7.1 The US Patchwork — No Federal Law
Module 7: Privacy Laws in the Americas
Explains why the United States has no comprehensive federal privacy law, maps the sectoral statutes that fill the gap, describes the FTC's enforcement role, and introduces the draft American Data Privacy and Protection Act (ADPPA).
If you have ever wondered why the United States has no single privacy law equivalent to Europe's GDPR, you are not alone. The answer lies in history, politics, and a deliberate preference for targeted, sector-by-sector rules — a patchwork that leaves significant gaps and confuses even specialists.
Why there is no federal baseline
Unlike the European Union, which adopted comprehensive data protection law at the regional level, the United States has traditionally regulated privacy through specific statutes tied to particular industries or harms. Congress has passed dozens of privacy-related laws since the 1970s, but no single measure governs the collection, use, and sharing of personal data across all sectors. Federal efforts at comprehensive legislation have repeatedly stalled, largely due to disagreements over whether states should be preempted (industry preference), whether individuals should have a private right of action (plaintiff bar preference), and what constitutional basis supports federal regulation.
The major sectoral statutes
HIPAA (Health Insurance Portability and Accountability Act, 1996) — Protects health information held by covered entities: healthcare providers, insurers, and their business associates. It does not cover fitness apps or direct-to-consumer genetic testing services.
FERPA (Family Educational Rights and Privacy Act, 1974) — Protects educational records maintained by schools receiving federal funding. Gives students (and parents of minors) rights of access and correction.
COPPA (Children's Online Privacy Protection Act, 1998) — Requires verifiable parental consent before collecting personal data from children under 13 online. Administered by the FTC.
FCRA (Fair Credit Reporting Act, 1970) — Governs consumer credit reports: accuracy, access, and dispute rights. Applies to credit reporting agencies and their users.
GLBA (Gramm-Leach-Bliley Act, 1999) — Requires financial institutions to explain data-sharing practices and allow customers to opt out of sharing with certain third parties.
ECPA (Electronic Communications Privacy Act, 1986) — Governs government access to electronic communications and stored data. Widely criticised as outdated for the cloud era.
The FTC as de-facto privacy enforcer
In the absence of a federal privacy law, the Federal Trade Commission (FTC) serves as the primary US privacy regulator. Its authority comes from Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The FTC uses this authority to bring enforcement actions when companies collect data in ways that contradict their own privacy policies or harm consumers — but it cannot create substantive rules requiring companies to protect data proactively.
The ADPPA: a federal law in waiting
The American Data Privacy and Protection Act (ADPPA), introduced in 2022, is the most significant federal privacy bill to reach committee markup in decades. It would create a national data minimisation standard, consumer rights to access/delete/correct data, algorithmic impact assessments for high-risk AI, and a limited private right of action. As of 2024 it has not passed, stalled in part over preemption of state laws — particularly California's — and the scope of private litigation rights.
Your takeaway
Understanding the US patchwork matters for anyone who works with American companies or data subjects. The absence of a federal baseline means your privacy rights vary enormously depending on who collected your data, in which state you live, and what sector is involved.