Checklist: Understanding privacy laws in the US (USA)

Updated as of: 11 August 2025

Introduction

This checklist is designed to assist in-house counsel and private practitioners who are responsible for ensuring their organization’s compliance with US federal and state privacy laws. It provides an overview of the key considerations for ensuring compliance with the codified privacy laws and regulations applicable to businesses operating in the United States.

The checklist covers the following steps:

  1. Evaluate Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule compliance
  2. Evaluate HIPAA Security Rule compliance
  3. Evaluate Gramm-Leach-Bliley Act (GLBA) (1999) compliance
  4. Evaluate Federal Trade Commission (FTC) Red Flags Rule compliance
  5. Evaluate FTC Disposal Rule compliance
  6. Evaluate Children’s Online Privacy Protection Act (COPPA) compliance
  7. Evaluate state privacy law compliance

This checklist is presented as a list of requirements that can be checked off as they are addressed. At the end of each step, there are explanatory notes corresponding with each requirement in the checklist.

This checklist may be used in conjunction with How-to guides: How to determine and apply relevant US privacy laws to your organization and How to develop, implement and maintain a US information and data security compliance program.

Step 1 – Evaluate Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule compliance

No.   Requirement
1.1   Determine whether the HIPAA Privacy Rule applies
      (If the answer to 1.1 is ‘yes,’ proceed to 1.2; if the answer is ‘no,’ proceed to Step 2.)
1.2   Evaluate compliance with use, disclosure, and access rules
1.3   Review the notice of privacy practices for compliance
1.4   Evaluate compliance with administrative requirements
1.5   Schedule periodic re-evaluation

Step 2 – Evaluate HIPAA Security Rule compliance

No.   Requirement
2.1   Determine whether the HIPAA Security Rule applies
      (If the answer to 2.1 is ‘yes,’ proceed to 2.2; if the answer is ‘no,’ proceed to Step 3.)
2.2   Review and implement administrative safeguards
2.3   Review and implement physical safeguards
2.4   Review and implement technical safeguards
2.5   Evaluate compliance with organizational requirements
2.6   Implement policies and procedures and maintain documentation
2.7   Schedule periodic re-evaluation

Step 3 – Evaluate Gramm-Leach-Bliley Act (GLBA) compliance

No.   Requirement
3.1   Determine whether GLBA applies
      (If the answer to 3.1 is ‘yes,’ proceed to 3.2; if the answer is ‘no,’ proceed to Step 4.)
3.2   Evaluate applicability of, and compliance with, the GLBA Privacy Rule
3.3   Evaluate applicability of, and compliance with, the GLBA Safeguards Rule
3.4   Evaluate applicability of, and compliance with, the GLBA Pretexting Rule
3.5   Schedule periodic re-evaluation

Step 4 – Evaluate Federal Trade Commission (FTC) Red Flags Rule compliance

No.   Requirement
4.1   Determine whether the Red Flags Rule applies
      (If the answer to 4.1 is ‘yes,’ proceed to 4.2; if the answer is ‘no,’ proceed to Step 5.)
4.2   Periodically determine whether covered accounts are offered or maintained
4.3   Ensure the organization maintains an identity theft program that complies with the Red Flags Rule
4.4   Schedule periodic re-evaluation

Step 5 – Evaluate FTC Disposal Rule compliance

No.   Requirement
5.1   Determine whether the FTC Disposal Rule applies
      (If the answer to 5.1 is ‘yes,’ proceed to 5.2; if the answer is ‘no,’ proceed to Step 6.)
5.2   Ensure reasonable measures are taken to prevent unauthorized access to, or use of, consumer information during the disposal of information
5.3   Schedule periodic re-evaluation

Step 6 – Evaluate Children’s Online Privacy Protection Act (COPPA) compliance

No.   Requirement
6.1   Determine whether COPPA applies
      (If the answer to 6.1 is ‘yes,’ proceed to 6.2; if the answer is ‘no,’ proceed to Step 7.)
6.2   Ensure website or online service contains a COPPA-compliant privacy policy
6.3   Provide direct notice to, and obtain consent from, parents before collecting information
6.4   Ensure reasonable procedures are in place to protect children’s information
6.5   Schedule periodic re-evaluation

Step 7 – Evaluate state privacy law compliance

No.   Requirement
7.1   Determine applicability of, and compliance with, state privacy laws
7.2   Schedule periodic re-evaluation

Scope and use of checklist

US privacy law in its current state is a patchwork of laws, so not every privacy regulation will apply to every business. Thus, each step begins with determining whether the law being considered applies. If it does not, simply move on to the next step of the checklist.

