Navigating Privacy and Data Protection Laws in the United States

In a fast-moving digital landscape, the protection of individual privacy is of paramount concern to customers. Getting it wrong can be detrimental to the success of your business. This article explores the privacy and data protection framework in the United States.

Overview of the U.S. Privacy Law Landscape

Unlike most countries with a unified privacy law framework, the United States relies on a mix of federal and state laws for privacy and data protection. Federal laws typically apply to specific industries and cover all businesses within those sectors, regardless of location. In contrast, state laws govern personal information of residents or activities occurring within that state.

Federal Privacy Laws

At the federal level, Congress has passed various laws to protect individuals’ personal information. Some of the most common laws that businesses encounter are set out below.

CAN-SPAM Act

This federal law regulates how businesses send commercial emails, such as marketing content. Businesses that send such communications must clearly identify themselves and explain how the recipient can opt out of receiving future communications. It violates the CAN-SPAM Act to send a commercial email to someone who has previously opted out of receiving them, or to fail to explicitly identify the message as an advertisement.

Children’s Online Privacy Protection Act (COPPA)

COPPA applies to operators of websites or online services targeted towards children younger than 13 years old or operators who know that they are collecting personal information online from a child under 13 years of age. This federal law is designed to give parents the ability to control what information can be collected from their children. It is also supplemented by the COPPA Rule published by the Federal Trade Commission. Key compliance obligations include:

  • having a COPPA-compliant privacy policy; and 
  • providing notice to parents requesting their consent before collecting information from their children.

Health Insurance Portability and Accountability Act (HIPAA)

For health organisations, or anyone working with health organisations, HIPAA is a key federal law to be aware of. The purpose of HIPAA is to protect patient health information while improving healthcare efficiency and portability of information. Under HIPAA, a health organisation must abide by the:

  • administrative; 
  • physical; and 
  • technical safeguards in the ‘Security Rule’ for electronic health information. 

Furthermore, health organisations engaging contractors with access to health information must enter into written agreements, known as ‘business associate agreements’. This is to ensure those contractors are subject to the obligations of HIPAA. In turn, contractors must also enter into business associate agreements with any subcontractors they need to work with.

Gramm-Leach-Bliley Act

For businesses in the financial services industry, the Gramm-Leach-Bliley Act requires them to respect the privacy of, and to protect the security and confidentiality of, their customers’ non-public personal information. In addition, financial services businesses must establish appropriate:

  • administrative;
  • technical; and 
  • physical safeguards to protect against the unauthorised access to or use of such information.

If you are a financial institution, financial advisor, broker, dealer, or the provider of insurance or investment products, then this federal law might apply to you.

Federal Trade Commission Act

The Federal Trade Commission (FTC) can take action against businesses that engage in unfair privacy and data security practices. This includes cases where a business misleads consumers by making false statements in its privacy policy or handles personal information in a way that is not clearly disclosed in its policy.

State Privacy Laws

While there may not be a single privacy framework across the United States, there have been rapid developments in privacy law at the state level ever since California implemented the California Consumer Privacy Act in 2018. Since then, nearly 20 states have followed suit, with more on the way. However, each state typically sets a threshold before its law applies. For example, California’s privacy law only applies to organisations that do business in California and that meet one of the following criteria:

  1. Have a gross annual revenue of over US$25 million;
  2. Buy, sell or share the personal information of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling California residents’ personal information.

State privacy laws typically give individuals the following rights:

  • the right to know what information is being collected, why it is being collected, and who it is being disclosed to;
  • the right to request that a business delete their information (except where information must be retained by law);
  • the right to opt out of having their information sold or shared;
  • the right to request correction of inaccurate information; and
  • the right to limit the use and disclosure of sensitive personal information (such as social security numbers, financial account information, geolocation data, or genetic data).

Key Takeaways

When considering privacy compliance, you should:

  • ensure that your privacy policy is a true and accurate reflection of your privacy and data security practices;
  • seek legal advice as to which federal and state privacy laws (if any) apply to your business; and
  • if you are a ‘business associate’ under HIPAA, enter into business associate agreements with your customers and your subcontractors.

If you would like to understand your privacy obligations in the United States, or require assistance in preparing your privacy compliance documents, call us today on 1300 544 755 or send us an enquiry.

Frequently Asked Questions

What is the main privacy law in the United States?

The U.S. does not have a single, unified privacy law. Instead, it relies on a mix of federal and state laws. Federal laws apply to specific industries, while state laws regulate personal data within their jurisdictions.

What does the CAN-SPAM Act require from businesses?

Businesses must clearly identify themselves in commercial emails, provide recipients with an opt-out option, and avoid sending messages to people who have unsubscribed.

Stephen Drysdale

Practice Leader

Stephen is a Practice Leader in LegalVision’s Corporate and Commercial team. He works closely with startups, SMEs and enterprise clients to provide commercially pragmatic advice and also assists them in complying with regulations that apply to their businesses. He is qualified and has a practising certificate in New Zealand, Australia and California.

Qualifications: Bachelor of Laws (Hons), University of Waikato.
