U.S. data privacy protection laws: 2025 guide
Growing concerns over the processing, storage and protection of personal data, plus the GenAI effect, are leading to the passage of new local and regional privacy regulations.
Dozens of laws, regulations, statutes and other guidance have been issued on data protection and privacy by the federal government, many states and local municipalities over the past several years. Considering the growing pressure on business leaders to protect the confidentiality, integrity and availability of personally identifiable information, it's essential that CIOs and other IT leaders are aware of and conform to the requirements in that legislation.
While there are many well-known standards for data security and privacy -- among them ISO/IEC 27001, ISO/IEC 27002 and NIST Special Publication 800-53 -- these standards only represent a small percentage of the regulations and legislation governing data privacy and security.
What are data privacy laws and regulations?
Consider how much data is generated every hour and how much of that data contains personally identifiable information (PII). Data with these unique characteristics, by their nature and criticality, must be secured from unauthorized access and kept from the general public. To that end, confidentiality, integrity and availability of data must be protected.
As a result, dozens of laws and regulations have been developed -- and continue to be developed -- that govern how data is collected, processed and stored. These statutes are meant to do the following:
- Ensure unauthorized access to personal and private data is prohibited.
- Protect against activities that might alter data without the owner's knowledge or approval.
- Establish access processes that prevent access to personal data other than by the owner(s).
- Ensure this access also makes it possible for owners to examine their data.
- Provide permissions for personal data to be collected.
- Prevent the selling or release of data to outside third parties without owner consent.
- Ensure owners can review their data to validate that it is correct.
- Permit owners to have data about them deleted.
- Ensure owners are notified if a security breach has compromised their data.
By complying with these guidelines, companies minimize the chances that they can be sued or fined and help reduce any effects created by negative customer fallout and reputational damage.
U.S. privacy legislation
While the U.S. currently doesn't have a national data privacy law, two initiatives have been developed:
- American Data Privacy and Protection Act. ADPPA was introduced during the 117th Congress (2021-2022). Although it has yet to receive a vote, its provisions could become law by being included in another bill.
- Executive order on protecting Americans' sensitive personal data. Issued by President Joe Biden on Feb. 28, 2024, the order authorizes the U.S. attorney general to prevent the large-scale transfer of sensitive American data to countries of concern.
The Federal Trade Commission is a key arbiter in assessing compliance with laws that affect data privacy. Its enforcement actions protect consumers from unfair or deceptive practices and enforce federal privacy and data protection regulations.
Additional agencies that exercise authority on privacy issues include the Office of the Comptroller of the Currency, Department of Health and Human Services, Federal Communications Commission, Securities and Exchange Commission, Consumer Financial Protection Bureau and Department of Commerce.
U.S. statutes that cover privacy issues include the following:
- Privacy Act of 1974. This law established a code of fair information practices to govern the collection, processing, management, dissemination and destruction of PII.
- Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA has two key sections: the Security Rule and Privacy Rule. These rules give protected health information providers and processors flexibility in how they protect user data. In addition, HIPAA is an important audit document. Compliance with the law and its many provisions is essential to avoid penalties and possible fines.
- Gramm-Leach-Bliley Act. Enacted in 1999, GLBA modernized compliance requirements for financial services and addressed concerns related to consumer financial privacy by requiring financial institutions to explain their information-sharing practices to customers and safeguard sensitive data.
- Children's Online Privacy Protection Act. COPPA aims to protect the privacy and PII of children under the age of 13 who use online services.
- Driver's Privacy Protection Act. DPPA governs the privacy and disclosure of personal information gathered by state-level motor vehicle departments.
- Video Privacy Protection Act. VPPA restricts the disclosure of rental or sale records of videos or similar audiovisual materials, including online streaming.
- Cable Communications Policy Act of 1984. This includes provisions dedicated to the protection of subscriber privacy.
- Fair Credit Reporting Act. FCRA restricts the use of information that addresses an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living as part of efforts to determine eligibility for credit, employment or insurance.
- Telephone Consumer Protection Act. TCPA regulates calls and text messages to mobile phones and regulates calls to residential phones via automated dialing systems that are made for marketing purposes.
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003. The CAN-SPAM Act sets basic rules for sending commercial emails, including letting recipients opt out of further messages.
- Family Educational Rights and Privacy Act. FERPA lets students inspect and revise their student records for accuracy; it also prohibits disclosure of student records or other student PII without the student's or parent's consent.
State-level privacy legislation
While no national legislation exists, at least 15 states have enacted their own data privacy laws, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia. In addition, more than half of U.S. states have proposed or passed some form of targeted legislation citing the use of AI in political campaigns, schooling, crime data, sexual offenses and deepfakes. Be sure to read and fully understand the laws of each state.
California
California has been the leader in data privacy legislation, enacting more laws than any other state. The following are key examples:
- California Consumer Privacy Act. CCPA, in effect since Jan. 1, 2020, specifies that residents can ask businesses to disclose the type of information they collect, why they're collecting the information and the source of the data.
