Complete Guide to US Data & Information Privacy Laws

By MatrixPoint

The United States has a vast range of federal privacy laws in place to keep up with the ever-growing privacy concerns across the country.

Modern-day consumers have become increasingly conscious of their rights – especially the right to privacy. This has resulted in the documentation and implementation of various laws that govern the right to consumer privacy.

Adding to their complexity, many businesses often violate these laws unknowingly.

For you to understand the different data privacy laws in the US, we’ve compiled a quick guide to explain the intricacies of each privacy law — and all you need to know to keep yourself and your business secure.

MatrixPoint can help your business with data privacy matters – from complying with changing regulations to avoiding hefty penalties in case of non-compliance, MatrixPoint can assist you in streamlining your business operations.


List of United States Data Protection Laws

Here’s a list of the main consumer privacy acts currently in force in the United States:

US Privacy Act

The US Privacy Act was introduced to balance the government’s need to maintain information on citizens against the people’s right to protect their data from intrusion.

The act restricts the disclosure of personally identifiable information maintained by the government, and grants people access to these records.

Citizens can also request amendments to their records if the records are inaccurate, irrelevant, or incomplete.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) provides data privacy provisions to keep patients’ medical information safe.

The act also protects health insurance coverage for people who change or lose their jobs. Group health plans cannot refuse to cover individuals who suffer from pre-existing conditions or set limits on lifetime coverage.

HIPAA directs the US Department of Health and Human Services to standardize the mechanisms for electronic data interchange used when processing or submitting insurance claims across the US.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a US federal law that ensures transparency in how financial institutions maintain and protect personal information.

The Privacy Rule, issued under GLBA, sets out additional privacy and security regulations that institutions must implement to meet the law’s requirements.

The Federal Trade Commission enforces GLBA on federal regulatory authorities, insurance oversight agencies, and national banking institutions.

Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transactions Act aims to strengthen safeguards against identity theft.

The act gives people unrestricted access to their credit reports. People can now request their credit reports from Equifax, TransUnion, and Experian once a year for free.

Mortgage lenders are now required to disclose the credit scores they use and how those scores factor into their mortgage decisions.

Federal Trade Commission Act

The Federal Trade Commission Act created the FTC and gave the government tools to tackle deceptive practices in the marketplace.

The act aims to encourage fair competition among businesses and protects consumers against fraud.

The FTC Act allows institutions accused of fraudulent practices to enter into a consent agreement with the FTC, in which they acknowledge the wrongdoing and agree to steer clear of any fraudulent practices in the future.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a response to growing concerns about the extent of sensitive data that tech companies collect and sell.

The CCPA incorporates the essentials of the data privacy requirements in the EU’s General Data Protection Regulation (GDPR).

The act requires businesses to respond to consumer requests about why their information is collected and whether it is sold or disclosed to third parties.

Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act safeguards the privacy of children under the age of 13. It requires websites to obtain parental consent before collecting or using a child’s information online.

The act was passed in response to an increase in online marketing campaigns targeting children, who were unaware of how their data was being used.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is designed to create secure wireless networks. It succeeds Wired Equivalent Privacy (WEP) and improves the handling of security keys and user authorization.

WPA uses the Temporal Key Integrity Protocol (TKIP), which changes the encryption key that systems use dynamically rather than relying on a single static key. This makes it very difficult for attackers to recover the network’s encryption key.

Safe Harbor

The Safe Harbor Privacy Principles are intended to prevent private businesses, within the European Union or the US, from accidentally disclosing personal information about customers.

Alaska Personal Information Protection Act

The Alaska Personal Information Protection Act establishes several requirements to protect personal information.

The act requires businesses to notify consumers in case of a data breach and allows customers to freeze their credit reports to protect their personal information.

Consumers can also restrict the use of their social security number and regulate the disposal of personal information records.

Ohio Data Protection Act

The Ohio Data Protection Act aims to protect businesses against threats and cyberattacks. The act addresses the consequences of a data breach for companies and consumers.

Unlike cybersecurity laws in other states, the Ohio Data Protection Act is voluntary. Businesses that opt in must comply with their own written cybersecurity program to protect personal data.

Massachusetts Data Privacy Law

The Massachusetts Data Privacy Law obliges companies to have dedicated staff running data security programs and to hold regular employee training on data security.

The law also requires companies to take the necessary precautions to ensure third-party data handlers can protect the consumer’s personal information.

The law protects the confidentiality of personal information, including social security numbers, driver’s license numbers, and other sensitive information that could be used to access financial accounts.

New York Privacy Act

The New York Privacy Act allows people to inquire about the data businesses collect on them and who it is shared with.

Consumers can now request companies to remove incorrect data – and even choose not to have their data shared with third parties.

Businesses are required to protect personal information against threats. The act also gives consumers the right to sue companies for privacy violations themselves, instead of leaving enforcement to the FTC.

Hawaii Consumer Privacy Protection Act

The Hawaii Consumer Privacy Protection Act covers both digital and paper records of personal information. All agencies that compile data on consumers must notify those consumers.

The act states that reasonable measures must be taken to safeguard against unauthorized access to personal information. The law also applies to the residents of Hawaii in other states.

Maryland Online Consumer Protection Act

The Maryland Online Consumer Protection Act builds on the CCPA: businesses must disclose all relevant information to consumers.

Companies must also disclose what information they pass on to third parties.

The act also protects children by prohibiting websites from intentionally releasing personal information collected on children.


How Information Privacy Laws in the US Could Apply To Your Business

HIPAA violations can result in fines of up to 1.5 million dollars and can also lead to criminal charges.

As US data privacy laws and the cybersecurity landscape change with each new law, the rising cost of penalties can weigh heavily on your business.

The legal jargon in these laws is often hard to understand and interpret as it applies to your business.

If your business is concerned about compliance with US data protection laws, schedule a consultation with MatrixPoint to learn more about our data privacy management solutions.
