What I Learned About Privacy Laws in the US

Posted on Nov 28, 2022 by Kristin Hassel

US privacy laws are improving constantly, but online privacy is still in its infancy. Despite the new legislation, Federal laws remain vague and State leaders have taken it upon themselves to try to fill the void — though many of them miss the mark.

Get ready for a crash course on the current state of online privacy laws in the US, and a convincing argument for why we need to keep advocating for change.

What Is Online Privacy & Why Is It Important?

The phrase ‘online privacy’ describes the level of data protection for personal and financial information, communications, preferences, and other data you share online. Without proper data protections in place, anyone with the skills, software, or access to your personal details can use them for a variety of purposes, including:

  • Stealing your identity and committing financial fraud
  • Overcharging for goods and services based on location and spending habits
  • Tracking frequented establishments to target you with specific ads
  • Harvesting your data and reselling it for a profit

Online privacy isn’t specifically included in the Constitution, though amendments exist to protect online communications and prevent unlawful surveillance. The 4th Amendment protects your general right to privacy, but few laws place specific restrictions on whether and how online companies can collect, process, and store personal information.

Personal privacy is tremendously important to our everyday lives. We expect laws to protect us from being followed, watched, and even disturbed by others — and we have them for the physical world. So why aren’t we demanding the same level of privacy for our online information? Picture the following scenario:

You walk into a grocery store, grab a cart and proceed to pick up your groceries. Someone you don’t know follows closely behind you and writes down everything you bought along with quantity, prices, and the store location.

When you go to the checkout, your stalker isn’t far behind either. You hand your credit card to the cashier – they swipe it and give it to the individual following you. This person writes down the number, expiration date, and 3-digit code on the back. Then they accidentally drop it and the person behind them picks it up and uses it to pay for their groceries in the next lane.

Would you wait until the situation played out completely before doing something about it or would you alert the store manager the minute you noticed someone was following you around the store? 

This example may seem a little extreme, but millions of US citizens face this exact form of online privacy invasion daily. Information mishandling, data brokering, and location tracking are the most common ways sites and services compromise your online data.

Data Trading is Big Business in the US

Handling billions of data records is a never-ending, complicated task for companies. It doesn’t help that the US doesn’t have a national standard for how companies should manage data. The lack of regulations and general mishandling of online data puts the privacy of your information at risk.

The vague terminology used in most existing legislation leaves room for companies to interpret the laws in ways suiting their needs. Many parts of the US allow companies to sell or trade online data without your permission. Trading data has become big business, too. As you can see in the table below, data brokers make good money. 

Income Comparison for Types of Brokers in the US
*based on the national average per profession

Type                 Yearly*            Hourly*
Stockbroker          $59,000            $28
Mortgage broker      $124,000           $60
Insurance broker     $75,000-100,000    $42
Real-Estate broker   $46,000            $22
Data Broker          $71,00             $34

Comprehensive data privacy laws mean comprehensive change, and it will affect more than brokers. The relationship between the companies who trade online information, data brokers, and the entities buying the information is symbiotic. Each link in the data chain stands to lose revenue if new legislation imposes different rules for processing data.

The Current State of Online Privacy In the US

The good news is the US is starting to realize how important online privacy is to its citizens. In recent years, the US has developed more legislation that protects user data and mandates that sites or services provide adequate data security. States like Utah, Nevada, Colorado, Virginia, and California have created legislation to provide harsh penalties for companies and services caught violating online privacy laws.

But, it’s not all good news. Not every US state provides strong data protection laws, and current Federal laws don’t offer enough protection for online data. Federal government legislation has improved slightly where companies are concerned, but military and law enforcement entities are still allowed to perform mass surveillance with little to no reason. 

Let’s take a closer look at how individual states are stepping up to the challenge, and how the US compares with other countries regarding data privacy protections.

The US States with the Best Privacy Laws

California leads the way, having the most comprehensive data privacy legislation. The California Communications Privacy Act (CCPA) is the current standard for cohesive state legislation, which has led to other states following suit and tightening up online privacy laws. 

Colorado, Nevada, Connecticut, and Utah are working on or have already adopted laws similar to the CCPA. 

California is the best state for privacy, while Alaska makes the top of the worst list.

The California Age-Appropriate Design Code Act (CA-ADCA) restricts data collection from anyone 18 years old or younger. Effective June 2024, the CA-ADCA requires apps and services to follow set privacy requirements for youths.

For a more comprehensive view of where you get the best online data protections in the US, check out The Best and Worst States in America for Online Privacy.

