The United States has about 20 sector-specific or medium-specific national privacy or data security laws, and hundreds of such laws among its 50 states (California alone has more than 25 state privacy and data security laws). These laws address particular problems or industries and are too diverse to summarize fully in this volume.
In addition, the large range of companies regulated by the Federal Trade Commission ("FTC") are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement minimal data security measures or fail to live up to promises in privacy policies.
DEFINITION OF PERSONAL DATA
Varies widely by regulation.
DEFINITION OF SENSITIVE PERSONAL DATA
Varies widely by regulation.
NATIONAL DATA PROTECTION AUTHORITY
No official national authority. However, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g. for telemarketing, spamming, and children's privacy). The FTC uses its general authority to prevent unfair and deceptive trade practices to bring enforcement actions against inadequate data security measures, and inadequately disclosed information collection, use and disclosure practices. State Attorneys General typically have similar authority and bring some enforcement actions.
In addition, a wide range of sector regulators, particularly those in the health care and financial services sectors, have authority to issue and enforce privacy regulations.
REGISTRATION
There is no requirement to register databases.
DATA PROTECTION OFFICERS
With the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer, although appointment of a chief privacy officer and an IT security officer is a best practice among larger organisations.
COLLECTION AND PROCESSING
US privacy laws and self-regulatory principles vary widely, but generally require pre-collection notice and an opt-out for the use and disclosure of regulated personal information.
States impose a wide range of specific requirements, particularly in the employee privacy area.
The US regulates marketing communications extensively, including telemarketing, fax marketing and email marketing (which is discussed below).
TRANSFER
No geographic transfer restrictions apply in the US, except with regard to accountants transferring tax preparation materials. The Commerce Clause likely bars US states from imposing data transfer restrictions, and there are no other such restrictions in US national laws.
By contrast, some European data protection authorities take the position that personal data transferred to the United States under the US-EU Safe Harbor principles may not be transferred onward outside the US without another valid legal basis.
SECURITY
Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (e.g. health or financial information, telecommunications usage information, or information that would require security breach notification).
A few states have enacted laws imposing more specific security requirements for the data elements that trigger security breach notice requirements. For example, Massachusetts has enacted regulations that apply to any company that collects or maintains sensitive personal information on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program; the regulations also set forth the minimum components of such a program.
HIPAA-regulated entities have much more extensive data security requirements, and some states impose further security requirements (e.g. for payment card data, for social security numbers, or to employ secure data destruction methods). HIPAA security regulations apply to so-called "covered entities" such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as to their "business associates", which include service providers that have access to, process, store or maintain any protected health information on behalf of a covered entity.
BREACH NOTIFICATION
Security breach notification requirements are a US invention. 46 US states and most US territories require notifying state residents of a security breach involving residents' name plus a sensitive data element – typically a social security number, other government ID number, or credit card or account number in combination with any security code or password that would permit access to a financial account. Notice of larger breaches is typically also required to be provided to credit bureaus, in a minority of states to State Attorneys General, and in rare cases to other state officials. National laws require notification in the case of breaches of health care information, breaches of information from financial institutions, and breaches of government agency information.
ENFORCEMENT
Violations are generally enforced by the FTC, State Attorneys General, or the regulator for the industry sector in question. Civil penalties are generally significant. In addition, some privacy laws (for example, credit reporting privacy laws, electronic communications privacy laws, video privacy laws, call recording laws and cable communications privacy laws) are enforced through class action lawsuits for significant statutory damages and attorneys' fees, and defendants can be sued for actual damages for negligence in mishandling personal information such as payment card data.
ELECTRONIC MARKETING
The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.
E-mail: The CAN-SPAM Act is a federal law that applies labelling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender's contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. Not only the FTC and State Attorneys General, but also ISPs and corporate email systems can sue violators. Furthermore, knowingly falsifying the origin or routing of a commercial email message is a federal crime.
Text Messages: Federal and state regulations apply to the sending of marketing text messages to individuals. Generally, express, opt-in consent is necessary to send marketing text messages and applicable regulations also specify the form of consent.
Telemarketing: In general, federal law applies to most telemarketing calls and programs, and a state's telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing. For example, national ("federal") and state rules address calling time restrictions, honouring do-not-call registries and opt-out requests, mandatory disclosures to be made during the call, requirements for completing a sale, executing a contract or collecting payment during the call, restrictions on the use of auto-dialers and pre-recorded messages, and record keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.
Callers generally must scrub their calling lists against both the national and multiple state do-not-call registries, as it is prohibited to place a telemarketing call to a number listed in a do-not-call registry unless a specific exemption applies. The national do-not-call rules (and several state rules), for example, exempt calls to existing business customers who have purchased a product or service in the last 18 months from the company on whose behalf the call is placed, as long as the customer has not specifically opted out of receiving telemarketing calls from that company. The use of auto-dialers to send pre-recorded messages generally requires the affirmative opt-in consent of the recipient.
Fax Marketing: Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number "voluntarily," a concept which the law specifically defines. The law also requires that each fax advertisement contain specific information, including (i) a "clear and conspicuous" opt-out method on the first page of the fax; (ii) a statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful; and (iii) a telephone number, fax number and cost-free mechanism to opt out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week.
ELECTRONIC PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Location Data: The privacy requirements for location-based apps and services are in flux and are a subject of extensive interest and debate. Federal Communications Commission regulations govern the collection and disclosure of location information by telecommunications carriers, including wireless carriers. Further, any location service that targets children under the age of 13, or has actual knowledge that it is collecting location information from children under age 13, must comply with the requirements of the Children's Online Privacy Protection Act (COPPA) Rules – including obtaining prior verifiable parental consent in most circumstances. Both the Federal Trade Commission and the California Attorney General's Office have issued best practices recommendations for mobile apps and mobile app platforms, and the California Attorney General has entered into an agreement with major app platforms in which they promise to prompt mobile apps to post privacy policies. Furthermore, a Department of Commerce-led multistakeholder negotiation to develop a code of conduct for mobile app privacy is well underway.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com