Due to the nature of US privacy law regulations, the focus of this checklist is on federal laws with broadest applicability to businesses with US operations. Take care to determine whether other state or federal privacy laws are applicable based on your organization’s industry, product offerings, jurisdiction, or other factors.

Additionally, note that this checklist only covers codified privacy laws. Also consider the risk of common law privacy-related claims when developing a full-scope privacy compliance plan.

General notes

Legal framework

The current US privacy law environment comprises a patchwork of privacy and information security laws. Since much of the emphasis on privacy in the United States is on electronic privacy, both privacy and information security laws are relevant to privacy compliance by organizations in the United States.

At the federal level these laws are generally implemented through federal agency regulations and oversight. Multiple agencies may be responsible for making rules to implement a federal act. The privacy provisions of the GLBA (15 USC section 6801, et seq) are an example of this: implementing regulations have been issued by the Federal Trade Commission (FTC) (16 CFR Part 313) and the Consumer Financial Protection Bureau (Regulation P, 12 CFR Part 1016), and other agencies, such as the Department of Education, offer guidance on compliance with the rules for specific industries. Health information, financial information, and children’s information are subject to the most comprehensive privacy and security regulation at the federal level.

At the state level, California has been the most aggressive in developing privacy and information security laws, with other states beginning to follow suit. Privacy and data security laws are expected to continue to evolve at federal and state level.

Overview of key US privacy laws

The legal environment governing privacy in the United States is complex. The importance of independently researching and evaluating compliance based on an organization’s jurisdiction, industry, and other specifics cannot be overstated. However, some of the key privacy laws in the United States are listed below.

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (PL 104-191) and the privacy and security rules adopted under that Act (45 CFR Parts 160 and 164) govern the privacy and security of hard copy and electronic protected health information.
  • The Gramm-Leach-Bliley Act of 1999 (GLBA) (PL 106-102) governs financial institutions and provides privacy and security standards for the protection of non-public personal information.
  • The Children’s Online Privacy Protection Act of 1998 (COPPA) (15 USC sections 6501, et seq) imposes privacy requirements on websites and online services that collect the data of children under 13 years of age.
  • The Fair Credit Reporting Act (FCRA) (15 USC section 1681, et seq) regulates the collection, dissemination, and use of consumer credit information.
  • The Electronic Communications Privacy Act of 1986 (ECPA) (18 USC sections 2510–2523, the Wiretap Act, and 18 USC sections 2701–2712, the Stored Communications Act) protects wire, oral, and electronic communications while being made, in transit, and when stored.
  • The Family Educational Rights and Privacy Act (FERPA) (20 USC section 1232g) protects the privacy of student education records and grants specific rights to students and their parents.
  • The FTC’s Disposal Rule (16 CFR Part 682) requires that reasonable measures are taken in the disposal of consumer report information.
  • The FTC’s Red Flags Rule (16 CFR Part 681) requires financial institutions and creditors with covered accounts to create and implement a written identity theft prevention program.
  • State consumer privacy laws typically govern the collection and use of consumers’ personal information. For example, the California Consumer Privacy Act (CCPA) provides California residents with rights regarding their personal information and imposes obligations on businesses handling that data.

Importance of privacy compliance

Privacy compliance is vitally important for businesses that operate in the United States for a variety of reasons, including:

  • to avoid the civil and criminal penalties that may be imposed by government agencies;
  • to avoid civil liability from lawsuits brought by private litigants; and
  • to maintain a favorable public image.

Key considerations

Due to the patchwork of laws, different regulatory bodies, and the frequency with which laws are being updated, privacy compliance in the United States can be challenging. To avoid penalties or legal liability, check regularly for legal updates, and review and update privacy and data security programs as needed to ensure compliance.

