Online Privacy Fundamentals for US Consumers
Online privacy for US consumers spans a fragmented patchwork of federal statutes, sector-specific regulations, and state-level frameworks that collectively define what personal data can be collected, how it must be protected, and what rights individuals hold over it. This page maps the regulatory structure, operational mechanisms, and practical boundaries of consumer privacy as it functions across US digital services. Professionals navigating compliance, researchers assessing the regulatory landscape, and consumers seeking orientation in the service sector will find the structural classification and decision logic laid out here. For broader context on cybersecurity services and how this sector is organized, see the Cyber Safety Listings.
Definition and scope
Online privacy, in the US regulatory context, refers to the legal and technical frameworks that govern the collection, storage, processing, transfer, and disclosure of personally identifiable information (PII) generated through digital activity. The Federal Trade Commission (FTC) operationalizes this through its authority under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive practices — the primary enforcement instrument for consumer privacy at the federal level in the absence of a comprehensive federal privacy statute.
The scope of US consumer privacy law divides into three structural layers:
- Federal sector-specific statutes — The Health Insurance Portability and Accountability Act (HIPAA, 45 CFR §160–164) governs protected health information. The Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312) applies to operators collecting data from children under 13. The Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §6801 et seq.) covers financial institutions' handling of nonpublic personal information.
- State omnibus privacy laws — As of 2024, at least 13 US states have enacted comprehensive consumer privacy statutes, with California's CCPA/CPRA (California Civil Code §1798.100) serving as the most structurally influential model. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA) each impose distinct threshold criteria and consumer right enumeration.
- Sector-agnostic enforcement posture — The FTC's Privacy and Security enforcement program applies across sectors where no specific statute applies, using consent decree authority and civil penalty powers under cognate statutes.
The boundary between "privacy" and "security" is regulatory, not technical: privacy law governs data use and disclosure rights; security law (including breach notification requirements under 47 state statutes) governs data protection and incident response obligations.
How it works
Consumer privacy protection operates through five discrete phases across the data lifecycle:
- Notice and disclosure — Organizations must publish privacy notices specifying what categories of data are collected, for what purposes, and with which third parties they are shared. The FTC's Privacy and Security guidance establishes baseline expectations. Under CCPA/CPRA, this notice must appear at or before the point of data collection (CPPA rulemaking, 11 CCR §7012).
- Consent and opt-out mechanisms — COPPA requires verifiable parental consent before collecting data from children under 13 (FTC COPPA enforcement). CCPA/CPRA requires a conspicuous "Do Not Sell or Share My Personal Information" link. GLBA mandates opt-out rights for sharing nonpublic personal information with nonaffiliated third parties.
- Data minimization and purpose limitation — Emerging state statutes, led by the VCDPA (Virginia Code Ann. §59.1-578) and Colorado Privacy Act (C.R.S. §6-1-1308), require that data collection be limited to what is adequate, relevant, and reasonably necessary for disclosed purposes — a standard borrowed from the GDPR Article 5 architecture.
- Access, correction, and deletion rights — Consumers covered by CCPA/CPRA hold 8 enumerated rights, including the right to know, delete, correct, and opt out of automated decision-making. HIPAA grants patients access rights under 45 CFR §164.524.
- Enforcement and redress — The CPPA holds administrative enforcement authority with civil penalties up to $7,500 per intentional violation (California Civil Code §1798.155). The FTC can seek civil penalties up to $51,744 per COPPA violation per day (FTC civil penalty adjustments, 87 Fed. Reg. 2078).
Common scenarios
Three operational scenarios define where consumer privacy obligations most frequently arise in practice:
E-commerce and behavioral advertising — Retailers and ad-tech intermediaries that deploy tracking pixels, cookies, and cross-site identifiers are subject to CCPA/CPRA if they meet the revenue or data-volume thresholds ($25 million annual gross revenue, or data on 100,000 or more consumers). The FTC's 2022 Commercial Surveillance ANPR signals federal rulemaking interest in this space.
Health and wellness applications — Mobile health apps that fall outside HIPAA's covered entity definitions — because they are not healthcare providers, health plans, or clearinghouses — still face FTC Act enforcement and, in some cases, the FTC Health Breach Notification Rule (16 CFR Part 318). The FTC's 2023 enforcement action against GoodRx illustrates this boundary: the company was fined $1.5 million for sharing health data with advertisers (FTC press release, Feb. 2023).
Employment and HR data — Employee monitoring, background screening, and biometric data collection trigger overlapping obligations under the Fair Credit Reporting Act (FCRA, 15 U.S.C. §1681), state biometric privacy laws (Illinois BIPA, 740 ILCS 14/1), and sector-specific EEOC guidance. These obligations run parallel to — and are not subsumed by — the consumer-facing CCPA/CPRA framework, which excludes employment context from some but not all of its provisions. For guidance on how to navigate cybersecurity-adjacent services, the Cyber Safety Directory Purpose and Scope page provides structural orientation.
Decision boundaries
The principal decision point in applying US consumer privacy law is whether a given data processing activity falls within a specific statute's threshold criteria or within the FTC's residual enforcement perimeter.
Statutory applicability matrix:
| Criterion | COPPA | HIPAA | GLBA | CCPA/CPRA |
|---|---|---|---|---|
| Age trigger | Under 13 | None | None | None |
| Entity type | Operators of child-directed sites | Covered entities + BAs | Financial institutions | For-profit businesses meeting thresholds |
| Data type | Personal info from children | PHI | NPPI | Personal information (broad) |
| Opt-out right | No (consent required) | Limited | Yes (sharing) | Yes (sale/share) |
A second boundary separates privacy obligations from breach notification obligations. Breach notification is triggered by unauthorized access to specific categories of data, not by a failure of privacy practice. All 50 states maintain distinct breach notification statutes; the HIPAA Breach Notification Rule (45 CFR §164.400–414) governs healthcare specifically. These two legal tracks — privacy rights and breach response — operate concurrently but are administered through different enforcement bodies.
A third boundary distinguishes first-party data (collected directly by the operator from the consumer) from third-party data (obtained via data brokers, advertising networks, or data aggregators). State laws diverge on whether data broker obligations attach to first-party operators who license data outward or only to intermediary brokers. California's data broker registration requirement (AB 1202, Business and Professions Code §22757) creates a distinct registration and deletion-request infrastructure separate from the CCPA framework.
Professionals assessing multi-state compliance exposure should cross-reference the applicable state attorney general rulemaking registers and the IAPP US State Privacy Legislation Tracker. For context on how this site structures cybersecurity service categories, see How to Use This Cyber Safety Resource.
References
- Federal Trade Commission — Privacy and Security Enforcement
- FTC — Children's Online Privacy Protection Rule