Data Privacy Law for U.S. Businesses
Data privacy law in the United States governs how businesses collect, store, process, transfer, and delete personal information belonging to individuals. Unlike the European Union's unified General Data Protection Regulation (GDPR), U.S. privacy law operates through a fragmented patchwork of federal sector-specific statutes, state comprehensive privacy laws, and Federal Trade Commission enforcement authority. This page covers the structural mechanics of that framework, the regulatory bodies involved, classification boundaries between covered and non-covered entities, and the practical tensions businesses face when operating across multiple jurisdictions.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
Data privacy law, as applied to U.S. businesses, encompasses the legal obligations that govern the lifecycle of personal information — from the point of collection through destruction or de-identification. "Personal information" or "personally identifiable information" (PII) is defined differently across statutes, but the National Institute of Standards and Technology (NIST) in Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity."
The scope of U.S. data privacy law is determined by three overlapping factors: the sector in which a business operates, the type of data processed, and the geographic location of the individuals whose data is collected. A healthcare provider handling patient records falls under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), administered by the U.S. Department of Health and Human Services (HHS). A financial institution managing consumer credit data must comply with the Gramm-Leach-Bliley Act (GLBA), enforced partly by the Federal Trade Commission (FTC). A business collecting data from children under age 13 triggers the Children's Online Privacy Protection Act (COPPA), also enforced by the FTC.
State-level comprehensive privacy laws expand this scope significantly. As of 2023, states including California, Virginia, Colorado, Connecticut, and Texas had enacted or were enforcing broad consumer privacy statutes (IAPP U.S. State Privacy Legislation Tracker). The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to for-profit businesses that meet one of three thresholds: annual gross revenues exceeding $25 million, annual buying or selling of personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenues from selling personal information (California Civil Code § 1798.100 et seq.).
Business regulatory compliance frameworks must account for all applicable layers simultaneously.
Core Mechanics or Structure
U.S. data privacy law operates through four principal structural mechanisms: notice and consent requirements, individual rights provisions, data security mandates, and enforcement mechanisms.
Notice and Consent. Most statutes require covered entities to inform individuals what data is collected, for what purpose, and with whom it is shared. The FTC's enforcement of Section 5 of the FTC Act (15 U.S.C. § 45) treats deceptive or unfair data practices as actionable regardless of whether a specific privacy statute applies. Privacy notices under GLBA must be delivered at the time a customer relationship is established and annually thereafter.
Individual Rights. State comprehensive laws grant consumers rights that federal sector law often does not: the right to know what data is collected, the right to delete it, the right to correct inaccurate data, the right to opt out of its sale, and in some states the right to data portability. Virginia's Consumer Data Protection Act (VCDPA), effective January 1, 2023 (Virginia Code § 59.1-575 et seq.), includes all five rights for covered consumers.
Data Security Mandates. The FTC's Safeguards Rule under GLBA (16 C.F.R. Part 314), updated in 2021, requires financial institutions to implement a written information security program with specific administrative, technical, and physical safeguards (FTC Safeguards Rule). HIPAA's Security Rule establishes equivalent requirements for electronic protected health information (ePHI).
Enforcement. Federal enforcement rests primarily with the FTC, HHS Office for Civil Rights (OCR), and sector-specific regulators. Civil monetary penalties under HIPAA reach up to $1.9 million per violation category per year (HHS HIPAA Enforcement). COPPA violations carry civil penalties up to $51,744 per violation as adjusted for inflation (FTC COPPA Rule, 16 C.F.R. Part 312).
Causal Relationships or Drivers
The fragmented structure of U.S. data privacy law is the direct product of a sectoral legislative philosophy adopted by Congress beginning in the 1970s. Rather than enacting omnibus privacy legislation, Congress responded to specific industry abuses — medical record leaks, credit reporting errors, video rental disclosures — with targeted statutes. The Fair Credit Reporting Act (FCRA) of 1970, HIPAA in 1996, COPPA in 1998, and GLBA in 1999 each addressed a discrete problem sector.
