Introduction
This How-to guide is designed to outline a process that in-house counsel, private practice lawyers, and compliance professionals can follow to identify and apply US privacy laws to their organizations. This guide provides an overview of privacy considerations and a framework for analyzing and applying US privacy laws and best practices.
This guide covers the following sections:
- Overview
- Determine which federal privacy laws apply to your organization
- Determine which other laws and risks are applicable to your organization
- How to conduct a privacy gap analysis
- Key areas that every organization should address to ensure privacy compliance and risk reduction
This guide should be read in conjunction with How-to guide: How to develop, implement and maintain a US information and data security compliance program and Checklists: Completing a data privacy risk assessment and Understanding privacy laws in the US.
Section 1 – Overview
1.1 Patchwork of laws
There is no single source of privacy law in the United States. Privacy laws and practices stem from an array of sources including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, public pressure to apply enhanced protections for credit card information). US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.
Currently, most privacy regulation is at the federal level, although several states have comprehensive privacy laws. Privacy law is an increasing focus for state legislatures. At the time of preparation of this guide, many states have proposed legislation that could impact privacy obligations for businesses operating within the United States.
As US privacy law is a complex medley of state and federal statutes and regulations, organizations must determine which laws apply to them on a case-by-case basis. US privacy law is also in a period of flux, so it is important to regularly check for changes.
1.2 Primary enforcers of privacy laws
At the federal level, the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) carry the bulk of responsibility for enforcing federal privacy laws. The FTC’s Privacy and Security Business Guidance page provides useful guidance on how to comply with privacy laws under its authority. The HHS’s Health Information Privacy homepage provides useful guidance on complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additionally, the Department of Education enforces the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, giving parents and eligible students rights to access and request correction of records. The Consumer Financial Protection Bureau (CFPB) oversees compliance with the Fair Credit Reporting Act (FCRA), which regulates the collection and use of consumer credit information, ensuring accuracy and privacy for consumer data held by credit reporting agencies.
At the state level, each state attorney general usually enforces their state’s privacy laws. State enforcement is supplemented by private litigation, where permitted by state law.
1.3 Why privacy issues matter
Privacy concerns, especially those related to digital privacy, are an increasing focus of attention in the United States. Regulators, consumer watch groups, news publications, and even individuals are increasingly focused on privacy issues. Non-compliance with privacy laws and best practices can lead to fines from regulatory agencies, civil and criminal liability, as well as reputational damage. Businesses that handle personal data must adopt comprehensive privacy policies and regularly train employees on comprehensive data protection measures. Even if such measures and training are not legally required, they still are a part of any business's best practices for data protection. The continued evolution of technology, such as the widespread use of artificial intelligence (AI) and the increasing reach of the Internet of Things (IoT), further complicates the landscape, necessitating new proactive strategies to safeguard personal information. Moreover, consumers are increasingly demanding transparency and control over their personal data. This demand is driving legislative changes at both the state and federal levels.
Section 2 – Determine which federal privacy laws apply to your organization
At the federal level, the primary privacy laws tend to be sector specific. For example, HIPAA governs privacy in a health care context. However, privacy standards may also be woven into other laws and regulations. The following are some of the key federal privacy laws. They are not presented as an exhaustive list and organizations must research which federal laws apply to their organization.
For further information, please see Checklist: Understanding privacy laws in the US.
2.1 Health Insurance Portability and Accountability Act 1996
HIPAA (PL 104-191) and the privacy rules adopted under it (45 CFR Part 164) are enforced by the HHS and provide regulations for the privacy and security of personal health information.
HIPAA is an extensive law that applies to covered entities. Covered entities are health care providers, health plans, and health care clearinghouses. Examples of covered entities include doctors’ offices, health insurance plans, and health maintenance organizations (HMOs). Use the HHS’s Guide to HIPAA Covered Entities and Business Associates to determine whether an organization is a covered entity under HIPAA.
For further information on HIPAA, see the HHS’s HIPAA guidance for professionals.
2.1.1 HIPAA Privacy Rule
The HIPAA Privacy Rule, 45 CFR Parts 160 and 164 (Parts A and E), provides national standards for the protection of individuals’ Protected Health Information (PHI). It was the first US regulation of its kind. It remains a keystone regulation for the protection of health information privacy. The law’s framework is designed to protect PHI from unauthorized, inappropriate disclosure. It also ensures that information can be shared when needed to deliver health services (eg, between different medical providers). Covered entities are required to follow a detailed set of regulations governing the use, disclosure, access, notice, and other aspects of dealing with PHI.
