United States

No single federal DPA. FTC has de facto authority through Section 5 (unfair/deceptive practices). California Privacy Protection Agency (CPPA) is the first dedicated state privacy regulator. State AGs enforce state privacy laws.

No universal consent requirement. CCPA uses opt-out model for data sales. COPPA requires parental consent for children under 13. Opt-in required for sensitive data under several state laws.

CCPA/CPRA provides: right to know, delete, correct, opt-out of sale/sharing, limit use of sensitive data, and non-discrimination. Other state laws provide similar but varying rights.

No general restrictions on international data transfers. EU-US Data Privacy Framework enables transfers from EU. Sector-specific requirements may apply (e.g., ITAR for defence data).

All 50 states have breach notification laws. Generally require notification to individuals and state AG. Timelines vary (24 hours to 60 days). No single federal breach notification law.

No general DPO requirement. HIPAA requires a Privacy Officer for covered entities. Some state laws encourage but do not mandate privacy officers.

COPPA requires verifiable parental consent for children under 13. FTC actively enforces. Several states (CA, CT, TX) have additional children's privacy laws. Age-appropriate design codes emerging.

FTC can impose unlimited penalties for violations. CCPA: $2,500/violation, $7,500/intentional violation. State AGs can pursue civil penalties. Private right of action for data breaches under CCPA.

HIPAA (health), GLBA (financial), FERPA (education), FCRA (credit reporting), ECPA (electronic communications). Most regulated sectors have specific data rules.

No federal cookie law. CCPA opt-out requirements effectively cover tracking for advertising. Some state laws address online tracking. Industry self-regulation through DAA principles.

No comprehensive federal AI law. Colorado AI Act (2024) regulates high-risk AI. NYC Local Law 144 requires bias audits for automated employment decisions. FTC scrutinising AI practices.

No general data localisation requirements. Sector-specific requirements for government data (FedRAMP) and some financial data.

No equivalent concept. Large data brokers subject to registration requirements in some states (California, Vermont).

Fourth Amendment protections. FISA and Executive Order 14086 govern intelligence community access. Privacy Act of 1974 governs federal agency data. State laws vary.