Data Privacy Rights for US Consumers

US consumers hold a fragmented but expanding set of legally enforceable rights over how businesses collect, store, share, and delete their personal information. These rights are defined by a combination of federal sector-specific statutes and state-level comprehensive privacy laws, creating a layered regulatory environment with no single unifying federal framework. This page maps the structure of those rights, the agencies and statutes that define them, how enforcement mechanisms operate, and the boundaries that determine which protections apply to a given consumer or data type.


Definition and scope

Data privacy rights for US consumers refer to the legally recognized entitlements of individuals to control the collection, processing, and disposition of their personal information held by private-sector and certain government-adjacent entities. These rights exist at two regulatory levels: federal sector-specific statutes and state comprehensive privacy laws.

At the federal level, no omnibus consumer data privacy statute exists as of the date this reference was compiled. Instead, sector-specific laws govern discrete data categories:

At the state level, at least 13 states had enacted comprehensive consumer privacy statutes as of 2024, with California's framework — the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — serving as the broadest and most frequently cited model (California Civil Code §1798.100).


How it works

Consumer data privacy rights are not self-executing. They operate through a defined sequence of mechanisms involving disclosure obligations, individual request rights, and enforcement channels.

1. Notice and disclosure
Covered businesses must provide clear, accessible privacy notices explaining what data is collected, the purposes for processing, and with whom data is shared. Under the CCPA/CPRA, notices must appear at or before the point of collection (California Civil Code §1798.100(b)).

2. Individual rights requests
Consumers may submit formal requests to exercise enumerated rights. The CCPA/CPRA framework includes:
- Right to know — what personal information has been collected and from which sources
- Right to delete — request erasure of personal information subject to statutory exceptions
- Right to correct — request correction of inaccurate personal data
- Right to opt out of sale or sharing — restrict transfer of personal information to third parties for cross-context behavioral advertising
- Right to limit use of sensitive personal information — restrict processing of data categories such as precise geolocation, biometric data, and health information
- Right to non-discrimination — prohibition on penalizing consumers for exercising privacy rights

Businesses subject to the CCPA/CPRA must respond to verified consumer requests within 45 calendar days, with a single 45-day extension permitted if notice is provided (California Civil Code §1798.130).

3. Enforcement pathways
Enforcement operates through two channels: regulatory action and, under limited circumstances, private right of action. The California Privacy Protection Agency (CPPA) holds rulemaking and enforcement authority under CPRA. The Federal Trade Commission (FTC) enforces federal privacy statutes and pursues unfair or deceptive data practices under Section 5 of the FTC Act (FTC Section 5 authority).


Common scenarios

The regulatory framing above translates into distinct operational situations that consumers and organizations encounter across sectors. Understanding these scenarios helps clarify which statute applies and what rights attach.

Healthcare data requests
A patient seeks access to records held by a hospital. HIPAA grants a right of access to PHI under 45 CFR §164.524, with covered entities required to provide access within 30 calendar days of a request (HHS HIPAA Right of Access). This right is distinct from, and narrower than, CCPA rights — HIPAA-covered entities are partially exempt from CCPA obligations for data processed under HIPAA.

California vs. Virginia framework comparison
The CCPA/CPRA and Virginia's Consumer Data Protection Act (CDPA, effective January 1, 2023) both recognize rights to access, delete, and opt out, but differ structurally. The CCPA/CPRA applies to for-profit businesses meeting revenue or data volume thresholds and includes a limited private right of action for data breaches. Virginia's CDPA applies to entities processing data on 100,000 or more Virginia consumers and provides no private right of action — enforcement rests exclusively with the Virginia Attorney General (Virginia CDPA, Va. Code §59.1-577).

Financial institution data opt-out
A consumer receiving a GLBA privacy notice from a bank may opt out of certain third-party data sharing under the Notice and Opt-Out provisions of 16 CFR Part 313. The opt-out right does not extend to sharing required by law or for processing the consumer's transaction.

Children's data removal
A parent requests deletion of a child's data from an online platform covered by COPPA. Operators are required to delete the data upon verified parental request under 16 CFR §312.6 (FTC COPPA Rule).


Decision boundaries

Determining which privacy rights apply requires resolving threshold questions about entity type, data type, consumer residency, and applicable statute.

Does a business qualify as a "covered business" under CCPA/CPRA?
Three threshold criteria apply independently (California Civil Code §1798.140(d)):
1. Annual gross revenue exceeding $25 million
2. Annual buying, selling, or sharing of personal information from 100,000 or more consumers or households
3. Deriving 50% or more of annual revenue from selling or sharing consumers' personal information

A business meeting any one criterion is covered. Nonprofit organizations and most government entities are excluded from CCPA/CPRA.

Which statute governs when multiple laws overlap?
Sector-specific federal statutes generally create safe harbors from state law obligations for the specific data they govern. HIPAA-covered data is partially exempted from CCPA/CPRA obligations. GLBA-regulated financial data is similarly carved out. However, data outside those specific categories held by the same entity may still fall under state law.

Does a right to delete override all retention?
Deletion rights are not absolute. Businesses may retain data subject to statutory exceptions, including completing a transaction, complying with a legal obligation, detecting security incidents, or exercising free speech. The CCPA/CPRA lists nine categories of exceptions to the deletion obligation (California Civil Code §1798.105(d)).

Does federal law preempt state privacy statutes?
Federal preemption of state privacy law is statute-specific. HIPAA preempts state laws that are less protective but preserves more protective state requirements. COPPA expressly preempts inconsistent state laws governing online data collection from children. No federal statute currently preempts comprehensive state consumer privacy laws.