PHI is defined as individually identifiable health information (IIHI), with a few exceptions. IIHI is information that:
- is created or received by a covered entity;
- relates to an individual’s health;
- relates to the provision of health care to an individual or payment for health care provided to the individual; and
- identifies the individual or can reasonably be used to identify the individual.
The Privacy Rule has the following key elements.
Disclosure of PHI
The Privacy Rule permits, but does not require, covered entities to use or disclose PHI in certain circumstances, including:
- in connection with a covered entity’s treatment of an individual, payment made for an individual’s treatment, or the entity’s health care operations; and
- in many emergency situations, if the individual has provided their informal agreement or acquiescence.
Covered entities must disclose PHI in certain circumstances:
- when an individual requests their own PHI; and
- when the Secretary of the HHS requests it in connection with their investigation and enforcement of HIPAA compliance.
The general rules regarding use and disclosure of PHI can be found at 45 CFR section 164.502(a)(1) and 45 CFR section 164.502(a)(2).
Covered entities are prohibited from:
- using or disclosing genetic information that meets the definition of PHI if the use or disclosure is for underwriting purposes; and
- selling PHI, subject to limited exceptions set out in 45 CFR section 164.508(a)(4).
See 45 CFR section 164.502(a)(5).
Individual right of access
As noted above, individuals have a right to access their own PHI. See 45 CFR section 164.524. The right includes being able to inspect or obtain copies of their PHI. The right of access extends to a personal representative of the individual who is legally authorized to act on the individual’s behalf for health care matters. See 45 CFR section 164.502(g)(1). The individual’s right of access continues for as long as the covered entity maintains the PHI, or another business does so on the covered entity’s behalf.
A covered entity may require the individual to put their access request in writing, including electronic writing (ie, an appropriate electronic records request). See 45 CFR section 164.524(b)(1). It is good practice for covered entities to require a written record of the request.
Minimum necessary
Covered entities must comply with the ‘minimum necessary rule’ when using or disclosing PHI as permitted under the HIPAA Privacy Rule. The minimum necessary rule requires covered entities to make reasonable efforts to ensure that the disclosure is the minimum necessary to make the permitted or required use or disclosure. See 45 CFR section 164.502(b).
Administrative requirements
The Privacy Rule requires covered entities to implement certain administrative requirements to help protect PHI. See 45 CFR section 164.530. Below is a list of the administrative requirements.
- Privacy policies and procedures – covered entities are required to develop and implement policies and procedures to ensure compliance with the HIPAA Privacy Rule. See 45 CFR section 164.530(i)(1). They must keep these policies and procedures up to date with current legal and regulatory privacy rules. See 45 CFR section 164.530(i)(2).
- Privacy personnel – covered entities must designate a privacy official to implement privacy policies and procedures, and a contact person or office who can provide additional information regarding an individual’s rights under the entity’s privacy policy. See 45 CFR section 164.530(a).
- Workforce training – covered entities must provide workforce training regarding PHI policies as necessary and appropriate and in accordance with the Privacy Rule’s timing requirements. See 45 CFR section 164.530(b). Appropriate sanctions must be taken against workforce members who do not comply with the entity’s privacy policies and procedures. See 45 CFR section 164.530(e). ‘Workforce’ is defined in the regulations as ‘employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.’ See 45 CFR section 160.103.
- Safeguards – covered entities are required to implement administrative, technical, and physical safeguards to protect PHI. See 45 CFR section 164.530(c). The safeguards standard under the Privacy Rule is flexible, allowing covered entities to fashion appropriate safeguards in light of their own business operations. The Security Rule, discussed below, provides more detailed, though still flexible, safeguard standards for PHI stored electronically.
- Complaint process – covered entities must establish a process for individuals to lodge complaints about the entity’s privacy practices and must document any complaints made and the disposition of those complaints, if any. See 45 CFR section 164.530(d).
- Mitigation – covered entities must make efforts to mitigate harmful impacts arising from a use or disclosure of PHI in violation of the entity’s policies and procedures or the Privacy Rule. See 45 CFR section 164.530(f).
- Retaliation and waiver – covered entities may not retaliate against individuals who exercise their privacy rights. See 45 CFR section 164.530(g). A covered entity may not require individuals to waive their privacy rights under HIPAA to receive medical treatment, enroll in a health plan, or be eligible for benefits. See 45 CFR section 164.530(h).