State legislative activity accelerated after the FTC repeatedly declined to recommend comprehensive federal privacy legislation and Congress failed to pass a unified standard. The California Consumer Privacy Act of 2018, driven partly by a ballot initiative threat from privacy advocate Alastair Mactaggart, became the first state-level comprehensive privacy statute and catalyzed parallel legislation in 18 additional states as of 2024 (IAPP State Law Tracker).
High-profile data breaches also function as causal drivers. The Equifax breach of 2017 exposed personal information of approximately 147 million individuals and preceded renewed congressional scrutiny of credit bureau data practices. The FTC's $5 billion penalty against Facebook (Meta) in 2019 (FTC v. Facebook consent order) established a ceiling for FTC enforcement and signaled that behavioral advertising practices would face sustained regulatory pressure.
Intellectual property law for businesses and trade secret law intersect with data privacy where proprietary data assets overlap with personal information.
Classification Boundaries
U.S. data privacy law draws four primary classification boundaries that determine which statutes apply.
Sector-Based Coverage. Covered entities under HIPAA are limited to health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, plus their business associates. Businesses outside healthcare — even if they process health-related data — generally do not fall under HIPAA unless they are business associates of a covered entity (45 C.F.R. Parts 160 and 164).
Data Type Classification. Sensitive categories of personal information trigger heightened obligations under state comprehensive laws. The CPRA identifies sensitive personal information to include Social Security numbers, precise geolocation data, racial or ethnic origin, biometric data, and health information. Processing these categories generally requires opt-in consent rather than opt-out.
Entity Size and Revenue Thresholds. The CCPA/CPRA exempts small businesses below the $25 million revenue threshold and below the 100,000 consumer data threshold. Virginia's VCDPA applies only to controllers that process data of 100,000 or more Virginia consumers annually, or 25,000 consumers if 50% or more of gross revenue derives from data sales.
B2B Exemptions. Several state laws temporarily or permanently exempt personal information collected in purely business-to-business transactions. The CPRA extended the CCPA's B2B exemption, though the contours of that exemption continue to be tested in enforcement.
Tradeoffs and Tensions
Compliance Cost vs. Small Business Capacity. State threshold exemptions are designed to protect small businesses, but companies that cross revenue or data volume thresholds face compliance costs estimated in the range of $50,000–$2 million for initial CCPA readiness, depending on data ecosystem complexity (California Attorney General economic analysis, 2019). For mid-market companies, the cost of building consent management platforms, conducting data mapping, and responding to individual rights requests is material.
Federal Preemption vs. State Innovation. A recurring tension in U.S. privacy policy is whether a federal omnibus law would preempt stronger state laws or establish a floor that states can exceed. The American Data Privacy and Protection Act (ADPPA), introduced in Congress in 2022, stalled partly over preemption language that California opposed. The absence of federal legislation leaves businesses managing 18 or more distinct state statutory regimes simultaneously.
Operational Data Use vs. Privacy Rights. Broad individual deletion rights conflict with business needs for fraud detection, audit trails, and contractual record retention. Most state laws carve out exceptions for legal compliance, but those carve-outs require documented analysis — creating administrative overhead even when deletion is ultimately refused.
Enforcement Asymmetry. Smaller businesses face proportionally heavier compliance burdens because fixed compliance costs do not scale with revenue the way penalties theoretically do.
Common Misconceptions
Misconception: HIPAA applies to any business that handles health information.
HIPAA coverage is entity-specific. A general technology company building a wellness app is not a HIPAA-covered entity unless it qualifies as a business associate of a covered entity under a written Business Associate Agreement. The HHS Office for Civil Rights has published guidance clarifying this boundary (HHS HIPAA for Professionals).
Misconception: A business that does not sell personal information has no obligations under state privacy laws.
"Sale" under the CCPA is defined broadly to include sharing personal information for cross-context behavioral advertising, even without monetary consideration (California Civil Code § 1798.140(ad)). A business running third-party advertising pixels may trigger opt-out obligations without any direct commercial transaction.
Misconception: Anonymized data is always outside the scope of privacy law.
Re-identification risk has caused regulators and courts to scrutinize anonymization claims. The FTC's 2012 privacy report identified re-identification as a concern and stated that de-identification must meet a reasonable standard, not merely strip obvious identifiers. "De-identified" data under the CPRA must meet specific technical and legal criteria including contractual controls on re-identification.
