There is no single US federal privacy law that covers most consumer data. Instead, Americans live under a patchwork: sector-specific federal rules for finance, health, and children's data; a growing set of state comprehensive laws; and Federal Trade Commission (FTC) authority that has, in practice, served as the de facto enforcement backbone.
This article maps the patchwork, explains the rights most readers already have, and points to where to file when a company appears to ignore them.
The federal floor
Several federal laws cover specific categories of data. HIPAA covers protected health information held by covered entities (health plans, most providers, clearinghouses) and their business associates. The Gramm-Leach-Bliley Act covers nonpublic personal information held by financial institutions. COPPA covers the online collection of personal information from children under 13. The FTC Act, through Section 5, gives the FTC authority over unfair or deceptive practices and is the legal basis for most privacy enforcement against companies that mishandle consumer data, including data that no sectoral law reaches.
Outside these categories, there is no comprehensive federal privacy law as of this writing. Congress has considered several proposals; none have become law.
State comprehensive laws
A growing number of states have passed comprehensive privacy laws. California's CCPA/CPRA was first; Virginia, Colorado, Connecticut, Utah, Texas, and others have followed with broadly similar frameworks. The details differ — thresholds, sensitive-data definitions, opt-out mechanisms — but the basic rights tend to converge.
If you live in a state with a comprehensive law, you generally have the right to access the personal data a business holds about you, request deletion, correct inaccurate data, opt out of certain sales or sharing, and limit the use of sensitive data.
Rights that apply in most states
Even readers in states without a comprehensive law typically have meaningful rights through sectoral laws and through company privacy policies, which are enforceable representations under FTC law. If a company's privacy policy promises something and the company does not deliver, that is a potential deceptive practice the FTC can act on.
Consumers in any state can also file complaints with the FTC, with their state attorney general, and with the CFPB for consumer financial products and data. The FTC does not resolve individual complaints; complaint records are reviewed in aggregate and inform investigations and enforcement priorities, so a detailed, dated complaint is still worth filing. State attorneys general and the CFPB are more likely to follow up on an individual matter.
Common rights and how to exercise them
Most state laws require companies to provide a 'Do Not Sell or Share My Personal Information' link or a comparable opt-out mechanism. Many companies now honor the Global Privacy Control (GPC) browser signal, which automates this opt-out across sites that support it: the browser or extension sends a Sec-GPC request header and exposes the same preference to page scripts as navigator.globalPrivacyControl. Regulations under California's law and Colorado's law require businesses to treat a recognized universal opt-out signal such as GPC as a valid opt-out request, so in those states a site that ignores the signal is not merely being unhelpful.
Data-access and deletion requests are usually made through a form linked from the privacy policy or a dedicated portal. Under most state laws a company has 45 days to respond and may extend that once, by up to another 45 days, if it tells you why within the first period. Keep records of your requests, including dates, the channel used, and any confirmation number, since the deadline and any later complaint are measured from the date you submitted.
- Access: ask what data is held about you
- Delete: request removal of data, subject to legal exceptions
- Correct: fix inaccurate personal data
- Opt out: of sale, sharing, or targeted advertising
- Limit: the use of sensitive categories of data
When rules conflict or do not apply
Data already regulated by a federal sectoral law is usually carved out of the state comprehensive laws rather than preempted by federal law. Most state laws exempt HIPAA-regulated health data and GLBA-regulated financial data (some exempt the whole covered entity, others only the regulated data), so your rights in that data come from the federal rule, not from your state's comprehensive law. HIPAA itself preempts only state law that is less protective, so a stricter state medical-privacy statute can still apply. Employer-held data and certain B2B contexts often have separate rules or are excluded entirely.
When in doubt, the privacy policy of the company you are dealing with is the document that names your rights for that specific data set; state laws require it to describe those rights and how to exercise them, and several (Virginia, Colorado, Connecticut, and Texas among them) also require the company to offer an appeal process when it denies a request. If the policy does not list rights you believe you have, or a denial is not appealable, contact the state attorney general's office in your state of residence.