- Document and retain records – a covered entity must maintain records for the following for six years from the later of the date of creation or the date last in effect: privacy policies and procedures; privacy practices notices; disposition of privacy complaints; and documentation of other actions, activities, and designations that the Privacy Rule requires to be documented. For further guidance see 45 CFR section 164.530(j).
Changes to the Privacy Rule in 2024
The Notice of Proposed Rulemaking for the proposed HIPAA Privacy Rule changes was published in the Federal Register on January 21, 2021. Healthcare industry stakeholders were invited to submit comments on the 357-page proposal, with the deadline for submitting comments set as March 22, 2021. The proposed HIPAA Privacy Rule changes are extensive and may potentially impact many organizations that interact with the healthcare system. Because of the extent of the proposed HIPAA changes and their potential impact, the deadline for submitting comments was extended to May 6, 2021. The HHS Office for Civil Rights (OCR) has yet to provide a date for when the Final Rule will be issued, but per an update issued on June 27, 2025 in the HIPAA Journal it is likely to result in HIPAA changes in 2024, although the changes may not become enforceable until 2026 or later.
The proposed changes to the HIPAA Privacy Rule are as follows:
- allowing patients to inspect PHI in person and take notes or photographs of their PHI;
- changing the maximum time to provide access to PHI from 30 days to 15 days;
- restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an electronic health record (EHR);
- confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual;
- stating when individuals should be provided with ePHI without charge;
- requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy;
- expanding the Armed Forces’ permission to use or disclose PHI to all uniformed services;
- adding a definition for EHRs;
- changing the wording to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is ‘seriously and reasonably foreseeable’ (currently it is when harm is ‘serious and imminent’);
- creating a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities;
- no longer requiring covered entities to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices;
- requiring HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures;
- requiring HIPAA-covered entities to provide individualized estimates of the fees for providing an individual with a copy of their own PHI;
- broadening the definition of healthcare operations to cover care coordination and case management;
- requiring covered healthcare providers and health plans to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access;
- permitting covered entities to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual; and
- adding a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
HIPAA developments may be monitored via the HIPAA News Releases & Bulletins webpage.
2.1.2 HIPAA Security Rule
The HIPAA Security Rule, 45 CFR Parts 160 and 164 (Parts A and C), provides national standards for the protection of individuals’ electronic PHI (ePHI). The HIPAA Security Rule has regulations designed to ensure that covered entities implement and maintain appropriate safeguards to protect the privacy of electronic PHI.
The Security Rule sets out the required standards for administrative, physical, and technical safeguards. Each standard is further broken down into ‘required’ and ‘addressable’ safeguards. Required safeguards must be included. Addressable safeguards are standards that should be considered in light of the particular covered entity, and if they are reasonable and appropriate for the entity, they must be implemented.
Safeguards
Key required administrative standards include the following:
- security management processes;
- assignment of security responsibility;
- workforce security;
- information access management;
- security awareness and training;
- security incident procedures;
- contingency planning; and
- evaluation to ensure requirements are met.
Key required physical standards include the following:
- controls over facility access;
- workstation use policies and procedures; and
- physical workstation security measures.
Key required technical standards include the following:
- technical policies and procedures to control ePHI access;
- technical audit controls; and
- authentication procedures for ePHI access.
See 45 CFR section 164.308, 45 CFR section 164.310 and 45 CFR section 164.312 for more details and for addressable administrative, physical, and technical safeguards.
In addition, there are two organizational standards under the HIPAA Security Rule:
- the Business Associate Contracts and Other Arrangements standard requires a covered entity to have contracts or other arrangements to protect ePHI with business associates that will have access to the covered entity’s ePHI. See 45 CFR section 164.308(b); and
- the Requirements for Group Health Plans standard requires a group health plan to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan. See 45 CFR section 164.314(b).
Policies, procedures, and documentation
Organizations must implement reasonable and appropriate policies and procedures for the use and disclosure of ePHI that comply with applicable HIPAA Security Rule standards. These policies must be written, retained for six years (from the later of the date of creation or the date last in effect), made available to those who must implement them, and updated regularly. See 45 CFR section 164.316.
2.2 Gramm-Leach-Bliley Act 1999
The Gramm-Leach-Bliley Act of 1999 (GLBA) establishes privacy and security standards for the protection of non-public personal information that must be followed by the financial institutions covered by the Act. The term ‘financial institutions’ has a broad definition that extends the reach of the GLBA beyond traditional banks. Any company that is significantly engaged in providing financial products or services is covered. The FTC’s guidance mentions loans, financial or investment advice, and insurance as examples of such financial services and products.
