Excerpt: Privacy law in the United States is regulated at both the state and federal levels. Historically, federal privacy law has focused on specific industries and types of data, such as the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry, and the Children’s Online Privacy Protection Act (COPPA) for online services that collect personal information from children under the age of 13.
Privacy laws at the state level, meanwhile, have historically focused on addressing specific areas of concern. For example, Illinois, Texas, and Washington have each passed some version of a biometric information privacy law, which requires businesses that collect face IDs, thumbprints, and other biometric identifiers to comply with certain notice and consent requirements. A number of states have passed laws regulating other categories of sensitive information, such as health information (e.g., California and Texas), genetic information (e.g., California, Utah, and Florida), and Social Security numbers. California and Vermont have also passed specific laws regulating data brokers (entities that buy and sell consumer personal data).