In today’s digital economy, almost every organization, whether a global bank, a healthcare provider, or a start-up, relies on the collection and analysis of personal data. In fact, data privacy and security have become central to how businesses earn and maintain public trust. The importance of these issues is only compounded by what Gary Chodes of The National Law Review refers to as “the pressure of modern compliance,” noting that it “adds to the intensity of every process, from how companies handle customer data to how they disclose breaches.” This ‘intensity’ is why understanding the patchwork of federal and state laws is critical for any organization handling personal information.
Data Privacy vs. Data Security
While data privacy and data security overlap, they are distinct concepts. However, as Kathryn Nadro of Levenfeld Pearlstein LLC notes, “Privacy can’t exist without strong security.”
Data security focuses on keeping data safe from unauthorized access or alteration; think firewalls, encryption, and multifactor authentication. ‘Data privacy,’ on the other hand, governs how organizations collect, use, and share that information in a responsible and lawful way. Regulators increasingly expect businesses to demonstrate not just technical defenses but also ethical intent, showing that privacy is built into design, not bolted on later.
What Counts as Personal Information?
One of the trickiest parts of compliance is understanding what counts as ‘personal information.’ Under US law, the term varies widely.
‘Personally Identifiable Information’ (PII) usually refers to data that directly identifies someone, e.g., name, Social Security number, driver’s license number, etc. However, broader definitions, like those in the California Consumer Privacy Act (CCPA), include indirect identifiers such as IP addresses, online tracking cookies, and purchasing histories.
‘Sensitive personal information’ can include race, religion, sexual orientation, financial account details, or biometric data like fingerprints and facial geometry. Each new category brings its own risks. For example, an employer that uses facial recognition for time tracking may trigger obligations under Illinois’s Biometric Information Privacy Act (BIPA).
Companies often underestimate how much of the data they hold qualifies as regulated personal information, so it is essential to inventory what data you hold and determine which regulations apply to it.
The Patchwork Problem
Unlike the European Union’s General Data Protection Regulation (GDPR), the US lacks a single, overarching privacy law. Instead, it relies on a patchwork of state and sector-specific regulations. For businesses operating nationally, that patchwork means navigating multiple, sometimes conflicting, rules.
Federal Frameworks
The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions, broadly defined. A financial institution, in this case, is not just a bank; it could be any company engaged in lending or financial services. GLBA’s Privacy Rule and Safeguards Rule require those entities to protect non-public personal information and issue annual privacy notices to consumers. The Federal Trade Commission (FTC) enforces many of these provisions and has increased penalties for violations.
The Health Insurance Portability and Accountability Act (HIPAA) applies to entities like healthcare providers, insurers, and clearinghouses that handle protected health information.
State and Sector-Specific Laws
Currently, 20 states have comprehensive data privacy laws on the books, each with unique definitions, opt-out rights, and enforcement mechanisms.
“There’s a lot of latitude in this space. For example, some states fold biometrics into privacy laws, others make it stand-alone,” notes Alex Sharpe of Sharpe Management Consulting LLC.
This inconsistency means a company might be compliant in one state but in violation in another. For instance, a company based in Arizona but serving New York customers must still comply with the New York SHIELD Act.
When Things Go Wrong
When a breach occurs, response time is everything. Every state now mandates prompt notification of affected individuals, and many require reporting to regulators. The SEC’s 2023 cybersecurity rules now require public companies to disclose ‘material’ incidents within four business days, adding immense pressure to act quickly when breaches occur. In some cases, however, law enforcement agencies may delay public reporting to investigate national security implications, as was the case with the 2022 AT&T breach.
Building a Culture of Compliance
Even if penalties and fines are manageable in the wake of a breach, customer trust once lost is nearly impossible to regain, with reputational harm often exceeding legal liability. That’s why organizations handling data should consider adopting a culture of compliance. To do this, companies should establish written information security programs (WISPs), audit their vendors, and require privacy clauses in contracts. Training employees regularly is crucial. Some organizations conduct ‘tabletop exercises’ and incident response drills, ensuring they’re not improvising in a crisis. Frameworks such as those from NIST, ISO 27001, and the newer ISO 42001 (focused on AI governance) can provide structure for companies just getting started.
The Road Ahead: Toward a National Standard
There’s a growing call for a unified federal privacy law to replace the current maze of state regulations. Proposals like the American Data Privacy and Protection Act (ADPPA) have gained traction, but political gridlock has delayed any comprehensive reform. Until Congress acts, companies will need to track state updates regularly. With the advent of AI, there is an added sense of urgency to build ethical frameworks before technology outpaces law.
Ultimately, compliance is only part of the story. Protecting privacy is about protecting people. Companies that treat personal data as a trust rather than a transaction will not only avoid penalties; they’ll stand out in a market where integrity is the rarest currency of all.
To learn more about this topic, view Introduction to US Privacy and Data Security Regulations and Requirements. The quoted remarks referenced in this article were made either during this webinar or shortly thereafter during post-webinar interviews with the panelists. Readers may also be interested to read other articles about cybersecurity.
This article was originally published on November 4, 2025.