The GLBA is enforced by multiple federal agencies including the FTC, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Consumer Financial Protection Bureau (CFPB).
2.2.1 GLBA Privacy Rule
The GLBA Privacy Rule, 15 USC section 6802(a), governs the use of non-public information (NPI) by financial institutions. It incorporates use restrictions as well as notice requirements.
NPI is personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service. See 15 USC section 6809(4). The Privacy Rule requires financial institutions to limit their use of NPI. They must also provide notice to their customers, and in some cases, to their consumers, regarding how they use NPI. Under the Rule, consumer is defined broadly, and customers are a subset of consumers.
The Privacy Rule is implemented by multiple regulatory bodies that govern the financial institution. The Consumer Financial Protection Bureau (CFPB)’s implementing regulations, 12 CFR section 1016.1, et seq, have the broadest reach, so this guide focuses on these regulations. Institutions subject to a different regulator should check the applicable regulations.
Obligations
Key Privacy Rule obligations under the GLBA include those listed below.
- Privacy notices – financial institutions must give their customers, and certain consumers, notice of their privacy policies. The timing and content of the notices depend on the recipient and what the institution does with the NPI at issue. Financial institutions are prohibited from disclosing NPI unless they have provided the required privacy notices. See 15 USC section 6802(a); 12 CFR section 1016.4 – 1016.5.
- Opt-out notices – subject to certain exceptions explained below, financial institutions may not disclose a consumer’s NPI unless they first:
- provide the required initial privacy notices;
- provide the consumer the opportunity to opt out of the disclosure; and
- explain to the consumer how they can exercise their opt-out authority.
See 15 USC section 6802(b); 12 CFR section 1016.10. Opt-out notices must provide adequate notice of the ability to opt out, as well as reasonable means to opt out. See 12 CFR section 1016.7.
The key exceptions to notice and opt-out requirements are found in 12 CFR sections 1016.13 – 1016.15. Generally, the opt-out requirements do not apply where an institution provides NPI to a non-affiliated third party to perform services for, or functions on the behalf of, the institution, so long as the institution meets the obligations under 12 CFR sections 1016.13(a)(i)-(ii).
Limits on reuse and redisclosure
The Privacy Rule greatly restricts the reuse and redisclosure of NPI that is obtained from non-affiliated financial institutions (ie, a party not associated by means of corporate control or common ownership with the financial institution). See 15 USC section 6802(c). A number of factors, including whether the information was received under an exception, the purpose of the disclosure of the NPI, and the originating financial institution’s policies, impact whether and to what extent the NPI can be reused and redisclosed. See 12 CFR section 1016.11.
2.2.2 GLBA Safeguards Rule
The GLBA Safeguards Rule, 15 USC section 6801, and the regulations implementing it, require financial institutions to implement a written information security program. This program should have administrative, technical, and physical safeguards to ensure the confidentiality of customer information, protection against security threats, and prevention of unauthorized access to customer information.
The administrative, technical, and physical safeguards must be appropriate given the institution’s size and activities, and the sensitivity of the customer information at issue.
The general flexibility of the Safeguards Rule is tempered by certain minimum requirements for security programs. See 16 CFR section 314.4. The Rule requires an organization to:
- designate a qualified person to oversee and implement the program;
- require the qualified person to report, at least annually, to the board or governing body regarding the information security program;
- base its security program on a written risk assessment;
- include safeguards that target the risks uncovered in the risk assessment;
- incorporate regular testing and monitoring to ensure each safeguard’s effectiveness to detect actual and attempted attacks and intrusions into information systems;
- have policies and procedures for personnel;
- oversee service providers;
- be evaluated and adjusted in response to testing and monitoring, business changes, and any other material impacts on the program;
- have a written incident response plan; and
- require the designated qualified person to report regularly to the organization’s board of directors.
See 16 CFR section 314.4.
Financial institutions with fewer than 5,000 customers are exempt from certain requirements. In particular, they are not required to conduct a written risk assessment, prepare written annual reports for governing bodies, or engage in certain monitoring and assessment activities.
