Is There a US Data Privacy Act? Understanding the State-by-State Patchwork
There is no single US federal data privacy law. Understand the patchwork of sector and state laws like HIPAA, CCPA and VCDPA, and the federal bills to watch.

If you have ever tried to find the single American law that governs how companies collect and use personal data, you have probably come up empty-handed. That is because there isn't one. Unlike the European Union with its GDPR, the United States has no comprehensive federal data privacy act. Instead, it has a patchwork of sector-specific federal rules and a fast-growing list of state laws — and that patchwork shapes how every marketer, analyst and product team handles data.
This article is the first in our series on US data privacy. Here we map the landscape: what exists at the federal level, what the states are doing, why the fragmentation is so challenging, and which federal proposals are worth watching.
Is there a federal data privacy act in the US?
The short answer is no. There is no single, overarching federal statute that tells every organisation how to collect and use personal data. What exists instead are industry-specific laws that regulate particular kinds of information.
Sector-specific federal laws
A handful of federal statutes carry most of the weight:
- Health data — HIPAA. The Health Insurance Portability and Accountability Act sets strict rules for how covered entities handle protected health information. If your campaigns touch hospitals, insurers or clinics, HIPAA shapes what can be tracked, stored and shared.
- Children's data — COPPA. The Children's Online Privacy Protection Act regulates how websites and online services collect data from children under 13, affecting consent flows, tracking and profiling of younger audiences.
- Financial data — GLBA. The Gramm-Leach-Bliley Act governs how financial institutions safeguard consumer financial information, with direct effects on data security, access controls and finance-based marketing.
These sit alongside separate data breach notification laws and data security laws at both federal and state levels. The result: two companies using similar analytics tools can face very different obligations depending on the type of data they handle.

State-level privacy laws
Where the federal government has not acted, the states have. Many now run their own frameworks that grant residents specific consumer rights and place duties on every data controller that handles their information.
A few of the laws to know:
- California — CCPA/CPRA. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives broad rights including access, deletion and the right to opt out of the sale or sharing of personal data — and requires a visible "Do Not Sell or Share My Personal Information" link.
- Virginia — VCDPA. The Virginia Consumer Data Protection Act sets out consumer rights and detailed controller obligations covering profiling, targeted advertising and sensitive categories like biometric or precise geolocation data, often requiring assessments for higher-risk processing.
- Colorado — CPA. The Colorado Privacy Act requires businesses to honour a universal opt-out mechanism for targeted advertising and data sales, meaning they must respect a browser-level signal rather than only their own banner.
This list is far from complete. Close to half of all US states have similar laws — including the Texas Data Privacy and Security Act and many others — and the number keeps rising. As of early 2026, around twenty states already have comprehensive privacy laws in force, with more set to take effect.
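The Colorado requirement above turns on something concrete: the site must read a browser-level signal and let it override its own banner. The following is an added example, not code from the original article or from any of the laws it cites, showing one way to honour such a signal server-side and record the decision for later audit. It assumes the signal is Global Privacy Control (GPC), which browsers send as the request header `Sec-GPC: 1` and expose to page scripts as `navigator.globalPrivacyControl`; the set of states, the sample requests and the helper names (`decideProcessing`, `auditRecord`) are constructed for illustration and are not legal advice.

```javascript
// Added example (not from the original article): honouring a browser-level
// opt-out signal and logging the decision. Assumes the signal is Global
// Privacy Control: request header "Sec-GPC: 1", or navigator.globalPrivacyControl
// in the browser. State set and sample requests are constructed placeholders.

// Constructed sample of states treated here as requiring a universal opt-out
// signal to be honoured. Maintain the real list from counsel-reviewed sources.
const UNIVERSAL_OPT_OUT_STATES = new Set(["CA", "CO"]);

// Read the Sec-GPC header case-insensitively. Only the exact value "1" is an
// opt-out; absent, "0" or anything else counts as "no signal".
function hasGpcSignal(headers = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side equivalent: pass window.navigator (or a test double).
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which processing is allowed for one request.
// opts.honourGpcEverywhere is a policy choice (not a legal requirement) to apply
// the signal in every state, i.e. the "consistent protections" approach.
function decideProcessing(request, opts = {}) {
  const { headers = {}, stateCode = null, accountOptOut = false } = request;
  const honourEverywhere = opts.honourGpcEverywhere === true;
  const state = stateCode ? String(stateCode).toUpperCase() : null;
  const gpc = hasGpcSignal(headers);

  let decision;
  if (accountOptOut) {
    // An opt-out stored on the user's account always wins.
    decision = { allowSaleOrShare: false, allowTargetedAds: false, reason: "account-opt-out" };
  } else if (gpc && ((state && UNIVERSAL_OPT_OUT_STATES.has(state)) || honourEverywhere)) {
    // Browser signal from a resident of a universal-opt-out state must be honoured.
    decision = { allowSaleOrShare: false, allowTargetedAds: false, reason: "gpc-signal" };
  } else {
    decision = { allowSaleOrShare: true, allowTargetedAds: true, reason: "no-opt-out" };
  }
  decision.gpcSeen = gpc;
  decision.state = state;
  return decision;
}

// Produce a JSON audit record so the decision can later be shown to a
// regulator or used to answer an access request.
function auditRecord(requestId, decision, now = new Date(0)) {
  return JSON.stringify({
    requestId,
    at: now.toISOString(),
    state: decision.state,
    gpcSeen: decision.gpcSeen,
    allowSaleOrShare: decision.allowSaleOrShare,
    allowTargetedAds: decision.allowTargetedAds,
    reason: decision.reason,
  });
}

// Constructed sample requests covering the cases that matter:
// valid signal in a covered state, valid signal elsewhere, a non-"1" value,
// and a stored account opt-out with no browser signal at all.
const SAMPLE_REQUESTS = [
  { id: "r1", headers: { "Sec-GPC": "1" }, stateCode: "co" },
  { id: "r2", headers: { "sec-gpc": "1" }, stateCode: "TX" },
  { id: "r3", headers: { "Sec-GPC": "0" }, stateCode: "CO" },
  { id: "r4", headers: {}, stateCode: "CO", accountOptOut: true },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(auditRecord(r.id, decideProcessing(r), new Date()));
}
```

The decision function deliberately treats a missing or malformed header as "no signal" rather than as consent: the stored account preference is checked first and wins regardless, so a user who opted out through settings is never re-targeted because a browser dropped the header.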

Data privacy risks and challenges for businesses
The biggest challenge in the US isn't one strict law. It's the many different ones. For a business operating across state lines, compliance means continuously tracking:
- How each state defines personal data
- Which consumer rights apply
- How to respect opt-outs from targeted advertising or data sales
One resident might see a universal opt-out link while another only gets a basic cookie banner. Privacy notices and consent flows vary by location: some states require clear "Do Not Sell My Personal Information" links, others focus on sensitive categories like health or location data. To keep up, organisations must know where data is stored, who can access it, and how to respond to a breach. Without that, it becomes hard to honour deletion requests or prove that information was handled responsibly.
The risk isn't only regulatory. When personally identifiable information is the most frequently targeted category in breaches, trust becomes a competitive factor. Companies that apply consistent privacy protections across all states — not just where required — are better positioned for long-term credibility and for whatever laws come next.

Watching pending federal proposals
Several attempts have been made to create a single national framework. The failed American Data Privacy and Protection Act, the American Privacy Rights Act, and the proposed DATA Privacy Act (H.R. 5807) are all examples. None passed — but a future bill may. Such proposals typically include provisions around consumer rights, limits on how much data can be collected, and stronger enforcement powers for the FTC or state attorneys general.
Any future federal law is likely to:
- Give individuals stronger privacy protections
- Set baseline rules for handling sensitive information
- Expect businesses to run regular data protection assessments and demonstrate robust security
By reviewing what these bills propose and weighing them against laws already passed at state and sector level, organisations can future-proof their systems now — and gain an edge.
Where to go from here
The practical takeaway is simple: stop waiting for federal clarity and start treating consistent, privacy-first data handling as your default. The next article in this series compares the two most influential frameworks data teams encounter — see CCPA vs GDPR: How US and EU Privacy Laws Compare for Analytics. And to turn principle into practice, read Privacy by Design: Data Minimisation and Future-Proofing Your Analytics.
Want help mapping your obligations across states? Talk to our team or explore more guides on our blog.