The United States regulates privacy sectorally (HIPAA, GLBA, COPPA) and as of this writing has no federal comprehensive privacy law, unlike most countries that follow a GDPR-style comprehensive model.
Most countries follow a comprehensive approach to privacy (often called data protection), and many are modeled on the EU's GDPR. The United States instead uses a sectoral approach, regulating privacy through laws aimed at specific sectors such as HIPAA (health), the GLBA (finance), and COPPA (children).
Despite decades of advocacy, no federal comprehensive privacy law exists as of this writing. One novel proposal under consideration would impose a data fiduciary duty on companies handling data, requiring them to act in good faith on behalf of consumers.
🔑 The gap states are filling
Because Congress has not enacted a comprehensive law, states stepped in. This is why a patchwork of comprehensive state laws exists - it is a direct response to federal inaction.
Key terms - quick answers
What is “Comprehensive privacy law”?
A law that protects all types of personal data across sectors, as opposed to a sector-by-sector approach.
What is “Sectoral approach”?
The U.S. model of regulating privacy through laws targeting specific industries or data types (e.g., HIPAA for health, GLBA for finance).
What is “GDPR”?
The EU's General Data Protection Regulation, the comprehensive data protection model that became effective in 2018 and on which many global and U.S. state frameworks are based.
What is “Data fiduciary duty”?
A novel proposed approach requiring companies that handle data to act in good faith on behalf of consumers.