The FTC announced revised provisions related to reporting data breaches and security incidents under the Safeguards Rule last year, but gave businesses six months to get ready for the changes that took effect on Monday, May 13, 2024. The amendment to the Rule requires covered companies to report certain data breaches and other security events by ‘financial institutions’, defined broadly to include '13 different kinds of businesses – mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren't required to register with the SEC'. This list, however, is not exhaustive and the document FTC Safeguards Rule: What Your Business Needs to Know provides informal staff guidance to assist in determining if the Rule applies to your organization.
2.2.3 GLBA Pretexting Rule
The GLBA Pretexting Rule, 15 USC section 6821, prohibits any person from using false pretenses, or a ‘pretext,’ to obtain a financial institution’s customer information.
Financial institutions should ensure appropriate policies are in place that require financial institution representatives to properly introduce themselves in communications with customers and consumers. Additionally, they should put in place security measures to prevent and detect pretexting. There are exceptions that allow financial institutions to use false pretenses to test their own security systems. See 15 USC section 6821(d).
2.3 Federal Trade Commission Red Flags Rule
The FTC Red Flags Rule, 16 CFR Part 681, requires financial institutions and creditors with covered accounts within the FTC’s enforcement authority to create and implement a written identity theft prevention program to identify ‘red flags’ of identity theft. Parallel Red Flags Rules exist for organizations that are within the SEC and CFTC’s enforcement authority.
The Rule defines a financial institution as a bank, savings and loan association, federal credit union, or a person that holds a consumer transaction account. A creditor is defined by their conduct. An organization is a creditor if it regularly extends, renews, or continues credit; or regularly arranges for the extension, renewal, or continuation of credit; or is an assignee of an original creditor who participates in the decision to extend, renew, or continue credit. See 15 USC section 1681a; 15 USC section 1681m(e)(4)(A).
The Rule defines a covered account as:
- an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
- any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft, including financial, operational, compliance, reputation, or litigation risks. See 16 CFR section 681.1(b)(3).
A ‘red flag’ for the purposes of the Rule is ‘a pattern, practice, or specific activity that indicates the possible existence of identity theft.’ See 16 CFR section 681.1(b)(9). For example, presenting identification that appears fake is a ‘red flag’.
Identity theft program that complies with the Red Flags Rule
The required identity theft program must be in writing and include policies and procedures designed to:
- identify potential red flags for the organization’s covered accounts;
- detect red flags;
- prevent and mitigate identity theft through appropriate responses to red flags; and
- regularly update the program to adapt to risk changes.
Administration of the program must include the following:
- board or board committee approval;
- board or senior level employee involvement in program administration;
- staff training; and
- oversight of third-party provider arrangements.
See 16 CFR section 681.1(e).
2.4 FTC Disposal Rule
The FTC Disposal Rule, 16 CFR Part 682, applies to any organization that maintains or possesses consumer information for a business purpose. See 16 CFR section 682.2. Consumer information is a record that constitutes a consumer report, is derived from a consumer report, or is a compilation of consumer report data. See 16 CFR section 682.1. For example, landlords who obtain credit reports as part of the applicant screening process must comply with the FTC Disposal Rule.
Those covered by the FTC Disposal Rule must take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. See 16 CFR section 682.3.
What will constitute the required reasonable measures is determined on a case-by-case basis; however, the Rule provides some specific examples. See 16 CFR section 682.3(b). Examples of reasonable measures include:
- policies and procedures requiring the physical destruction of documents;
- policies and procedures requiring the erasure of electronic media in a manner so that the information cannot practicably be read or reconstructed; and
- after conducting due diligence, entering into a contract with a third party for the disposal of records.
2.5 Children’s Online Privacy Protection Act 1998 (COPPA)
The COPPA, 15 USC section 6501, et seq, and corresponding FTC regulations, 16 CFR sections 312.1 et seq, put protections in place to guard children’s online privacy and ensure that parents have control over what information websites can collect from their children.
COPPA applies to operators of commercial websites and online services (including games and digital applications) that collect or maintain information about their users if:
- the website or online service is directed at children under the age of 13 and the operator, or a third party on its behalf, collects personal information from children under 13; or
- the website or online service is directed at a general audience, but the operator has actual knowledge that personal information is collected from children under 13; or
- the operator has actual knowledge that it collects personal information from children under 13 through its use of an ad network, plug-in, or other third-party service.
See 16 CFR section 312.2.
