Data & Privacy Compliance

What data you collect, how you use it, and what the law requires

Overview

If your product touches personal information — and virtually every software product does — data privacy law applies to you. The question isn't whether you have compliance obligations; it's which ones, in how many jurisdictions, and how strict they are. The US has no single federal privacy law. Instead, a patchwork of sector-specific federal laws and a growing number of state comprehensive privacy laws govern how companies collect, use, and protect personal data.

The most practically significant laws depend on who your users are and where they live. GDPR applies if you have users in the EU — regardless of where your company is located. CCPA/CPRA applies to California residents. A growing number of states now have their own comprehensive privacy laws that impose similar obligations with varying thresholds. HIPAA applies if you touch health data. COPPA applies if you knowingly collect data from children under 13. Getting this right requires understanding which laws apply to your specific situation before you design your data practices — retrofitting compliance is significantly more expensive than building it in.

Federal Laws

Children's Online Privacy Protection Act (COPPA)
Governs the collection of personal information from children under 13. Requires verifiable parental consent before collecting, using, or disclosing a child's data — any site or service directed at children or with actual knowledge of child users must comply.

DOJ Bulk Sensitive Data Rule
Implements Executive Order 14117 restricting the bulk transfer of Americans' sensitive personal data to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Effective April 2025. Covers genomic data, biometric data, precise geolocation, health data, financial data, and certain government-related data. Tech companies handling large-scale personal data should evaluate whether their data flows implicate these restrictions.

Electronic Communications Privacy Act (ECPA)
Governs how the government and private parties can access electronic communications and stored data, covering real-time interception, stored records, and metadata collection. It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.

FTC Act Section 5 (FTC Act §5)
Prohibits unfair or deceptive acts or practices in commerce. The FTC's primary enforcement tool against privacy violations, misleading marketing, security misrepresentations, and dark patterns — applies to nearly every business.

Fair Credit Reporting Act (FCRA)
Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.

Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.

Health Information Technology for Economic and Clinical Health Act (HITECH)
Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.

Health Insurance Portability and Accountability Act (HIPAA)
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.

Browse by State

California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Tennessee, Texas, Virginia, Washington

Browse by Country

Australia, Brazil, Canada, Cross-Border, France, Germany, India, Ireland, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Singapore, South Korea, Spain, Sweden, United Arab Emirates, United Kingdom

How Jurisdictions Differ

The key variable across US state privacy laws is the applicability threshold — most laws only apply to companies above a certain volume of data processed or revenue derived from data sales. California's thresholds are the lowest and most frequently triggered. Most other state laws set higher thresholds, meaning smaller companies may only need to worry about GDPR (for EU users) and California. The EU's GDPR has no revenue threshold — if you process EU resident data, it applies, period. Understand your threshold exposure before assuming a law doesn't apply.