- California Privacy Rights Act. In effect since Jan. 1, 2023, CPRA amends and builds on CCPA by giving residents the ability to prevent businesses from sharing their personal data; request that personal data inaccuracies be corrected; and prevent companies from using sensitive PII, such as race and sexual preference.
- The California legislature passed several AI-related bills in 2024, defining AI and regulating the largest AI models, generative AI training data transparency, algorithmic discrimination and deepfakes in election campaigns.
Colorado
- Colorado was the first state to enact a broad-based regulation on AI usage, known as the Colorado Artificial Intelligence Act, which passed in 2024. AI systems developers are required "to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system."
- The Colorado Privacy Act, in effect since July 1, 2023, grants consumers rights to manage their personal data and specifies how businesses must protect personal data.
Connecticut
The Connecticut Personal Data Privacy and Online Monitoring Act -- also known as the Connecticut Data Privacy Act -- has been in effect since July 1, 2023. It specifies consumer rights related to personal data, online monitoring and data privacy.
Delaware
The Delaware Personal Data Privacy Act was signed Sept. 11, 2023, and goes into effect Jan. 1, 2025. It delineates consumer rights and requirements for the protection of personal data.
Florida
The Florida Digital Bill of Rights, effective July 1, 2024, applies to entities that generate more than $1 billion in gross revenue and at least 50% of their global annual revenues from the sale of online advertisements.
Indiana
The Indiana Consumer Data Protection Act goes into effect Jan. 1, 2026, and outlines consumer rights and requirements for data protection.
Iowa
The Iowa Consumer Data Protection Act was signed into law March 28, 2023, and takes effect Jan. 1, 2025. It describes consumer rights and requirements for data protection.
Montana
The Montana Consumer Data Privacy Act, effective Oct. 1, 2024, applies to entities that conduct business in Montana or provide products or services to Montana residents that might use personal data.
New Hampshire
The New Hampshire Privacy Act takes effect on Jan. 1, 2025. It applies to entities that conduct business in New Hampshire or create products or services that target New Hampshire residents.
New Jersey
The New Jersey Data Protection Act was signed into law Jan. 16, 2024, and takes effect on Jan. 15, 2025. It applies to entities that conduct business in New Jersey or create products or services that target New Jersey residents.
Oregon
The Oregon Consumer Privacy Act went into effect July 1, 2024. It outlines consumer rights and rules for data protection.
Tennessee
The Tennessee Information Protection Act was signed May 11, 2023, and goes into effect July 1, 2025. It governs data protection and data breach reporting.
Texas
The Texas Data Privacy and Security Act, effective July 1, 2024, describes consumer rights and data protection requirements for businesses.
Utah
The Utah Consumer Privacy Act has been in effect since Dec. 31, 2023. It provides consumer rights and emphasizes data protection assessments and security measures.
Virginia
The Virginia Consumer Data Protection Act has been in effect since Jan. 1, 2023. It grants consumers rights to access, correct, delete and post their personal data; mandates that businesses comply with data protection rules; and affects both government and nongovernment organizations that annually process specific quantities of personal data.
Local data privacy actions
Several major U.S. cities have enacted local laws addressing personal data privacy and might also actively enforce state-level legislation on data protection.
New York City
The Stop Hacks and Improve Electronic Data Security Act specifies administrative, technical and physical safeguards for personal data.
Los Angeles and San Francisco
The cities actively enforce California statutes for data privacy and litigate against organizations that violate these regulations.
Chicago and Washington, D.C.
These cities actively enforce privacy legislation by litigating against organizations that violate regulations.
International privacy legislation
Among the most significant international data privacy laws is the General Data Protection Regulation (GDPR). Launched in May 2018, it was developed by the EU and European Economic Area. Any organization -- regardless of where it is headquartered -- that targets or collects data from people and businesses in EU member nations must comply with the law. Similar regulations have been enacted by many other countries, such as the U.K. and India.
In addition, the EU's recently enacted Artificial Intelligence Act attempts to provide greater clarity relating to AI practices, high-risk AI systems and other AI systems and models. More than 100 countries worldwide have currently enacted data privacy regulations. Each law addresses the fundamental issues concerning data creation and processing, data ownership and other criteria. The requirements of each country might differ, as do compliance requirements, but the message is clear: Protecting personal data is critical.
Future of U.S. data privacy laws
Given the importance of data privacy and protection, expect more states to enact data privacy laws, most likely built on the foundation laid by California and other states that have been at the forefront of consumer protection. In addition, more state legislatures should pass laws in the coming years. This patchwork of targeted U.S. state and local legislation could well lead to a broad-based bipartisan national data privacy law that also regulates -- or reins in -- the development, deployment and application of AI.
Editor's note: This article was updated from February 2024 to reflect some of the latest data privacy legislation.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.