‘Personal information’ under COPPA means ‘individually identifiable information about an individual collected online,’ and specifically includes the following:
- a first and last name;
- a home or other physical address including street name and name of a city or town;
- online contact information;
- a screen or username where it functions in the same manner as online contact information;
- a telephone number;
- a Social Security number or other government-issued identifier;
- a persistent identifier that can be used to recognize a user over time and across different websites or online services. Such persistent identifiers include a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- a photograph, video, or audio file where such file contains a child’s image or voice;
- geolocation information sufficient to identify the name of a street, city or town;
- a biometric identifier such as fingerprints, handprints, retina patterns, iris patterns, genetic data, voiceprints, gait patterns, facial templates, or faceprints; or
- information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier listed above.
The FTC considers multiple factors in determining whether a website or online service is directed at children under 13, including:
- its subject matter, visual content, use of animated characters or child-oriented activities and incentives;
- music or other audio content;
- age of models, presence of child celebrities or celebrities who appeal to children;
- language or other characteristics of the website or online service; and
- whether advertising, promotions, or appearances on the website or online service are directed at children.
The FTC will also consider competent and reliable empirical evidence regarding audience composition, and will also consider evidence regarding the intended audience. See 16 CFR section 312.2.
In early 2024, the FTC proposed amending the Children's Online Privacy Protection Rule, intending to respond to changes in technology and online practices and, where appropriate, to clarify and streamline the Rule. The amended rule went into effect June 23, 2025, though regulated entities have until April 22, 2026, to comply with most provisions of the amended rule, other than those regarding safe harbor reporting, notices, and self-regulatory guidelines. See the final Children's Online Privacy Protection Rule.
2.6 Fair Credit Reporting Act (FCRA)
The Fair Credit Reporting Act (FCRA) protects information typically contained in a consumer report by prohibiting access by those that do not have a purpose specified in the Act. The Act applies to information collected by consumer reporting agencies such as credit bureaus, medical information companies, and tenant screening services. Companies that provide information to consumer reporting agencies also have specific legal obligations under the FCRA, including a duty to investigate disputed information. Further, in the event any adverse credit, insurance, or employment action is taken based upon information contained in these types of reports, the users of the information must notify the consumer of the negative action.
The FCRA was amended and bolstered by provisions added by the Fair and Accurate Credit Transactions Act (FACTA) in 2003, 15 USC section 1681 et seq. Some of these provisions help defend consumers against identity theft by allowing consumers to take measures such as placing alerts on their credit histories, and granting consumers the right to one free credit report a year from credit reporting agencies. For businesses and financial institutions, it established regulations on how personal financial information should be treated to prevent fraudulent use of consumer credit.
The Dodd-Frank Act transferred most credit-related privacy rulemaking and one ongoing study requirement under this Act to the Consumer Financial Protection Bureau, although the FTC retains responsibility for two other data security rules (relating to ‘red flags’ and ‘disposal’), as well as for all rulemaking under the Act with regard to certain motor vehicle dealers. The Consumer Financial Protection Bureau is able to provide guidance to businesses to help them stay in compliance with the FCRA.
2.7 Family Educational Rights and Privacy Act
Enacted in 1974, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA applies to any public or private elementary, secondary, or post-secondary school, and to any state or local education agency that receives funds under an applicable program of the US Department of Education. In addition to giving students and parents more control over educational records, FERPA prohibits educational institutions from disclosing personally identifiable information contained in education records without the written consent of the eligible student’s parents (or the student if they have attained the age of 18 or if they attend a school beyond the high school level).
Under FERPA, parents or eligible students have the right to take the following actions:
- inspect and review the student’s education records maintained by the school. Schools do not have to provide copies of records unless it is impossible for parents or eligible students to review the original records (eg, they live far away).
- request that a school correct records they believe to be inaccurate or misleading. If the school decides not to change the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to change the record, the parent or eligible student has the right to place a statement with the record that explains his or her view about the contested information.
- stop the release of personally identifiable information.
- get a copy of the institution’s policy concerning access to educational records.
Schools need written permission from the parent or eligible student to release any information from a student’s education record. Schools that do not comply with FERPA risk losing federal funding. 20 USC sections 1232g(a) and (b).
FERPA does allow schools to disclose some information from a student’s education record, without consent, under certain conditions, such as to school officials with a legitimate educational interest, or to comply with a judicial order or lawfully issued subpoena. 34 CFR section 99.31.
Section 3 – Determine which other laws and risks are applicable to your organization
Several states currently have comprehensive privacy laws, and that number is likely to change as many states are actively considering proposed privacy legislation, with a focus on consumer privacy laws. Due to these changes, it is important for organizations to stay up to date about changes in applicable state laws.