Step 1 – Evaluate HIPAA Privacy Rule compliance

1.1 Determine whether the HIPAA Privacy Rule applies

1.1.1 Purpose of the HIPAA Privacy Rule

The HIPAA Privacy Rule, 45 CFR Part 160 and Part 164, Subparts A and E, sets national standards for the protection of individuals’ Protected Health Information (PHI). It was the first comprehensive federal regulation of health information privacy and remains the keystone regulation in this area. The Rule is designed to protect PHI from inappropriate, unauthorized use and disclosure, while permitting the sharing of information in defined circumstances to deliver health services, for example, between different medical providers.

1.1.2 Determine whether your organization is covered by the HIPAA Privacy Rule

The HIPAA Privacy Rule applies to ‘covered entities.’ These are defined as:

  • health plans;
  • health care clearinghouses; and
  • any health care providers that transmit health information in electronic form in connection with transactions for which the Secretary of the Department of Health and Human Services (HHS) has adopted standards under HIPAA.

Use the HHS’s Guide to HIPAA Covered Entities and Business Associates to determine whether an organization is a covered entity under HIPAA.

1.1.3 What information is covered by the HIPAA Privacy Rule?

The HIPAA Privacy Rule covers PHI. It defines PHI as individually identifiable health information (IIHI) held or transmitted by a covered entity or business associate in any form or medium, with a few exceptions (for example, education records covered by FERPA and employment records held by a covered entity in its role as employer). IIHI is information that:

  • is created or received by a health care provider, health plan, employer, or health care clearinghouse;
  • relates to an individual’s past, present, or future physical or mental health or condition, to the provision of health care to the individual, or to the past, present, or future payment for that health care; and
  • identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

See the definitions at 45 CFR section 160.103.

1.2 Evaluate compliance with use, disclosure, and access rules

It is important to evaluate compliance with the use, disclosure, and access rules. These rules are very detailed. The majority are found at 45 CFR sections 164.502–164.514 (uses and disclosures), 45 CFR section 164.522 (rights to request restrictions and confidential communications), and 45 CFR section 164.524 (the individual’s right of access).

For further guidance, consult the HHS’s Guide to Understanding Some of HIPAA’s Permitted Uses and Disclosures and see How-to guide: How to determine and apply relevant US privacy laws.

1.3 Review the notice of privacy practices for compliance

Subject to some exceptions, covered entities must provide individuals with notice regarding how they will use and disclose the individual’s PHI as well as informing the individual of their rights. See, 45 CFR section 164.520. The timing and form of notice depend on the type of covered entity and the situation.

The HIPAA Privacy Rule regulations, 45 CFR section 164.520(b), set out in detail what must be included in the notice. The regulations are subject to change and to reinterpretation, so covered entities and business associates must monitor continuously the regulations and HHS bulletins for updates to notice requirements to ensure compliance. Be aware of the following key requirements:

  • use this wording as the header, ‘THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY’;
  • provide a statement of the individual’s rights and how they may exercise them;
  • describe how the covered entity may or must use or disclose PHI, along with at least one example;
  • make a statement of the covered entity’s legal duties and privacy practices;
  • explain how complaints about privacy violations may be made to the covered entity and the Secretary of HHS;
  • provide contact information for requesting additional information about the notice; and
  • supply an effective date of the notice.

1.4 Evaluate compliance with administrative requirements

The HIPAA Privacy Rule requires covered entities to implement certain administrative requirements to help protect PHI. See 45 CFR section 164.530. HHS allows covered entities to use discretion in analyzing their specific needs and implementing appropriate measures to meet the administrative requirements.

Administrative requirements include the following:

  • privacy policies and procedures;
  • privacy personnel;
  • workforce training;
  • safeguards;
  • complaint process;
  • mitigation;
  • prohibition against retaliation for exercising privacy rights;
  • no waiver of rights as a condition of receiving treatment, care, or benefits; and
  • documentation of procedures and policies and retention of the records of the procedures and policies.

See further How-to guide: How to determine and apply relevant US privacy laws to your organization.

1.5 Schedule periodic re-evaluation

The health care privacy environment in the United States is dynamic and the financial cost of non-compliance is high. Organizations should evaluate compliance with the HIPAA Privacy Rule at least annually, and any time there are relevant legal or organizational changes.

