World Watch/United States/Data & Privacy
Language:EnglishSpanishFrenchGermanPortugueseHindi

Data & Privacy · United States

Data & Privacy - United States

Sectoral rulesPatchwork of federal sector-specific laws (HIPAA, GLBA, COPPA, FERPA, FCRA) enforced by the FTC and sector regulators, plus 20+ state comprehensive privacy laws led by California's CCPA/CPRA. No omnibus federal law is in force as of May 2026.

The United States has no single comprehensive federal data-protection statute equivalent to the EU GDPR. At the federal level, protection derives from sector-specific statutes and FTC Section 5 unfair-practices authority. In the absence of federal action, at least 20 states have enacted comprehensive consumer privacy laws, with new ones (Indiana, Kentucky, Rhode Island) taking effect January 1, 2026. A new federal bill, the SECURE Data Act, was introduced in the House in April 2026 but remains in early legislative stages.

No federal omnibus law

Congress has not enacted a comprehensive national data privacy statute. The American Privacy Rights Act (APRA) expired at the end of the 118th Congress in January 2025 without passing. The US relies on a patchwork of sector-specific federal statutes rather than a unified GDPR-style regime.

source 1source 2
SECURE Data Act (proposed, 2026)

On April 22, 2026, House Republicans introduced the SECURE Data Act (H.R. 8413) in the 119th Congress — the first major federal omnibus privacy attempt since APRA. It would create a uniform national standard preempting state laws and be enforced by the FTC and state AGs, but does not include a private right of action. The bill is in early committee stages and is not yet law.

source 1source 2
Key federal sector-specific laws

Major sectoral statutes include: HIPAA (health data, enforced by HHS); GLBA (financial data, enforced by FTC/banking regulators); COPPA (children under 13, enforced by FTC — rules significantly updated effective June 23, 2025); FERPA (student records); and FCRA (consumer credit data). The FTC enforces against unfair or deceptive privacy practices under Section 5 of the FTC Act across all sectors.

source 1source 2
20+ state comprehensive privacy laws

At least 20 states have enacted comprehensive consumer privacy laws as of 2026. Indiana, Kentucky, and Rhode Island joined on January 1, 2026. California's CCPA/CPRA remains the most expansive, with 2025 amendments adding rules on automated decision-making, high-risk data processing, cybersecurity audits, and data-broker obligations.

source 1source 2
FTC as de facto lead regulator

The Federal Trade Commission is the primary federal privacy enforcement authority, acting under Section 5 of the FTC Act and sector statutes. As of 2025–2026, the Republican-majority FTC (Chairman Andrew Ferguson) has focused enforcement on children's privacy, sensitive data sales, data broker practices, and cybersecurity deficiencies. The Take It Down Act (effective May 19, 2026) also grants the FTC new authority over non-consensual intimate image sharing on platforms.

source 1source 2
State enforcement center stage in 2026

With no new state comprehensive laws enacted in 2025, state attorneys general and dedicated privacy agencies (notably the California Privacy Protection Agency) shifted focus to enforcement and refinement of existing laws. Nine states amended their existing privacy laws in 2025. State-level class actions and AG enforcement actions are expected to increase significantly through 2026.

source 1source 2

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice. English version →