.
Key Rules & Obligations
Breach Notification
Varies by state (usually 30 to 60 days). HIPAA requires notification within 60 days.
Maximum Penalties
Under CCPA/CPRA: $2,500 per unintentional violation or $7,500 per intentional violation.
Data Transfers
Generally fewer restrictions on international data transfers compared to the EU, but businesses remain liable for third-party processing.
Individual Rights
- Right to know
- Right to delete
- Right to opt-out of sale/sharing
- Right to correct (CPRA)
- Right to limit sensitive data use (CPRA)
Enforcement Authority
Federal Trade Commission (FTC), State Attorneys General, HHS/OCR
Contact: Varies by jurisdiction and sector
Notable Breaches in United States
Official Sources
- California Privacy Protection Agency (CPPA) (verified 2024-03-01)
- FTC Privacy and Security (verified 2024-03-01)
Frequently Asked Questions
Is the CCPA the same as GDPR?
No. While similar in intent, the CCPA traditionally relies on an "opt-out" framework for data sales, whereas the GDPR requires explicit "opt-in" consent for data processing.
Who regulates data privacy in the USA?
There is no central federal regulator. The FTC polices deceptive practices federally, while states enforce their own laws (e.g., California's CPPA).
How do I report a data breach in the US?
Reporting obligations vary by state law. Typically, the state attorney general and the affected residents must be notified once the applicable thresholds are met.
Last updated: March 5, 2026