Misconception: A posted privacy policy satisfies all legal obligations.
A privacy policy satisfies notice obligations in certain frameworks but does not satisfy data security mandates, individual rights response obligations, data processing agreements, or breach notification duties. Privacy policy publication is one element of compliance, not a substitute for it.
E-commerce and digital business law addresses additional disclosure obligations specific to online commercial activity.
Checklist or Steps
The following is a structural framework for understanding the operational phases of data privacy compliance, presented as reference categories rather than legal instructions.
- Data Inventory and Mapping — Identify all categories of personal information collected, processed, stored, or transmitted; document data flows including third-party processors and vendors.
- Applicability Analysis — Determine which federal statutes (HIPAA, GLBA, COPPA, FCRA) apply based on sector and data type; determine which state statutes apply based on the geographic location of data subjects and applicable entity thresholds.
- Sensitive Data Classification — Segregate sensitive categories (biometric, health, financial, geolocation, children's data) from general personal information; document the legal basis for processing each category.
- Policy and Notice Development — Draft or update privacy notices to reflect actual data practices; ensure notices satisfy the specificity requirements of applicable statutes (e.g., CCPA-compliant privacy policy at collection, GLBA initial and annual notices).
- Consent and Opt-Out Mechanism Implementation — Implement opt-out mechanisms for data sales and sharing under state law; implement opt-in mechanisms for sensitive data processing where required (e.g., Colorado Privacy Act, C.R.S. § 6-1-1308).
- Individual Rights Response Infrastructure — Establish processes for receiving, authenticating, and responding to consumer rights requests within statutory timeframes (45 days under CCPA, extendable by 45 days with notice).
- Vendor Contract Review — Review and execute data processing agreements, business associate agreements (HIPAA), and service provider agreements (CCPA) with all third parties receiving personal information.
- Security Program Documentation — Document administrative, technical, and physical safeguards; conduct risk assessments as required under HIPAA Security Rule (45 C.F.R. § 164.308) and FTC Safeguards Rule.
- Breach Response Planning — Establish written incident response and breach notification procedures; map notification deadlines by state (ranging from 30 to 90 days across state breach notification statutes).
- Training and Ongoing Monitoring — Document employee training programs; schedule periodic reassessment of data practices against regulatory changes.
Reference Table or Matrix
| Statute / Law | Administering Agency | Covered Entities | Key Data Category | Max Civil Penalty |
|---|---|---|---|---|
| HIPAA (1996) | HHS Office for Civil Rights | Health plans, providers, clearinghouses, BAs | Protected Health Information (PHI) | $1.9M per category/year (HHS) |
| GLBA (1999) – Safeguards Rule | FTC, federal banking regulators | Financial institutions | Nonpublic personal financial information | Up to $100,000 per violation (FTC, 16 C.F.R. Part 314) |
| COPPA (1998) | FTC | Operators of child-directed online services | Children's data (under 13) | $51,744 per violation (FTC, 16 C.F.R. Part 312) |
| FCRA (1970) | FTC, CFPB | Consumer reporting agencies, furnishers | Consumer credit / background data | Up to $1,000 per willful violation (15 U.S.C. § 1681n) |
| CCPA / CPRA (2018/2020) | California Privacy Protection Agency | For-profit businesses meeting thresholds | Consumer personal information | $7,500 per intentional violation (Cal. Civil Code § 1798.155) |
| Virginia VCDPA (2021) | Virginia AG | Controllers meeting data volume thresholds | Consumer personal data | $7,500 per violation (Va. Code § 59.1-584) |
| Colorado CPA (2021) | Colorado AG | Controllers meeting thresholds | Consumer personal data | Up to $20,000 per violation (C.R.S. § 6-1-1316) |
| FTC Act § 5 (15 U.S.C. § 45) | FTC | Businesses engaged in commerce, regardless of whether a sector-specific privacy statute applies | Any personal information subject to deceptive or unfair practices | No civil penalty for an initial § 5 violation; civil penalties apply to violations of FTC orders (15 U.S.C. § 45(l)) |