
Is there a US Data Privacy Act?


Data is everywhere. So are the rules that guard it.

Businesses in the US are caught between growing consumer expectations, new data privacy laws and concerns about potential fines. Yet there is still no single federal data privacy act that lays out exactly how an organisation must handle personal or sensitive data.

An infographic showing the US's lack of a data privacy act.

Instead, they must comply with a mix of state rules, sector laws and guidance from different regulators, all while their teams need reliable data to make decisions. It’s confusing, and waiting for clarity can feel risky.

This article will explain the current US landscape, highlight key risks and opportunities for marketers and data analysts and show practical steps they can take now to prepare.

Is there a federal Data Privacy Act in the US?

The short answer is: no. There isn’t a single, comprehensive federal “Data Privacy Act” in the United States that governs how every organisation collects and uses personal data. In its place is a patchwork of sector- and state-based laws.

While this may seem appealing to those who favour less regulation, it makes it harder for marketers and analysts to do their job. They have to learn how different rules overlap, where they conflict and how they apply to their analytics tools, as well as maintain compliance with any laws in countries or regions where they do business internationally.

Sector-specific federal laws

At the federal level, the United States regulates personal data through industry- and use-specific statutes. A few of the most important examples are:

  • Health data: The Health Insurance Portability and Accountability Act (HIPAA) sets strict rules for how covered entities handle protected health information. If campaigns touch hospitals, insurers or clinics, marketing teams need to understand how HIPAA shapes what can be tracked, stored and shared.
  • Children’s data: The Children’s Online Privacy Protection Act (COPPA) regulates how websites and online services collect personal data from children under 13. It affects consent flows, tracking and the type of profiling they can run on younger audiences.
  • Financial data: The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions safeguard consumer financial information. It has a direct impact on data security practices, internal access controls and some types of marketing based on financial history.

These sector rules sit alongside separate data breach notification laws and data security laws at the federal and state levels. As a result, two companies can face very different obligations depending on the type of consumer personal data they handle, even if they use similar analytics tools.

State-level privacy laws

Many states have started to build their own frameworks to protect their residents’ data. These data privacy laws give residents specific consumer rights and place duties on each data controller that controls or processes their personal data.

A few of the key laws to know:

  • California: The California Consumer Privacy Act (CCPA), as updated by the California Privacy Rights Act, gives broad consumer rights such as access, deletion and the right to opt out of the sale or sharing of personal data, requiring a visible “Do Not Sell or Share My Personal Information” link. It also covers rules for de-identified data, which affects how businesses anonymise identifiers used for analytics and measurement.
  • Virginia: The Virginia Consumer Data Protection Act (VCDPA) sets out consumer rights and detailed controller obligations. It covers profiling, targeted advertising and sensitive categories like biometric data or precise geolocation data. Its rules often require businesses to perform protection assessments for higher-risk processing.
  • Colorado: The Colorado Privacy Act (CPA) requires businesses to honour a universal opt-out mechanism for targeted advertising and the sale of personal data. That means they must respect a browser-level signal, instead of just their own consent banner.

This list is far from complete, as close to half of all US states have similar laws, including the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act and the Oregon Consumer Privacy Act.

An infographic showing some examples of sector- and state-level data privacy laws in the US.

Sector-level laws (e.g., HIPAA, COPPA and GLBA) and state-level laws (e.g., CCPA, VCDPA and CPA) exist, but there is not yet a single overarching federal law.

Together, these state-level privacy regulations form a moving target. Each one defines personal data slightly differently and draws its own line between categories like pseudonymous and de-identified.

For many teams that rely on analytics, tracking a visitor’s state is a necessity for compliance.

Data privacy risks and challenges for businesses

The biggest challenge in the United States isn’t one strict law. It’s the many different ones.

For businesses operating across state lines, compliance means tracking:

  • How each state defines personal data
  • Which consumer rights apply
  • How to respect opt-outs from targeted advertising or consumer data sales

One resident might see a universal opt-out link, while another only has a basic cookie banner. If an organisation can’t prove that it followed these laws, an attorney general can open an investigation after a complaint or a breach.

Privacy notices and consent flows also vary by location.

Some states require clear “Do Not Sell My Personal Information” links. Others focus on how to handle sensitive categories, such as health or location data.

Organisations must know:

  • Where data is stored
  • Who has access to it
  • How to respond in the event of a data breach

Without this, it becomes hard to honour deletion requests, manage de-identified data correctly or prove that they handled information responsibly.

The risk isn’t just regulatory. It impacts brand trust and reputation.

When the most frequently targeted data category is personally identifiable information, trust becomes a competitive factor. Organisations that apply consistent privacy protections across all states, not just when required, are often better positioned for long-term credibility (and future laws).

Preparing now with privacy by design

No one can control when or how a federal data privacy act will finally pass, but organisations can control how ready they are when it does. Privacy by design is the philosophy that teams build respect for personal information into every system from day one, instead of waiting for a new law or, worse, a data breach.

Watching pending federal proposals

Several proposals have tried to create a single national framework for personal data. The failed American Data Privacy and Protection Act and the American Privacy Rights Act serve as two examples.

They include provisions around consumer rights, limits on the amount of collectable data and stronger enforcement powers for the Attorney General’s office or the Federal Trade Commission.

Any future bill will likely differ in its details, but it is likely to:

  • Give data subjects stronger privacy protections
  • Set baseline rules for how a data controller uses sensitive information
  • Expect businesses to run regular data protection assessments and show their data security practices are robust

By reviewing the protections granted in these bills and weighing them with those already passed in existing state- and sector-level legislation, organisations can future-proof their systems now and gain a competitive edge.

Moving closer to GDPR-style frameworks

US organisations pivoting to a more privacy-friendly stance should also study the European Union’s GDPR. Many of them already follow it because they serve EU or EEA data subjects.

It has requirements pertaining to:

  • Purpose limitation
  • Clear legal bases
  • Strict data breach notification requirements
  • Careful handling of de-identified data

It also pushes organisations to document how they have controlled or processed the personal data of individuals.

A future US consumer data privacy act is unlikely to copy GDPR word-for-word, but it might borrow many of the same themes, particularly around data minimisation and combining multiple data sources.

Building privacy by design into analytics

The best strategy for companies is to prepare their analytics infrastructure now as if a unified federal law were already in place. That means they should:

  • Collect only the personal data truly needed for measurement
  • Separate sensitive categories (such as consumer health data) wherever possible
  • Define clear internal rules for data retention, access and deletion
  • Choose analytics tools that honour consent choices and opt-outs by region
  • Keep an inventory of where data is stored for quick request and incident response

Building privacy by design into your analytics infrastructure can be done by following the steps listed above.

These best practices turn privacy by design into something concrete. Teams still get the insight they need, but they do so within a framework that respects data subjects, aligns with emerging data security laws and reduces the risk of painful changes later when a national data privacy law finally lands.
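The checklist above asks for tools that honour consent choices and opt-outs by region, and the Colorado section notes that a browser-level signal must be respected rather than only the site's own banner. The following consent gate is an added example written for this article, not Matomo's code: it decides whether page analytics may run for a visitor, treats a browser-level opt-out signal (modelled on `navigator.globalPrivacyControl`, which browsers set when they send the Global Privacy Control header) as an opt-out, and records every decision so the team can later show why tracking ran or did not. The region labels and the policy table are assumptions for the example, not a statement of what any particular statute requires.

```javascript
// Added example, not Matomo code: a consent gate for page analytics that honours
// a browser-level opt-out signal and the consent rules of the visitor's region,
// and keeps an audit trail of each decision.
// Region labels and the policy table below are assumptions for illustration.

const REGION_POLICY = {
  // "opt-out" regimes: tracking may run until the visitor opts out, and a
  // browser-level opt-out signal counts as an opt-out.
  "US-CA": { mode: "opt-out" },
  "US-CO": { mode: "opt-out" },
  "US-VA": { mode: "opt-out" },
  // "opt-in" regimes: nothing is tracked until the visitor explicitly agrees.
  "EU": { mode: "opt-in" },
};

// Unknown regions get the strictest treatment, so a lookup gap never widens tracking.
const DEFAULT_POLICY = { mode: "opt-in" };

// Browsers that send the Global Privacy Control header (Sec-GPC: 1) expose it as
// navigator.globalPrivacyControl === true. Taking the navigator object as a
// parameter keeps the function testable outside a browser.
function readBrowserOptOut(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// consent is "opted-in", "opted-out" or "none" (no stored choice yet).
function decideTracking({ region, consent = "none", browserOptOut = false }, auditLog = []) {
  const policy = REGION_POLICY[region] || DEFAULT_POLICY;
  let decision;
  if (browserOptOut) {
    decision = { track: false, reason: "browser-level opt-out signal honoured" };
  } else if (consent === "opted-out") {
    decision = { track: false, reason: "visitor opted out via site control" };
  } else if (policy.mode === "opt-in") {
    decision = consent === "opted-in"
      ? { track: true, reason: "explicit opt-in consent recorded" }
      : { track: false, reason: "opt-in region and no consent recorded" };
  } else {
    decision = { track: true, reason: "opt-out region and no opt-out recorded" };
  }
  // Record inputs and outcome so the team can later show why tracking ran (or did not).
  auditLog.push({ at: new Date().toISOString(), region, consent, browserOptOut, ...decision });
  return decision;
}

// Handler for a "Do Not Sell or Share My Personal Information" link: persist the
// opt-out in a store (a cookie or localStorage wrapper on a real page) and re-evaluate.
function recordOptOut(store, region, auditLog = []) {
  store.consent = "opted-out";
  return decideTracking(
    { region, consent: store.consent, browserOptOut: readBrowserOptOut() },
    auditLog
  );
}

// Stand-alone run with constructed visitor inputs.
if (typeof require !== "undefined" && require.main === module) {
  const log = [];
  const cases = [
    { region: "US-CO", consent: "none", browserOptOut: true },
    { region: "US-CA", consent: "none", browserOptOut: false },
    { region: "EU", consent: "none", browserOptOut: false },
    { region: "EU", consent: "opted-in", browserOptOut: false },
  ];
  for (const c of cases) console.log(c, "->", decideTracking(c, log));
  const store = { consent: "none" };
  console.log("after opt-out link:", recordOptOut(store, "US-VA", log));
  console.log("audit entries:", log.length);
}
```

On a real page the decision would gate whether the tracker script is loaded or switched to a cookieless mode; the audit log would be persisted server-side so that an access or deletion request, or a regulator's question, can be answered from the record rather than from memory.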

Support compliance efforts with privacy-first analytics

Businesses based in states without strong data protection legislation are not exempt from compliance requirements if they conduct business across state lines.

That means an eCommerce company based in Wyoming collecting personal data from customers in states like California or Virginia must follow each state’s rules for every visit that makes its way into their analytics tools.

As both state- and sector-level regulations change, the privacy by design approach becomes the more practical choice. At some point, any material advantage eked out by pulling more personal data is offset by the time and monetary costs of reconfiguring analytics tools.

A privacy-first platform helps teams:

  • Minimise the amount of consumer personal data they collect
  • Respect consent choices by region
  • Work more confidently with de-identified data

It also gives a clear view of which data controller is responsible for what, how data subjects can exercise their consumer privacy rights and how teams can prove that they processed data lawfully.

Matomo is built on these ideas.

We’re an open source, privacy-first analytics suite that lets organisations own their data, deploy in the cloud or on-premise and configure tracking for compliance with strict regulations, like CCPA and HIPAA.

Features such as cookieless tracking, flexible consent tools and detailed access controls make it easier to align with state rules on personal data and consumer health data without losing sight of key metrics.

Matomo also avoids data sampling, which means compliance leads and analysts see the whole picture when they review behaviour or run data protection assessments. And it can track AI chatbot and AI agent traffic for free, something most tools can’t do.

Choosing privacy-first analytics now gives your team a stable base. As new state statutes arrive or a future national data privacy act takes shape, you can adapt settings rather than rebuild your measurement stack from scratch.

Staying ahead of any future US data privacy act

Personal data is everywhere, and the rules that guard it are only growing more complex. Even without a single federal data privacy act, state privacy laws and sector rules already shape how you collect, store and use personal data.

The most practical move now is simple: review your analytics stack and choose tools that support privacy by design as a default, instead of as an afterthought.

Start by mapping what you track, where it lives and which consent signals you respect, then phase out any platforms that cannot adapt to stricter requirements.

Matomo was built for this kind of future. Over a million websites trust Matomo for accurate, unsampled reporting, strong privacy controls and full data ownership.

Explore Matomo Cloud or On-Premise to prepare your organisation for whatever comes next.

Frequently asked questions

What is the DATA Privacy Act?

H.R. 5807 from the 117th Congress (2021-2022), better known as the Digital Accountability and Transparency to Advance (DATA) Privacy Act, was a proposed federal bill to establish national data privacy standards in the United States.

Like the American Data Privacy and Protection Act and the American Privacy Rights Act, the DATA Privacy Act failed to pass. However, a bill like it may pass in the future.

Which US states have data privacy laws?

As of early 2026, the following 20 states have data privacy regulations:

  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Indiana
  • Iowa
  • Kentucky
  • Maryland
  • Minnesota
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Rhode Island
  • Tennessee
  • Texas
  • Utah
  • Virginia

The following states have bills that will carry over into, or be introduced in, 2026:

  • Georgia
  • Hawaii
  • Illinois
  • Maine
  • Massachusetts
  • Michigan
  • Mississippi
  • New York
  • North Carolina
  • Oklahoma
  • Pennsylvania
  • Washington
  • West Virginia
  • Vermont
  • Wisconsin

Alongside Washington, D.C., these states have no laws or current plans to enact them:

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • Idaho
  • Kansas
  • Louisiana
  • Missouri
  • Nevada
  • New Mexico
  • North Dakota
  • Ohio
  • South Carolina
  • South Dakota
  • Wyoming

What is the Data Privacy Act of the Philippines?

The Data Privacy Act is a Philippine law passed in 2012 that regulates the collection, processing, storage and sharing of personal data. It created the National Privacy Commission, the governing body responsible for its enforcement. It applies to organisations operating in the Philippines, as well as those outside the country that work with the data of Philippine citizens and residents.

It’s similar in scope to the GDPR.