Step 2 – Evaluate HIPAA Security Rule compliance

2.1 Determine whether the HIPAA Security Rule applies

The HIPAA Privacy Rule provides standards for the protection of PHI in any form; the HIPAA Security Rule, 45 CFR Part 160 and Part 164, Subparts A and C, provides national standards for the protection of individuals’ electronic PHI (ePHI). The Security Rule requires covered entities and business associates to implement and maintain administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI. See 45 CFR section 164.306(a).

2.1.1 Determine whether your organization is covered by the HIPAA Security Rule

Like the Privacy Rule, the HIPAA Security Rule applies to covered entities (see section 1.1.2 above). Since the 2013 Omnibus Rule it also applies directly to business associates. See 45 CFR section 164.302. The Centers for Medicare & Medicaid Services has a Covered Entity Decision Tool that can be used to determine whether an organization is a covered entity.

2.1.2 What information is protected under HIPAA Security Rule?

The Security Rule applies only to ePHI: PHI that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. PHI held only on paper or communicated orally is not subject to the Security Rule, although it remains subject to the Privacy Rule.

2.1.3 Difference between required and addressable safeguards

The Security Rule sets out standards for administrative, physical, and technical safeguards (see sections 2.2 – 2.4 below). Most standards are further broken down into ‘required’ and ‘addressable’ implementation specifications. Required specifications must be implemented as written. For an addressable specification, the entity must assess whether the specification is reasonable and appropriate in its environment; if it is, the entity must implement it; if it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. ‘Addressable’ therefore does not mean optional. See 45 CFR section 164.306(d).

2.2 Review and implement administrative safeguards

Key required administrative standards include the following:

  • security management processes;
  • assignment of security responsibility;
  • workforce security;
  • information access management;
  • security awareness and training;
  • security incident procedures;
  • contingency planning; and
  • evaluation to ensure requirements are met.

See 45 CFR section 164.308 for more details and for the addressable administrative safeguards.

2.3 Review and implement physical safeguards

Key required physical standards include:

  • controls over facility access;
  • workstation use policies and procedures;
  • physical workstation security measures; and
  • device and media controls.

See 45 CFR section 164.310 for more details and for the addressable physical safeguards.

2.4 Review and implement technical safeguards

Key required technical standards include:

  • access controls: technical policies and procedures that allow only authorized persons or software programs to access ePHI;
  • audit controls: mechanisms that record and examine activity in systems that contain or use ePHI;
  • integrity controls to protect ePHI from improper alteration or destruction;
  • person or entity authentication procedures for ePHI access; and
  • transmission security measures for ePHI transmitted over an electronic communications network.

See 45 CFR section 164.312 for more details and for the addressable technical safeguards.

2.5 Evaluate compliance with organizational requirements

Under the HIPAA Security Rule, relevant organizations must meet two organizational standards:

  • business associate requirements (for business associate contracts, business associate contracts with subcontractors, or other arrangements), to ensure that business associates and their subcontractors comply with the Security Rule; and
  • group health plan requirements (to include the manner of implementation of the administrative, technical, and physical safeguards that must be incorporated in group health plan documents).

‘Business associates’ are persons or entities, other than members of a covered entity’s workforce, that create, receive, maintain, or transmit PHI on behalf of a covered entity, or that provide certain services (such as legal, accounting, or data aggregation services) to a covered entity that involve PHI. A subcontractor that handles PHI on behalf of a business associate is itself a business associate. Use the HHS’s Business Associates Guidance to learn more.

Review each and, if applicable, comply with it. See 45 CFR section 164.314.

2.6 Implement policies and procedures and maintain documentation

Organizations must implement ‘reasonable and appropriate’ policies and procedures to comply with the standards and implementation specifications of the HIPAA Security Rule. These policies must be in writing; retained for six years from the later of their creation date or the date they were last in effect; made available to the workforce members responsible for implementing them; and reviewed and updated as needed in response to environmental or operational changes affecting the security of ePHI. See 45 CFR section 164.316.

2.7 Schedule periodic re-evaluation

Due to the health care privacy environment in the United States being dynamic and the financial cost of non-compliance being high, organizations should evaluate compliance with the HIPAA Security Rule at least annually, and any time there are relevant legal or organizational changes. The HHS website has a number of HIPAA News Releases & Bulletins, current through June 30, 2025. 

Please see the News Release and Bulletins page for more information on these and other HIPAA developments.

