Here is something frustrating about data privacy in America: there is no single, nationwide privacy law. Unlike Europe (which has GDPR), the US has a messy patchwork of federal laws, state laws, and industry-specific regulations. It is like trying to play a board game where every state has different rules — and the rules keep changing.
By 2026, at least 20 states have passed their own comprehensive privacy laws, with California leading the way through its powerful CCPA/CPRA. Meanwhile, federal laws like COPPA protect children online, and HIPAA covers health data. And Congress keeps debating whether to finally create a single federal privacy law.
Whether you are a student learning about your digital rights, a website owner trying to comply, or just someone who wants to understand how your data is protected (or not), this guide explains all the major US privacy laws in plain language.
Why Doesn't the US Have a Single Privacy Law?
If you are wondering why America does not just pass one big privacy law like GDPR, the answer comes down to three things:
- Political disagreements — Democrats and Republicans disagree on how strict the law should be and whether it should override state laws
- Industry lobbying — Big tech companies and data brokers spend hundreds of millions lobbying against strict privacy rules
- Federalism — States have historically regulated consumer protection, and many do not want a weaker federal law to replace their stronger state laws
The result? A confusing patchwork where your privacy rights depend heavily on where you live and what type of data is involved.
California's CCPA/CPRA: The Gold Standard
California's privacy law is the strongest in the nation — and it has become the model that other states follow. Originally passed as the California Consumer Privacy Act (CCPA) in 2018, it was significantly upgraded by the California Privacy Rights Act (CPRA) in 2023.
Your Rights Under CCPA/CPRA
| Right | What It Means | Added By |
|---|---|---|
| Right to Know | You can ask any business what personal information they have collected about you | CCPA (2020) |
| Right to Delete | You can request that a business delete your personal information | CCPA (2020) |
| Right to Opt-Out | You can tell a business to stop selling or sharing your data | CCPA/CPRA |
| Right to Non-Discrimination | A company cannot punish you for exercising your privacy rights | CCPA (2020) |
| Right to Correct | You can have inaccurate personal information fixed | CPRA (2023) |
| Right to Limit Sensitive Data Use | You can limit how businesses use your sensitive info (SSN, finances, location, etc.) | CPRA (2023) |
Who Does CCPA/CPRA Apply To?
CCPA/CPRA applies to for-profit businesses that do business in California AND meet at least one of these thresholds:
- Annual gross revenue over $25 million
- Buy, sell, or share the personal information of 100,000+ California consumers/households
- Earn 50% or more of annual revenue from selling or sharing personal information
Important: You do not need to be physically located in California. If your website collects data from California residents and you meet the thresholds, you must comply.
The Growing Wave of State Privacy Laws
Since California led the way, state after state has been passing privacy laws. While they share common features, each has unique twists that make compliance tricky for businesses operating nationwide.
What Most State Privacy Laws Have in Common
- ✅ Right to know/access — Consumers can ask what data a business has about them
- ✅ Right to delete — Consumers can request deletion of their personal data
- ✅ Right to opt out — Consumers can opt out of targeted advertising and data sales
- ✅ Right to non-discrimination — Businesses cannot punish consumers for exercising privacy rights
- ✅ Consent for sensitive data — Extra protections for health data, biometrics, geolocation, etc.
Key Differences Between State Laws
| Feature | California (CPRA) | Virginia (VCDPA) | Texas (TDPSA) |
|---|---|---|---|
| Revenue threshold | $25M or 100K consumers | 100K consumers or 50% revenue from data | None — all businesses |
| Enforcement | CPPA + AG + private right of action | Attorney General only | Attorney General only |
| Right to correct | Yes | Yes | Yes |
| Data broker rules | Yes — delete-on-request | Limited | Yes — registration required |
| Cure period | None (removed by CPRA) | 30 days | 30 days |
The lack of a cure period in California means regulators can immediately impose fines without giving companies a chance to fix the problem first — making California compliance especially important.
COPPA: Protecting Children Online
COPPA (Children's Online Privacy Protection Act) is the federal law that protects kids under 13 from having their data collected without parental consent. If you build apps, websites, or games that kids use, COPPA is extremely important — and the fines for getting it wrong are massive.
What COPPA Requires
- Verifiable parental consent — You must get a parent's permission before collecting any personal information from a child under 13
- Clear privacy notice — Your privacy policy must specifically explain what children's data you collect and how you use it
- Data minimization — Only collect what is reasonably necessary for the activity
- Data security — Protect children's data with reasonable security measures
- Parental access — Parents can review, delete, and refuse further collection of their child's data
- No conditioning — You cannot require children to give more information than necessary to participate in an activity
Biggest COPPA Fines
- Epic Games (Fortnite) — $275 million (2022) for collecting children's data and using deceptive design patterns
- Google/YouTube — $170 million (2019) for tracking children watching videos without parental consent
- TikTok (Musical.ly) — $5.7 million (2019) for failing to get parental consent for users under 13
- Microsoft (Xbox) — $20 million (2023) for collecting children's data through Xbox Live
The American Privacy Rights Act (APRA)
The American Privacy Rights Act (APRA) is the most serious attempt yet to create a single, comprehensive federal privacy law for the United States. Introduced with bipartisan support, it would establish nationwide privacy protections for the first time.
What APRA Would Do
- Create national privacy rights — All Americans would get rights to access, delete, correct, and port their data, regardless of which state they live in
- Require data minimization — Companies could only collect data that is reasonably necessary for their services
- Ban targeted advertising to minors — No behavioral ads for anyone under 17
- Create a private right of action — Individual consumers could sue companies for privacy violations (not just the government)
- Regulate data brokers — Companies that buy and sell personal data would face new registration and transparency requirements
- Establish an FTC privacy bureau — A dedicated division within the FTC focused solely on privacy enforcement
Why APRA Has Not Passed Yet
The biggest fight is over preemption — whether APRA would replace state laws like California's CPRA. California lawmakers argue their law is stronger and should not be weakened by a federal standard. Industry groups want a single national standard to simplify compliance. This tension has stalled the bill in Congress.
Data Brokers: The Companies Selling Your Information
Data brokers are companies that collect, buy, and sell personal information about you — often without you knowing. They build detailed profiles from public records, social media, purchase history, and data breaches, then sell those profiles to advertisers, employers, landlords, and even law enforcement.
Some alarming facts about data brokers:
- The data broker industry generates an estimated $350 billion annually
- Companies like Acxiom, LexisNexis, and Oracle hold data on billions of people worldwide
- A single consumer profile can contain 1,500+ data points about you
- Your personal information can be purchased for as little as $0.01 per record in bulk
Several states now require data brokers to register with the state and allow consumers to request deletion of their information. California, Vermont, Texas, Oregon, and New Jersey have all enacted data broker regulations.
Privacy Policy Requirements Across US Laws
Almost every US privacy law requires businesses to have a privacy policy. But not just any privacy policy — it must clearly disclose:
- What categories of personal information you collect
- The purposes for which you use each category
- Whether you sell or share personal information (and with whom)
- The consumer rights available and how to exercise them
- Your data retention practices
- How you handle children's data
- How you notify consumers about changes to the policy
Pro tip: Do not just copy a privacy policy template. Regulators have specifically warned that generic, poorly customized privacy policies can themselves be violations since they do not accurately describe your actual data practices.
Multi-State Compliance Strategy
If your business operates nationwide, you need a strategy for complying with multiple state laws simultaneously. Here is the practical approach:
Option 1: Comply with the Strongest Law
The simplest approach is to comply with California's CPRA for all users, since it has the strictest requirements. If you meet CPRA's standards, you will generally satisfy the requirements of other state laws too. This is the strategy most businesses adopt.
Option 2: State-Specific Compliance
Larger organizations may choose to tailor their compliance based on each user's state. This approach is more complex but can be less restrictive for users in states with weaker laws. You will need:
- Geolocation or user registration to determine state of residence
- Different privacy policies or disclosures per state
- State-specific data subject request processes
- Legal review in each state where you operate
Practical US Privacy Compliance Checklist for 2026
No matter which state laws apply to you, this checklist covers the essentials:
- ✅ Map your data — Know exactly what personal information you collect, where it is stored, and who has access
- ✅ Write a clear privacy policy — Disclose your data practices in plain language, not legal jargon
- ✅ Implement opt-out mechanisms — Add "Do Not Sell or Share My Personal Information" links where required
- ✅ Honor Global Privacy Control (GPC) — California requires recognizing browser-based opt-out signals
- ✅ Build data subject request workflows — Have a process to handle access, deletion, and correction requests within required timeframes (typically 45 days)
- ✅ Verify children's ages — If you could have users under 13, implement age verification and COPPA compliance
- ✅ Review vendor contracts — Ensure data processing agreements are in place with every third party that handles your users' data
- ✅ Secure personal data — Implement reasonable security measures (encryption, access controls, breach detection)
- ✅ Create a breach response plan — Most states require notification within 30-72 hours of discovering a breach
- ✅ Train your team — Everyone who handles personal data should understand their privacy obligations
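As an added example (not part of the original article), here is a small Python helper for the "Honor Global Privacy Control" item above. The `Sec-GPC: 1` request header and the `/.well-known/gpc.json` resource come from the GPC specification; the `ConsentRecord` type and its field names are constructed for illustration and stand in for whatever preference store a real site uses.

```python
"""Honour the Global Privacy Control (GPC) browser signal.

GPC is an opt-out of sale/sharing only: it can turn that flag on but must
never turn it back off, since a user may have opted out some other way
(e.g. the "Do Not Sell or Share" link) before browsing without the signal.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass
class ConsentRecord:
    """Constructed stand-in for a site's stored consent state."""
    user_id: str
    sale_sharing_opt_out: bool = False
    source: str = "none"  # how the opt-out was received: "gpc", "link", ...


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC carries the exact value "1".

    The spec defines no other value, so an absent header or anything else
    ("0", "true", "") is treated as no signal. Header names are matched
    case-insensitively because HTTP header names are.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(record: ConsentRecord, headers: Mapping[str, str]) -> ConsentRecord:
    """Record an opt-out when the signal is present; preserve existing opt-outs."""
    if gpc_signal_present(headers):
        record.sale_sharing_opt_out = True
        record.source = "gpc"
    return record


def well_known_gpc(last_update: str) -> dict:
    """Body to serve at /.well-known/gpc.json, declaring that GPC is honoured.

    last_update is an ISO 8601 date string, e.g. "2026-01-15".
    """
    return {"gpc": True, "lastUpdate": last_update}
```

Note that GPC satisfies only the opt-out of sale/sharing; access, deletion and correction requests still need the separate request workflow from the checklist.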
What to Expect in 2026 and Beyond
The US privacy landscape continues to evolve rapidly. Key trends to watch:
- More states will pass privacy laws — Expect 25-30 states to have comprehensive privacy laws by 2027
- AI regulation will intersect with privacy — States are beginning to regulate how AI systems use personal data, especially for automated decisions
- Children's privacy will expand — Multiple proposals aim to raise the COPPA age to 16 or 17, and new laws target social media's impact on minors
- Data broker accountability — More states will require data broker registration and give consumers stronger deletion rights
- Federal law remains uncertain — While APRA has momentum, the preemption debate continues to stall progress
Take Action on US Privacy Compliance
The US privacy landscape is messy and complicated — but ignoring it is not an option. With new state laws taking effect every year and enforcement getting stricter, the cost of non-compliance keeps rising.
The smartest approach? Comply with the strictest standard now (California's CPRA), and you will be ahead of the curve when federal legislation eventually passes. Start by mapping your data, writing a clear privacy policy, and building processes to handle consumer requests.
Your users' trust is worth more than the effort compliance takes. Companies that respect privacy build stronger relationships, avoid costly fines, and position themselves as leaders in a world that increasingly values data protection.
