There is no single regulation like the GDPR that uniformly regulates privacy and data protection in the United States. Instead, states themselves are the pioneers in laws protecting consumer information and creating causes of action these consumers can use to hold businesses accountable. California, Colorado, and Massachusetts, for example, have established their own general privacy and data protection requirements, while Illinois has a law specifically regulating collection and use of biometric information.
Outside of state law, there are a number of federal laws that impact how businesses collect, store, and use information about individuals and households. These laws apply to specific industries, consumers, or situations. For example, the Federal Trade Commission Act protects consumers against deceptive practices in collecting/using their personal information; the Children’s Online Privacy Protection Act (COPPA) sets privacy and data protection standards for collecting information from children under thirteen online; the Graham-Leach-Bliley Act (GLBA) addresses use and disclosure of consumer information by financial services companies; and the Health Insurance Portability and Accountability Act (HIPPA) sets standards for handling health information.