Step 3 – Evaluate Gramm-Leach-Bliley Act (GLBA) compliance

3.1 Determine whether GLBA applies

The GLBA and its implementing regulations generally apply to financial institutions and cover privacy and security standards for the protection of non-public personal information. See 15 USC section 6801 and 12 USC section 1843(k). It defines financial institutions broadly as institutions engaged in activities that are financial in nature or that are incidental to such financial activities. See 15 USC section 6809. This definition brings under the GLBA's scope businesses that may not traditionally have been considered financial institutions, such as some insurance providers.

3.2 Evaluate applicability of, and compliance with, the GLBA Privacy Rule

3.2.1 Privacy Rule generally

The GLBA Privacy Rule, 15 USC section 6802(a) and implementing regulations, apply to financial institutions that do or may possess non-public personal information (NPI). NPI is personally identifiable financial information ‘that a financial institution collects about an individual in connection with providing a financial product or service.’  See 15 USC section 6809(4). The Privacy Rule requires financial institutions to limit their use of NPI. They must also provide notice to their customers, and in some cases, to their consumers, regarding how they use NPI (see section 3.2.2 below). Under the GLBA Privacy Rule, a ‘consumer’ is defined broadly, and customers are a subset of consumers.

The GLBA Privacy Rule is implemented by multiple regulatory bodies that govern each different type of financial institution. The Consumer Financial Protection Bureau (CFPB)’s implementing regulations, 12 CFR section 1016.1, et seq, have the broadest reach. Thus, this checklist focuses on these CFPB regulations, which are also known as ‘Regulation P’. Institutions subject to a different regulator should check the applicable regulations.

3.2.2 Ensure compliance with Privacy Rule obligations

Key Privacy Rule obligations under the GLBA include the following:

  • privacy notices; and
  • opt-out notices.

For further information on these, see further How-to guide: How to determine and apply relevant US privacy laws to your organization.

Limits on reuse and redisclosure

The GLBA Privacy Rule greatly restricts reuse and redisclosure of NPI that is obtained from non-affiliated financial institutions (ie, a party not associated by means of corporate control or common ownership with the financial institution). See 15 USC section 6802(c). A number of factors, including whether the information was received under an exception, the purpose of the disclosure of the NPI, and the originating financial institution’s policies, impact whether and to what extent the NPI can be used and redisclosed. See 12 CFR section 1016.11.

Disclosure of account numbers prohibited

A financial institution must not disclose, directly or through an affiliate, an account number or similar access number or access code for a consumer’s credit card, deposit, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. The exceptions are narrow (for example, disclosure to a consumer reporting agency, or to a service provider acting solely to market the institution’s own products or services). See 12 CFR section 1016.12.

3.3 Evaluate applicability of, and compliance with, the GLBA Safeguards Rule

3.3.1 Safeguards Rule generally

The Safeguards Rule, 15 USC section 6801(b), and the regulations implementing it (for institutions under FTC jurisdiction, 16 CFR Part 314) require financial institutions to implement a written information security program. This program must contain administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to its security or integrity, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

The Safeguards Rule involves multiple regulatory bodies. The FTC has implemented regulations for the Safeguards Rule that apply to all financial institutions not subject to another regulator’s authority. This checklist focuses on the FTC’s enforcement of the Safeguards Rule. Institutions under the jurisdiction of a different regulator should check the applicable regulations.

3.3.2 Ensure compliance with Safeguards Rule obligations

Institution of appropriate program

Under the Safeguards Rule, a financial institution’s information security program must contain administrative, technical, and physical safeguards that are appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.

The Safeguards Rule’s general flexibility is tempered by certain minimum requirements for security programs. See 16 CFR section 314.4. Security programs must have certain elements. These are detailed in How-to guide: How to determine and apply relevant US privacy laws to your organization.

In October 2023, the FTC announced an amendment to the Safeguards Rule adding a breach notification requirement, giving businesses roughly six months to prepare before it took effect on May 13, 2024. The amendment requires covered financial institutions to notify the FTC of a ‘notification event’ (the unauthorized acquisition of unencrypted customer information involving at least 500 consumers) as soon as possible and no later than 30 days after discovery. See 16 CFR section 314.4(j). The Rule applies to ‘financial institutions,’ a term defined broadly to include, among others, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the SEC. This list is not exhaustive; the document FTC Safeguards Rule: What Your Business Needs to Know provides informal staff guidance to assist in determining whether the Rule applies to your business.

3.4 Evaluate applicability of, and compliance with, the GLBA Pretexting Rule

3.4.1 Pretexting Rule generally

The GLBA Pretexting Rule prohibits any person from using false pretenses to obtain a financial institution’s customer information. See 15 USC section 6821.

3.4.2 Ensure compliance with Pretexting Rule obligations

Financial institutions should ensure that there are appropriate policies requiring representatives from financial institutions to properly introduce themselves in communications with customers and consumers. Additionally, put security measures in place to prevent and detect pretexting. There are exceptions that allow financial institutions to use false pretenses to test their security systems. See 15 USC section 6821(d).

3.5 Schedule periodic re-evaluation

Schedule periodic re-evaluation of compliance with the GLBA to ensure compliance and avoid costly penalties or liabilities. This re-evaluation should occur at least annually.

Step 4 – Evaluate Federal Trade Commission (FTC) Red Flags Rule compliance

4.1 Determine whether the Red Flags Rule applies

The Red Flags Rule, 16 CFR Part 681, requires financial institutions and creditors with covered accounts (see section 4.2 below for a definition of what is a covered account) to create and implement a written identity theft prevention program (see section 4.3). Design this program to detect, prevent, and mitigate identity theft. The goal is to ensure covered entities have a system to identify the ‘red flags’ of identity theft.

See further How-to guide: How to determine and apply relevant US privacy laws to your organization for more information on who and what is covered.

A ‘red flag’ for the purposes of the rule is ‘a pattern, practice, or specific activity that indicates the possible existence of identity theft.’ See 16 CFR section 681.1(b)(9). For example, presenting identification that appears fake is a 'red flag'.

The first iteration of a Red Flags Rule was developed by the FTC in conjunction with other agencies. The FTC enforced the rule with respect to financial institutions and creditors.

The Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) were subsequently granted authority to develop rules for, and to enforce, Red Flags Rules for organizations under their jurisdiction. The Red Flags Rules enforced by each agency are substantially the same as the FTC Red Flags Rule and so are not separately discussed here. See, 17 CFR sections 162.30, 162.32, 248.201, and 248.202.

4.2 Periodically determine whether covered accounts are offered or maintained

Financial institutions and creditors must periodically determine whether they offer or maintain covered accounts. See 16 CFR section 681.1(c).

4.3 Ensure the organization maintains an identity theft program that complies with the Red Flags Rule

The FTC’s Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business is a comprehensive guide to developing a compliant Red Flags Rule program.

For further guidance on the required elements and administration requirements, see further How-to guide: How to determine and apply relevant US privacy laws to your organization.

4.4 Schedule periodic re-evaluation

To ensure compliance, schedule a regular re-evaluation of your organization’s Red Flags Rule identity theft protection program.

Step 5 – Evaluate FTC Disposal Rule compliance

5.1 Determine whether the FTC Disposal Rule applies

The FTC Disposal Rule, 16 CFR Part 682, requires covered organizations to take reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal.

The rule applies to any organization that maintains or possesses consumer information for a business purpose. See 16 CFR section 682.2. Consumer information is a record that constitutes a consumer report, is derived from a consumer report, or is a compilation of consumer report data. See 16 CFR section 682.1. For example, landlords who obtain credit reports as part of the applicant screening process must comply with the FTC Disposal Rule.

5.2 Ensure reasonable measures are taken to prevent unauthorized access to, or use of, consumer information during the disposal of such information

Those covered by the FTC Disposal Rule must take reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. See, 16 CFR section 682.3.

What will constitute the required reasonable measures is further detailed in How-to guide: How to determine and apply relevant US privacy laws to your organization.

5.3 Schedule periodic re-evaluation

As with all areas of privacy compliance, periodic re-evaluation of compliance with the FTC Disposal Rule is essential to ensure compliance and avoid costly penalties and legal liability. Re-evaluations should be conducted on at least an annual basis.

Step 6 – Evaluate Children’s Online Privacy Protection Act (COPPA) compliance

The FTC guide Children’s Online Privacy Protection Rule: A Six Step Compliance Plan for Your Business provides useful, detailed guidance to help ensure COPPA compliance.

6.1 Determine whether COPPA applies

COPPA, 15 USC section 6501, et seq, and the corresponding FTC COPPA regulations, 16 CFR sections 312.1, et seq, create a legal structure to guard children’s online privacy. The Rule gives parents control over the information that websites and online services can collect from their children.

COPPA applies to operators of commercial websites and online services (including games and mobile applications) that collect, use, or disclose personal information from their users if:

  • the website or online service is directed to children under 13 and the operator, or a third party on its behalf, collects personal information from children under 13;
  • the website or online service is directed to a general audience, but the operator has actual knowledge that it is collecting personal information from children under 13; or
  • the operator runs a third-party service, such as an ad network or plug-in, and has actual knowledge that it collects personal information directly from users of a website or online service directed to children. See the definitions of ‘operator’ and ‘website or online service directed to children’ at 16 CFR section 312.2.

‘Personal information’ under COPPA means ‘individually identifiable information about an individual collected online.’ More information on what this includes can be found in the How-to guide: How to determine and apply relevant US privacy laws to your organization.

The factors that the FTC considers in determining whether a website or online service is directed at children under 13 are detailed in How-to Guide: How to determine and apply relevant US privacy laws to your organization.

On January 11, 2024, the FTC published a notice of proposed rulemaking to amend the Children’s Online Privacy Protection Rule, consistent with the requirements of the Children’s Online Privacy Protection Act. The modifications are intended to respond to changes in technology and online practices and, where appropriate, to clarify and streamline the Rule. Public comments were accepted through March 11, 2024. The amended Rule took effect on June 23, 2025; regulated entities have until April 22, 2026 to comply with most provisions, with different timing for the provisions on safe harbor program reporting, notices, and self-regulatory guidelines. See the final Children’s Online Privacy Protection Rule.

6.2 Ensure website or online service contains a COPPA-compliant privacy policy

Websites and online services covered by COPPA must have a clear, easy-to-read privacy policy for those using the website or service and that includes notice of:

  • what information is collected from children under 13;
  • how the collected information is used;
  • disclosure policies for the collected information;
  • the names of all operators collecting or maintaining personal information from children under 13;
  • contact information for all such operators, or for one operator that has agreed to field COPPA inquiries for all connected operators;
  • the parents’ right to review the collected information and have it deleted, and to refuse additional collection of information from their child; and
  • how parents can exercise their parental rights.

See 15 USC section 6502 and 16 CFR section 312.4(d). The FTC advice is to display a prominent link to the organization’s privacy policy on the homepage and anywhere the organization collects information. The FTC warns that ‘[a] fineprint link at the bottom of the page or a link that isn’t distinguishable from other links on your site won’t do the trick.’ See FTC Guide: Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.

If an organization is not covered by COPPA, the current best practice is to include a line in the organization’s privacy policy indicating that the website or service is not directed at children under 13 and those under 13 are not permitted to use the site or service. For privacy and other reasons, many businesses go a step further and choose to apply these restrictions to all minors (ie, under 18).

6.3 Provide direct notice to, and obtain consent from, parents before collecting information

Covered operators must make ‘reasonable efforts, taking into account available technology’ to provide direct notice to parents before collecting personal information from any child under 13. An email to the parent may be an appropriate way to provide direct notice. The notice must include all of the following:

  • a statement that the parents’ contact information was obtained to get their consent to collect personal information from their child;
  • a statement that parental consent is required for the collection, use, and disclosure of the information;
  • the specific personal information being sought and how it may be disclosed to others;
  • a link to the online privacy policy;
  • how consent can be given; and
  • a statement that, if consent is not given within a reasonable time, the parents’ contact information will be deleted. See 16 CFR section 312.4(c).

Covered operators must also obtain verifiable parental consent before collecting personal information from children under 13. The Rule does not prescribe a single method; any method used must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Methods the Rule recognizes include verifying a parent’s government-issued photo ID (including FTC-approved approaches that match the ID against a photo of the parent using facial recognition technology) and having the parent call a toll-free telephone number staffed by trained personnel. The Rule does not define what training that personnel must have. See 16 CFR section 312.5(a)–(b).

6.4 Ensure reasonable procedures are in place to protect children’s information

In addition to all other requirements, organizations governed by COPPA must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. See 15 USC section 6502(b)(1)(D) and 16 CFR section 312.8.

