Data & Privacy Compliance

What data you collect, how you use it, and what the law requires

Overview

If your company collects, stores, analyzes, shares, or monetizes personal information — and most modern software products do — privacy law is already part of your operational environment. The challenge is usually not whether privacy obligations exist, but which laws apply, where your users are located, what kinds of data you handle, and how your product actually works.

The United States does not currently have a single comprehensive federal privacy law. Instead, privacy obligations come from a combination of sector-specific federal laws and a rapidly expanding set of state privacy statutes. Other jurisdictions, including the European Union, impose their own rules that can apply even when a company is based entirely in the United States.

In practice, the most important laws often depend on your users and your data. GDPR may apply if your product has users in the EU. CCPA/CPRA governs many businesses handling data from California residents, and its framework has heavily influenced newer state privacy laws across the United States. HIPAA can apply when handling certain health information, while COPPA regulates online services directed to children under 13.

These issues are no longer limited to large technology companies. Small SaaS businesses, AI-powered tools, ecommerce stores, automation agencies, analytics platforms, and even vibe-coded applications may all trigger privacy obligations once they begin collecting user information, behavioral data, or customer content. Building privacy considerations into products and workflows early is usually far easier, and far less expensive, than trying to retrofit compliance later.

Federal Laws

Other Federal Laws

Federal
Children's Online Privacy Protection Act
COPPA — 15 U.S.C. §§ 6501–6506
Prohibits unfair or deceptive practices in the online collection of personal information from children under 13. Requires parental consent before collecting, using, or disclosing a child's data. Enforced by the FTC through the COPPA Rule (16 CFR Part 312), which specifies notice, consent, security, and data retention obligations for operators of child-directed websites and services.
Last updated May 31, 2026
Federal
DOJ Bulk Sensitive Data Rule
Implements Executive Order 14117 restricting the bulk transfer of Americans' sensitive personal data to countries of concern (China, Russia, Iran, North Korea, Cuba, Venezuela). Effective April 2025. Covers genomic data, biometric data, precise geolocation, health data, financial data, and certain government-related data. Tech companies handling large-scale personal data should evaluate whether their data flows implicate these restrictions.
Last updated April 6, 2026
Federal
Electronic Communications Privacy Act
ECPA — 18 U.S.C. §§ 2510–2522
Governs how the government and private parties can access electronic communications and stored data, covering real-time interception, stored records, and metadata collection. It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.
Last updated May 31, 2026
Federal
FTC Act Section 5
FTC Act — 15 U.S.C. § 45
Section 5 prohibits unfair or deceptive acts or practices in commerce and serves as the FTC's primary authority for regulating deceptive AI claims, unfair automated systems, and problematic data practices. It applies broadly to technology companies making representations about AI capabilities, automation, security, personalization, or algorithmic decision-making.
Last updated May 31, 2026
Federal
Fair Credit Reporting Act
FCRA — 15 U.S.C. §§ 1681–1681x
Regulates the collection, use, and sharing of consumer credit and background information. Applies to any company using background checks, credit reports, or algorithmic consumer evaluations for employment, housing, or credit decisions.
Last updated May 31, 2026
Federal
Gramm-Leach-Bliley Act
GLBA — 15 U.S.C. §§ 6801–6809
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The Safeguards Rule mandates specific administrative, technical, and physical data security measures.
Last updated May 31, 2026
Federal
Health Information Technology for Economic and Clinical Health Act
HITECH — 42 U.S.C. §§ 17931–17954
Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.
Last updated May 31, 2026
Federal
Health Insurance Portability and Accountability Act
HIPAA — 42 U.S.C. §§ 1320d–1320d-9
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definition of "covered entity" and "business associate" is broader than most tech founders assume — a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.
Last updated May 31, 2026
Federal
Video Privacy Protection Act
VPPA — 18 U.S.C. § 2710
The VPPA restricts the disclosure of personally identifiable information relating to a consumer's video viewing history without consent. Although originally enacted for video rental records, it is increasingly invoked in litigation involving online video platforms, embedded video content, tracking pixels, analytics tools, and advertising technologies that share user viewing activity with third parties.
Last updated May 31, 2026

Browse by State

California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New York, Oregon, Rhode Island, Tennessee, Texas, Virginia, Washington

Browse by Country

Australia, Brazil, Canada, Cross-Border, European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Singapore, South Korea, Spain, Sweden, United Arab Emirates, United Kingdom

How Jurisdictions Differ

The key variable across US state privacy laws is the applicability threshold — most laws only apply to companies above a certain volume of data processed or revenue derived from data sales. California's thresholds are the lowest and most frequently triggered. Most other state laws set higher thresholds, meaning smaller companies may only need to worry about GDPR (for EU users) and California. The EU's GDPR has no revenue threshold — if you process EU resident data, it applies, period. Understand your threshold exposure before assuming a law doesn't apply.

