In a fast-moving digital landscape, the protection of individual privacy is of paramount concern to customers. Getting it wrong can be detrimental to the success of your business. This article explores the privacy and data protection framework in the United States.

Overview of the U.S. Privacy Law Landscape
Unlike most countries with a unified privacy law framework, the United States relies on a mix of federal and state laws for privacy and data protection. Federal laws typically apply to specific industries and cover all businesses within those sectors, regardless of location. In contrast, state laws govern personal information of residents or activities occurring within that state.
Federal Privacy Laws
At the federal level, Congress has passed various laws to protect individuals’ personal information. Some of the most common laws that businesses encounter are set out below.
CAN-SPAM Act
This federal law regulates how businesses send commercial emails, such as marketing content. Businesses that send such communications must clearly identify themselves and explain how the recipient can opt out of receiving future communications. It violates the CAN-SPAM Act to send a commercial email to someone who has previously opted out of receiving them, or to fail to explicitly identify the message as an advertisement.
Children’s Online Privacy Protection Act (COPPA)
COPPA applies to operators of websites or online services targeted towards children younger than 13 years old or operators who know that they are collecting personal information online from a child under 13 years of age. This federal law is designed to give parents the ability to control what information can be collected from their children. It is also supplemented by the COPPA Rule published by the Federal Trade Commission. Key compliance obligations include:
- having a COPPA-compliant privacy policy; and
- providing notice to parents requesting their consent before collecting information from their children.
Health Insurance Portability and Accountability Act (HIPAA)
For health organisations, or anyone working with health organisations, HIPAA is a key federal law to be aware of. The purpose of HIPAA is to protect patient health information while improving healthcare efficiency and portability of information. Under HIPAA, a health organisation must abide by the:
- administrative;
- physical; and
- technical safeguards in the ‘Security Rule’ for electronic health information.
Furthermore, health organisations engaging contractors with access to health information must enter into written agreements, known as ‘business associate agreements’. This is to ensure those contractors are subject to the obligations of HIPAA. In turn, contractors must also enter into business associate agreements with any subcontractors they need to work with.
Gramm-Leach-Bliley Act
For businesses in the financial services industry, the Gramm-Leach-Bliley Act requires them to respect the privacy of, and to protect the security and confidentiality of, their customers’ non-public personal information. In addition, financial services businesses must establish appropriate:
- administrative;
- technical; and
- physical safeguards to protect against the unauthorised access to or use of such information.
If you are a financial institution, financial advisor, broker, dealer, or the provider of insurance or investment products, then this federal law might apply to you.
Federal Trade Commission Act
The Federal Trade Commission (FTC) can take action against businesses that engage in unfair privacy and data security practices. This includes cases where a business misleads consumers by making false statements in its privacy policy or handles personal information in a way that is not clearly disclosed in its policy.
State Privacy Laws
While there is no single privacy framework across the United States, there have been rapid developments in privacy law at the state level ever since California implemented the California Consumer Privacy Act in 2018. Since then, nearly 20 states have followed suit, with more on the way. However, each state typically sets a threshold before its law applies. For example, California’s privacy law only applies to organisations that do business in California and meet one of the following criteria:
- Have a gross annual revenue of over US$25 million;
- Buy, sell or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
State privacy laws typically give individuals the following rights:
- the right to know what information is being collected, why it is being collected, and who it is being disclosed to;
- the right to request that a business delete their information (except where information must be retained by law);
- the right to opt out of having their information sold or shared;
- the right to request correction of inaccurate information; and
- the right to limit the use and disclosure of sensitive personal information (such as social security numbers, financial account information, geolocation data, or genetic data).
Key Takeaways
When considering privacy compliance, you should:
- ensure that your privacy policy is a true and accurate reflection of your privacy and data security practices;
- seek legal advice as to which federal and state privacy laws (if any) apply to your business; and
- if you are a ‘business associate’ under HIPAA, enter into business associate agreements with your customers and your subcontractors.
If you would like to understand your privacy obligations in the United States, or require assistance in preparing your privacy compliance documents, call us today on 1300 544 755 or send us an enquiry.
Frequently Asked Questions
The U.S. does not have a single, unified privacy law. Instead, it relies on a mix of federal and state laws. Federal laws apply to specific industries, while state laws regulate personal data within their jurisdictions.
Businesses must clearly identify themselves in commercial emails, provide recipients with an opt-out option, and avoid sending messages to people who have unsubscribed.