States With the Worst Privacy Laws

Alaska has the worst data privacy protections in the US. It applies data disposal laws to corporations and government entities, but has no cohesive legislation regarding data brokers, children, citizens, or data security.  

Alaska isn’t the only state with holes in privacy legislation. Oregon requires companies to inform consumers of data breaches regarding their personal information, but the laws surrounding how companies should protect data are vague and open to interpretation in this jurisdiction as well.

Comparing US Privacy Laws to Other Countries

Currently, the EU has the most comprehensive online privacy legislation with the General Data Protection Regulation (GDPR). These regulations are among the strongest data privacy laws in the world and have extraterritoriality — meaning the GDPR includes cross-border restrictions for international companies. 

Any company in or outside the EU offering goods or services to EU residents must follow the GDPR. If a company violates the regulations, fines can reach up to 4% of its total global revenue or 20 million euros (whichever is higher). On top of these fines, victims may also seek individual compensation. Many countries outside the EU have used the policy as an example for their legislation, including Norway, Turkey, Iceland, Switzerland, and Liechtenstein. 

Canada enacted similar legislation with the Personal Information Protection and Electronic Documents Act (PIPEDA). This Federal law governs how private sector organizations collect, store, use, and disclose residents’ personal information.

The closest Federal law the US has to the GDPR is the American Data Privacy Protection Act (ADPPA), but it isn’t as all-encompassing. This Act limits data collection, processing, and transfer to what’s necessary to provide, improve, and maintain products and services. Unfortunately, the ADPPA uses vague terminology, and corporations get to determine most of what constitutes ‘required data.’

Protect Your Data in Any State

Until legislation offers a cohesive solution for protecting online privacy in the US (and even after), you need to take steps to protect your data.

A few simple steps can help increase your online privacy.

PIA provides virtual IPs in all 50 States and DC to increase your online privacy anywhere in the nation. We also offer antivirus protection without tracking or logging to keep your device safe from harmful downloads. You can also stop ads, trackers, and malware at DNS level (before they infiltrate your device) with our all-in-one blocker MACE.

You need to keep your system software up-to-date to avoid creating backdoors for cybercriminals to access your sensitive data like location, network, and device information. 

When you sign into sites or services online, your habits and personal information are up for grabs. Use PIA to increase your online protection – we’ve got a 30-day money-back guarantee so it’s risk-free to test us out.

Increase Your Online Privacy In the US

Online privacy laws are slowly catching up to the times across most of the US, but several states still use inadequate legislation. Federal laws regarding online privacy protection lack straightforward descriptions of what is and isn’t legal. What’s more, many Federal laws are open to interpretation.

The primary thing I discovered about online privacy in the US is that it’s important to stay informed and to refresh your knowledge from time to time. Until US privacy laws meet the people’s demand for better legislation, PIA can help increase your online protection. What we can’t do is replace your voice. Stay active in the fight for online privacy, and advocate for policy changes on state and Federal levels.


Does the United States of America have any online privacy laws?

Yes, but they need (a lot of) work. The most encompassing Federal law the US has for online privacy protection is the American Data Privacy Protection Act (ADPPA). And while it limits data handling to what is necessary to provide and maintain products and services, companies get to decide for themselves what is “necessary.”

Regardless of where you live in the US, you can use PIA to protect your online privacy. We include an automatic Kill Switch to prevent data leaks and offer an all-in-one ad, malware, and tracker blocker (MACE) to help you avoid malicious software. 

Which US States have implemented digital privacy laws?

All 50 states have some form of online privacy protection legislation, but only a few have truly adequate laws. California has the most comprehensive digital privacy laws, including the CCPA and CA-ADCA. Both of these laws include harsh penalties for violating regulations. Alaska, meanwhile, has the worst laws regarding online data privacy. 

Current Federal regulations don’t make up for states with lax policies either, so it’s crucial to take steps to protect your privacy.

What is the US Privacy Act?

The US Privacy Act, introduced in 1974, gave citizens the right to request their records and protects them from unlawful privacy invasion. It was amended twice – once by the Computer Matching and Privacy Act of 1988 and then again with the Computer Matching and Privacy Protection Amendments of 1990. These amendments include protection for online data, to help increase your online anonymity.

Does the EU have better privacy laws than the US?

Yes, the EU has better privacy laws than the US. It enacted the General Data Protection Regulation (GDPR) in 2016, providing a comprehensive solution for online privacy and offering cross-border protections for citizens and residents of the EU. Find out more about how US privacy laws compare to laws in other countries.