It is also important for organizations to review state privacy laws in their home state as well as every state in which they do business, as state privacy laws often apply to businesses that target their state’s residents or have a certain level of global revenue.
3.1 State privacy law overview
To date, the states with the most developed privacy law frameworks are California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia. Other states continue to propose new privacy legislation and further develop their own privacy law frameworks. It is important for organizations to consider state laws in all states where they operate, and determine which privacy laws apply. A good resource for keeping up to date with the evolving state privacy landscape is the International Association of Privacy Professionals US State Privacy Legislation Tracker.
3.1.1 Types of state privacy laws
Although each state’s legal environment is different, sources of codified privacy laws at the state level may include the following:
- invasion of privacy laws;
- consumer privacy laws;
- online privacy protection laws;
- computer crime laws;
- preservation of personal privacy laws;
- genetic and biometric privacy laws; and
- data breach notification laws.
3.2 Additional privacy laws
In addition to the laws mentioned above, organizations should determine whether there are any other sources of codified privacy obligations. Two common sources of additional obligations are industry-specific regulations and international privacy laws.
3.2.1 Industry-specific privacy laws
Industry-specific privacy laws incorporated into other laws may also apply to an organization as a whole or through individuals within an organization. For example, accountants and attorneys have professional and ethical obligations that make them subject to heightened privacy and confidentiality requirements.
3.2.2 International privacy laws
US organizations that conduct business activities outside of the United States must be mindful of the privacy laws of other countries. The General Data Protection Regulation (GDPR), the EU’s comprehensive data protection law, is a notable example of a transnational law that applies to many US-based businesses that process personal data relating to individuals in the EU.
3.3 Other privacy concerns
In addition to codified privacy laws, be aware of other sources of privacy risks. For more detailed guidance on evaluating privacy risk, see Checklist: Completing a data privacy risk assessment.
3.3.1 Common law claims
Consider possible common law tort claims, such as invasion of privacy, when developing a privacy compliance program.
3.3.2 Contractual privacy agreements
Organizations may have a contractual, as well as a legal, obligation to implement privacy measures. All contractual agreements should be reviewed carefully, as contractual obligations could be more onerous than the obligations imposed by federal and state laws.
3.3.3 Public relations
There is an increasing public demand for enhanced protection and transparency in the use of private information by organizations. Public relations may provide another justification for going beyond basic compliance with US privacy laws.
Section 4 – How to conduct a privacy gap analysis
A gap analysis is a mechanism for determining where there are gaps in an organization’s privacy compliance framework. Once identified, modifications can be made to close the gaps and reduce the risk of privacy-related issues.
4.1 Evaluate organization’s current privacy environment
Evaluation of an organization’s privacy environment involves a detailed look at what information the organization collects, how the data moves through the organization, and the measures taken to protect that data. Put differently, your organization is looking to get a full picture of how it currently manages data. The following are some key considerations for conducting this review, but they are not an exhaustive list. For further information, review Checklist: Completing a data privacy risk assessment.
4.1.1 Types and sources of data collected by organization
Inventory the types and sources of data collected by your organization. For the purposes of a privacy compliance gap analysis, focus on sensitive information.
In this guide, sensitive information refers to information that should be subjected to a heightened degree of safeguarding from unauthorized access due to its private, confidential, legally protected, or proprietary nature.
At the outset, determine what sensitive information is collected and who the subject of that data is. Identify the sources of the data collected.
Commonly collected sensitive data includes the following:
- health information;
- financial information;
- personally identifying information;
- Social Security numbers; and
- biometric information.
Common persons or organizations whose data is collected include the following:
- customers;
- employees;
- business partners; and
- third parties, such as prospective customers or employees.
Common sources of data include the following:
- websites;
- social media;
- online forms;
- digital applications;
- technological monitoring;
- information databases;
- lists (purchased and developed); and
- public records.
4.1.2 Data life cycle
Map the life cycle of sensitive data from the time it comes into the organization to its destruction. To adequately protect sensitive data, an organization must know how it moves through the organization and when it is at the greatest risk.
For further guidance, see Checklist: Completing a data privacy risk assessment.
4.1.3 Privacy notices, policies, and procedures in place
Identify and review current privacy notices, policies, and procedures. Determine when these documents were last updated. Assess whether personnel are aware of these documents and how to use them.
4.1.4 Information security measures in place
Evaluate what information security measures are currently in place to protect private information, and ensure you have considered any administrative, technical, and physical protections.