6.5 Schedule periodic re-evaluation

Regular review of the organization's procedures for COPPA compliance, as well as of related notices, policies, and protocols, is recommended to ensure the organization remains in compliance. Such a review should be done at least annually.

Step 7 – Evaluate state privacy law compliance

7.1 Determine applicability of, and compliance with, state privacy laws

Many states have enacted privacy laws that may impose additional privacy obligations on organizations. When evaluating compliance with applicable state laws, it is important to determine the following:

  • to whom the law applies; and
  • what the key consumer rights are.

California’s privacy laws are the most robust to date. Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, among others, have each enacted their own comprehensive consumer privacy law, and further states have proposed consumer privacy legislation. The list of enacted laws changes frequently and should be re-checked at each periodic re-evaluation.

Although consumer privacy laws are typically the most robust state privacy laws, other state laws may impact privacy compliance. These include invasion of privacy laws, online privacy laws, computer crime laws, and genetic and biometric privacy laws.

7.1.1 State privacy law compliance example: California Consumer Privacy Act (CCPA)

The following example evaluates California’s consumer privacy law. You should undertake a similar approach to evaluate the state privacy laws in each state where your organization operates.

To whom the CCPA applies

The California Consumer Privacy Act (CCPA), Cal Civ Code 1798.100, et seq, applies to ‘for profit’ businesses that do business in California and that:

  • exceed $25 million in annual gross revenue (a threshold adjusted every odd-numbered year to reflect increases in the Consumer Price Index);
  • annually buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices; or
  • derive 50% or more of their annual revenue from selling the personal information of California residents.

A business that conducts business online with California residents is generally considered to be doing business in California. Given the large size of the California marketplace, the CCPA has broad coverage.

California voters also approved the California Privacy Rights Act (CPRA), also known as Proposition 24, in November 2020. It took effect in December 2020, but most of its provisions did not become operative until January 1, 2023. The CPRA amended the CCPA and expanded its privacy requirements; it is frequently compared to the European Union’s General Data Protection Regulation (GDPR).

Although the CPRA expanded the substantive requirements, its applicability thresholds are narrower than those of the original CCPA. As amended by the CPRA, the law applies to for-profit businesses that do business in California, collect consumers’ personal information, and:

  • exceeded $25 million in gross revenue in the preceding calendar year;
  • annually buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Although most of its provisions did not become operative until January 1, 2023, the CPRA applies to personal information collected on or after January 1, 2022, so data collected during 2022 must be handled in compliance with it.

Key consumer rights

The CCPA provides consumers with privacy rights and requires businesses to give consumers notice of those rights. The key rights under the CCPA are:

  • the right to request disclosure of what personal information is collected, how the information is used, and with whom the information is shared;
  • right to notice at or before the point of collection of what categories of personal information the business is collecting and the purpose of the collection;
  • the right to have personal information deleted in most situations;
  • the right to opt out of the sale of personal information by the covered business;
  • the right to not be discriminated against for exercising rights under the CCPA; and
  • the right to bring a private cause of action for certain data breaches of nonencrypted and nonredacted personal information that result from a business’s failure to implement reasonable security procedures (Cal Civ Code 1798.150).

The CPRA added further rights, including the right to correct inaccurate personal information, the right to opt out of the ‘sharing’ of personal information for cross-context behavioral advertising, and the right to limit the use and disclosure of sensitive personal information.

For further information regarding rights under the CCPA, see California Office of Attorney General: California Consumer Privacy Act (CCPA).

7.2 Schedule periodic re-evaluation

As with all US privacy compliance, periodic re-evaluation is essential to keep compliance current. Recurring review is particularly important for state privacy law, because an increasing number of states are enacting or amending privacy laws, and applicability thresholds and consumer rights differ from state to state.

Additional resources

HHS’s guide to HIPAA Covered Entities and Business Associates
HHS’s guide to Understanding Some of HIPAA’s Permitted Uses and Disclosures
Fighting Identity Theft with The Red Flags Rule: A How-To Guide For Business
Appendix A to 16 CFR Part 681: Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
FTC Guide: Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business
California Office of Attorney General: California Consumer Privacy Act (CCPA)

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Developing key privacy and data security contractual terms and provisions (B2C) 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 

Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.