ClearBrief


Understanding Data Privacy Laws That Affect You

A plain-English overview of US data-privacy rules — federal, state, and sector-specific — and the rights that already apply to consumers in most states.

By Rachel Lindqvist. Fact-checked March 28, 2026.
A laptop screen showing privacy preference toggles with a smartphone in the foreground.


Contents (5 sections)
  1. The federal floor
  2. State comprehensive laws
  3. Rights that apply in most states
  4. Common rights and how to exercise them
  5. When rules conflict or do not apply

There is no single US federal privacy law that covers most consumer data. Instead, Americans live under a patchwork: sector-specific federal rules for finance, health, and children's data; a growing set of state comprehensive laws; and FTC authority that has, in practice, served as the de facto enforcement backbone.

This article maps the patchwork, explains the rights most readers already have, and points to where to file when a company appears to ignore them.

The federal floor

Several federal laws cover specific categories of data. HIPAA covers health information held by covered entities and their business associates. The Gramm-Leach-Bliley Act covers financial institutions. COPPA covers children under 13. The FTC Act, through Section 5, gives the FTC authority over unfair or deceptive practices and is the legal basis for most privacy enforcement against companies that mishandle consumer data.

Outside these categories, there is no comprehensive federal privacy law as of this writing. Congress has considered several proposals; none have become law.

State comprehensive laws

A growing number of states have passed comprehensive privacy laws. California's CCPA/CPRA was first; Virginia, Colorado, Connecticut, Utah, Texas, and others have followed with broadly similar frameworks. The details differ — thresholds, sensitive-data definitions, opt-out mechanisms — but the basic rights tend to converge.

If you live in a state with a comprehensive law, you generally have the right to access the personal data a business holds about you, request deletion, correct inaccurate data, opt out of certain sales or sharing, and limit the use of sensitive data.

Rights that apply in most states

Even readers in states without a comprehensive law typically have meaningful rights through sectoral laws and through company privacy policies, which are enforceable representations under FTC law. If a company's privacy policy promises something and the company does not deliver, that is a potential deceptive practice the FTC can act on.

Consumers in any state can also file complaints with the FTC, with their state attorney general, and with the CFPB for financial data. Complaint records are reviewed in aggregate and inform enforcement priorities.

Common rights and how to exercise them

Most state laws require companies to provide a 'Do Not Sell or Share My Personal Information' link or a comparable opt-out mechanism. Many companies now honor the Global Privacy Control browser signal, which automates this opt-out across sites that support it.

Data-access and deletion requests are usually made through a form in the privacy policy or a dedicated portal. Companies typically have 45 days to respond. Keep records of your requests, including dates.

  • Access: ask what data is held about you
  • Delete: request removal of data, subject to legal exceptions
  • Correct: fix inaccurate personal data
  • Opt out: of sale, sharing, or targeted advertising
  • Limit: the use of sensitive categories of data

When rules conflict or do not apply

Federal sectoral rules generally preempt state law for the data they cover. HIPAA-regulated health data, for example, is not governed by your state's comprehensive privacy law in the same way. Employer-held data and certain B2B contexts often have separate rules.

When in doubt, the privacy policy of the company you are dealing with is the document that names your rights for that specific data set. If it does not list rights you believe you have, contact the state attorney general's office in your state of residence.

| Framework | Scope | Enforcer |
| --- | --- | --- |
| FTC Act, Section 5 | Unfair/deceptive practices generally | FTC |
| HIPAA | Health data held by covered entities | HHS OCR |
| GLBA | Financial institutions | FTC, federal banking regulators |
| COPPA | Children under 13 | FTC, state AGs |
| State comprehensive laws | Most consumer data, state residents | State AGs (and CPPA in CA) |
Common US privacy frameworks

Frequently asked questions

Does my state have a privacy law?
Check your state attorney general's website. The list of states with comprehensive laws is changing roughly each legislative session.

What is the Global Privacy Control?
A browser signal that automatically conveys an opt-out preference. Several state laws require businesses to honor it.

How do I file a privacy complaint?
The FTC accepts complaints at reportfraud.ftc.gov. State attorneys general have their own complaint portals.

Are companies actually fined for violations?
Yes — the FTC and state AGs have brought numerous high-profile cases. Enforcement is uneven, but it is real.

Does this article cover GDPR?
No. GDPR is the EU framework. It can affect US-based companies that handle EU residents' data, but it is not US law.

How we researched this

We reviewed primary sources, official guidance, and reporting from established outlets. Where data shifts quickly, we date each claim. ClearBrief editors fact-check every article before publication.



This article is informational and not a substitute for professional advice. ClearBrief does not provide medical, legal, or financial services.