For more information, see Checklist: Completing a data privacy risk assessment.
4.1.5 Personnel tasked with privacy compliance
Identify the organizational personnel responsible for privacy compliance. For each person identified, include their role in the organization, their privacy-related responsibilities, which policies and procedures they must follow, and their managerial status.
4.2 Compare current environment against laws and best practices
4.2.1 Identify gaps in organization’s current environment and governing laws and best practices
Compare the organization’s privacy environment against the requirements of governing laws to identify gaps.
The analysis must address the specific requirements of applicable laws. For example, if an organization is subject to the HIPAA Privacy Rule, review each requirement of that rule against the organization’s policies, procedures, and training. A general assessment that the organization has ‘some’ policies or procedures related to HIPAA in place is insufficient to avoid privacy compliance issues.
Compare the organization’s environment against any other privacy concerns to identify any risks that are not guarded against in the current environment.
4.2.2 Develop a list of changes required for risk reduction
For each compliance and risk gap, identify what changes are required to bring the organization into compliance or reduce the risk.
After developing a list of changes, rank them according to priority. Changes that are required to bring the organization into legal compliance should be prioritized over best practices designed to reduce risk.
For each change, identify how it will be implemented, who will be responsible for implementation, as well as the timeline for implementation.
Section 5 – Key areas that every organization should address to ensure privacy compliance and risk reduction
Privacy compliance and risk reduction is very organization-specific. However, the following are key areas of privacy compliance common to most effective privacy programs.
5.1 Accountability
Today, it is rare that accountability for US privacy compliance is vested in one individual or even one department. Instead, in most cases it is shared among multiple departments, with each department and individual’s responsibilities clearly set out.
5.2 Policies, procedures, and notices
5.2.1 External
A legally compliant privacy program typically requires the following external policies and procedures.
Privacy policy
Privacy policies set out an organization’s standards for the management of information such as how the organization collects, uses, and stores data as well as the rights of the individuals whose data is collected. Such policies may be in hard copy or electronic format, depending on compliance requirements and organizational goals. Some organizations may be required to have multiple privacy policies, for example, a website privacy policy as well as a HIPAA privacy policy. Make these policies publicly available, for example, by publishing them on the organization’s website.
Required notices
Notice requirements are standard in privacy regulations. For example, pursuant to the GLBA privacy provisions, a financial institution must provide notice of its privacy policies and practices to new customers. The institution must then continue to provide them on an annual basis. See 16 CFR sections 313.4 and 313.5. Organizations may need to provide notice of certain privacy policies or rights in relation to the protection of an individual’s information.
5.2.2 Internal
A legally compliant privacy program typically requires internal policies and procedures that address the following:
- data security;
- data access;
- data usage and disclosure;
- privacy incident reporting;
- data retention; and
- data destruction.
5.3 Contract provisions
5.3.1 Compliance agreement provisions
Certain privacy laws, most notably HIPAA, as well as the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), require certain contract provisions to be included when an organization contracts with a third party. The required provisions include an agreement that the third party will not sell the private or confidential information that is disclosed to it as part of the transaction.
For further information, see How-to guide: How to manage third party supply chain data privacy, security risks, and liability.
5.3.2 Confidentiality provisions
In contracts under which sensitive data will be shared, include confidentiality provisions that require the person or entity with whom the organization is contracting to comply with the organization’s privacy requirements.
5.4 Privacy training
Include privacy training for all personnel in your organization’s privacy program. Tailor the training to the type of organization, the level of personnel, and the personnel’s function.
For further information, see Checklist: Privacy and data security law training.
5.5 Program review and revision
The US privacy landscape is evolving, and change, particularly at the state level, is constant. For this reason, it is essential for organizations to regularly review and revise their privacy programs to remain in compliance.
It is also important to assign responsibility to one or more persons for regularly tracking legal changes related to privacy. When assigning such responsibility, be as specific as possible. For example, one arm of an organization’s legal department can track changes to HIPAA, while another can track changes related to consumer data collection online. Alternatively, a privacy team can be responsible for tracking all privacy-related changes.
Additional Resources
HHS’s HIPAA guidance for professionals
FTC GLBA Business Guidance
SEC GLBA Model Privacy Form Guidance
CFTC GLBA Guidance
CFPB GLBA Privacy Notices Guidance
Related Lexology Pro Content
How-to guides:
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement, and maintain a US privacy law compliance program
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers