
In 2025, nearly every click, swipe, or “accept cookies” pop-up adds another breadcrumb to our digital footprint. Our personal information—names, birthdays, addresses, photos, even the way we browse—can end up stored, shared, or sold in ways most of us never see. The question many Americans are asking is simple: What laws actually protect our data?
The short answer: The United States still doesn’t have a single, nationwide privacy law like Europe’s GDPR. Instead, Americans live under a patchwork of federal and state laws—some sector-specific, others state-specific—that together define how companies can use our personal information.
Let’s break it down.
Unlike the European Union, which enforces the sweeping General Data Protection Regulation (GDPR), the U.S. relies on a collection of privacy rules targeting certain industries or data types. This means your rights depend on who’s collecting the data, what kind it is, and where you live.
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of health information shared with doctors, hospitals, insurance providers, and similar entities. It gives patients the right to access, correct, and restrict use of their medical data. However, it doesn’t cover every health app or wearable device, only those connected to “covered entities” in the healthcare system.
The Gramm-Leach-Bliley Act (GLBA), a 1999 law, applies to financial institutions such as banks, mortgage lenders, and investment firms. GLBA requires companies to safeguard customer data, issue privacy notices, and give consumers the option to “opt out” of sharing certain information with third parties.
Designed to protect kids under 13, the Children’s Online Privacy Protection Act (COPPA) forces websites and apps to get parental consent before collecting a child’s personal information. It also gives parents the right to review or delete their child’s data and limits how long that data can be stored.
Additional laws, like the Fair Credit Reporting Act (FCRA) for credit data and the Electronic Communications Privacy Act (ECPA) for stored communications, fill other gaps. But none of these create a unified national privacy framework.
Since Congress has yet to pass a federal privacy law, individual states have taken matters into their own hands. Beginning with California in 2018, a wave of states has enacted comprehensive consumer data privacy laws—many modeled after (and sometimes tougher than) the CCPA.
The California Consumer Privacy Act (CCPA)—amended and strengthened by the California Privacy Rights Act (CPRA)—is still the most well-known privacy law in the U.S.
It gives residents rights to:
- Know what personal data a business collects and why
- Delete their personal information
- Opt out of the sale or sharing of data
- Correct inaccuracies
- Limit use of sensitive data (like geolocation or race)

California even created a dedicated agency, the California Privacy Protection Agency (CPPA), to enforce the law. A newer “Delete Act” now requires data brokers to remove information upon request and register publicly.
As of late 2025, at least 20 U.S. states have passed comprehensive privacy laws, many of which are already in effect. The list keeps growing each year.
| State | Law Name | Effective Date | Key Rights Granted |
|---|---|---|---|
| California | CCPA / CPRA | Jan 1 2023 (amended) | Access, delete, correct, opt-out, limit sensitive data |
| Virginia | VCDPA | Jan 1 2023 | Access, delete, correct, opt-out of sale/profiling |
| Colorado | CPA | July 1 2023 | Access, delete, correct, opt-out, data-impact assessments |
| Connecticut | CTDPA | July 1 2023 | Access, delete, correct, opt-out, recognition of browser “opt-out signals” |
| Utah | UCPA | Dec 31 2023 | Access, delete, opt-out (more limited scope) |
| Maryland | MODPA | Oct 1 2024 | Broad sensitive-data limits and children’s protections |
| Delaware | Delaware Personal Data Privacy Act | Jan 1 2025 | Access, delete, correct, opt-out |
| Iowa | ICDPA | Jan 1 2025 | Access, delete, opt-out (narrow business thresholds) |
| New Jersey | NJ Data Privacy Act | Jan 1 2025 | Access, delete, correct, opt-out |
| Nebraska | Nebraska Consumer Data Privacy Act | Jan 1 2025 | Access, delete, correct, opt-out |
| New Hampshire | NH Consumer Data Privacy Act | Jan 1 2025 | Access, delete, correct, opt-out |
| Minnesota | MCDPA | July 31 2025 | Adds limits on profiling and data-minimization duties |
(Source: IAPP State Privacy Legislation Tracker, October 2025)
Several more states—including Texas, Oregon, and Tennessee—have privacy laws set to take effect between 2026 and 2027.
While details vary, most of these new laws give consumers similar core rights:
- Access to the personal data a company holds
- Correction of inaccurate data
- Deletion of data collected
- Portability (to move your data elsewhere)
- Opt-out of data being sold, shared, or used for targeted advertising
- Transparency around how businesses use and protect your data

Businesses above certain revenue or data-processing thresholds must also:
- Minimize data collection to what’s necessary
- Conduct Data Protection Assessments for high-risk activities
- Secure personal data with reasonable safeguards
- Disclose data-collection practices clearly and promptly

In states like Connecticut and Colorado, web browsers can send “Global Privacy Control” (GPC) signals to automatically opt users out—one of the first steps toward a national standard.
Most state privacy laws are enforced by each state’s Attorney General, though California has its own dedicated privacy agency. Penalties can reach up to $7,500 per intentional violation, and enforcement actions have already begun against companies that fail to honor deletion or opt-out requests.
Consumers themselves generally can’t sue under these laws (except in limited data-breach cases), but regulators can issue large fines and require companies to fix their practices.
Several bipartisan proposals have been introduced in Congress, including versions of the American Data Privacy and Protection Act (ADPPA), but none have become law. Tech lobby groups and state-rights advocates disagree over how strict the rules should be and whether a federal law should override tougher state protections.
For now, companies must navigate a patchwork of compliance obligations—and consumers must learn which laws apply in their own states.
For the average person, these laws mean:
- More control over your personal data (especially if you live in a privacy-law state).
- Clearer privacy policies and the ability to request deletion or correction.
- Less freedom for companies to sell or share your data without notice.

Still, gaps remain. Many apps and services outside regulated sectors can still collect vast amounts of behavioral data—especially when users give blanket consent through “agree to all cookies” pop-ups.
1. Does the U.S. have a federal data privacy law like Europe’s GDPR?
Not yet. Federal laws cover specific industries, but there’s no single nationwide privacy framework.
2. Which state has the strongest privacy law?
California remains the most influential, but newer laws in Maryland and Minnesota impose strict limits on sensitive data and profiling.
3. Can I tell a company to delete my personal data?
Yes—if you live in a state with a comprehensive privacy law (like CA, CO, CT, VA, UT, etc.), you can usually request deletion directly from the company.
4. What about data brokers?
California’s Delete Act (effective 2024–2026) forces registered data brokers to remove personal data upon request, and several states are considering similar laws.
5. How can I protect my data right now?
Use privacy settings on browsers and apps, opt out of targeted ads, enable “Global Privacy Control,” and be selective about what personal information you share online.
As of 2025, Americans enjoy more privacy rights than ever before, but there’s still no single law covering everyone, everywhere. Instead, protection depends on where you live and how your data is used.
The takeaway: U.S. privacy law is evolving fast—with California leading, more states joining in, and Congress inching toward a national standard. Until then, being aware of your rights (and using them) is the best defense against misuse of your digital footprint.
Follow up: The State of the States’ Consumer Privacy Laws - Rita W Garry, Shareholder Robbins, Solomon & Patt





