Who Regulates Whom? An Overview of the U.S. Privacy Regulatory Framework


In the United States, both federal and state legislators have enacted privacy and security laws. While the Constitution does not contain the word privacy, the Supreme Court has recognized individual privacy rights over personal issues. State constitutions may – or may not – provide residents with stronger privacy rights than are provided by the U.S. Constitution. Both state and federal agencies regulate particular industries, such as financial institutions and healthcare providers. Aside from the government’s ability to create and enforce laws, self-regulatory regimes play a significant role in governing privacy practices in all industries.

This research paper provides a brief overview of the role of privacy regulators:

  1. What powers do regulators have?
  2. What policy goals are regulators trying to accomplish?
  3. Through what means are those goals accomplished?
  4. Who or what is being regulated?

Privacy Regulatory Overview

At the federal level, a number of agencies regulate privacy. At the state level, State Attorneys General’s offices bring a variety of privacy-related enforcement actions. The goal of privacy and cybersecurity laws is to protect personal information contained in both paper and electronic records.

The Federal Trade Commission (FTC) is the leading privacy and security regulator. The FTC has authority over unfair or deceptive practices affecting commerce. The U.S. Department of Health and Human Services (HHS) has authority over healthcare information.

The Role of Privacy Regulators

Privacy laws in the United States are enacted based on particular types of information (financial information, medical information, and children’s information). This is achieved by enacting new laws. For example, the U.S. Congress enacted the Children’s Online Privacy Protection Act (COPPA), which requires websites directed to children under the age of 13 to obtain verifiable parental consent before collecting their information. COPPA provides the FTC with the authority to issue regulations that establish requirements for websites directed to children.

Regulatory Powers

Regulators implement laws by using the government’s police power. Aside from establishing rules and enforcing them, agencies provide guidance in the form of formal opinions. A consent decree is often entered into between a regulator and a non-compliant entity. These consent decrees generally require the violator to pay money to the government and to agree not to violate the relevant law in the future. They also require that the violator take steps to improve privacy and security.

Regulated Entities

Organizations can determine which privacy laws they are subject to by performing a data inventory to determine the types of information they collect.

Federal Privacy Regulations

Educational Privacy

The U.S. Department of Education regulates educational privacy through the Family Educational Rights and Privacy Act (FERPA). FERPA is a federal statute that provides students with control over disclosure of and access to their education records. FERPA applies to all educational institutions that receive federal funding (elementary schools, secondary schools, and post-secondary schools). FERPA provides students the right to:

  • Control the disclosure of their education records to others.
  • Receive annual privacy notice of their rights under FERPA.
  • File complaints with the U.S. Department of Education.

Medical Privacy 

The Office for Civil Rights (OCR) regulates medical privacy under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA covers healthcare providers, health plans and healthcare clearinghouses. HIPAA protects the privacy and security of healthcare information. Protected Health Information (PHI) is defined as any individually identifiable health information that is transmitted or maintained in any form or medium and identifies individuals.

Financial Privacy

In 2011, the Commodity Futures Trading Commission (CFTC) assumed enforcement authority of the Gramm-Leach-Bliley Act (GLBA). The GLBA Privacy Rule establishes a standard for privacy notices under which a financial institution must provide initial and annual privacy notices to consumers. Privacy protection generally applies to consumers who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes. Financial institutions include entities such as banks, insurance providers and securities firms. GLBA requires financial institutions to protect consumers’ nonpublic personal information.

Consumer Privacy

The FTC is an independent U.S. law enforcement agency charged with protecting consumers, and it enforces privacy and cybersecurity requirements. Section 5 of the FTC Act regulates unfair and deceptive acts or practices in or affecting commerce. The FTC also enforces COPPA. Since 2000, the FTC has brought around 30 COPPA enforcement actions due to non-compliance with COPPA.

State Privacy Regulations

California

The California Consumer Privacy Act of 2018 (CCPA) is the most comprehensive state privacy law in the United States. The CCPA is the first cross-sectoral state privacy and security law. Under the CCPA, California residents are guaranteed certain privacy rights if their personal information is collected. Under the CCPA, a consumer has the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to “opt-out.”[1] The CCPA carries a private right of action, which allows individuals to directly sue noncompliant firms.

Massachusetts

The Massachusetts security law has generally been considered one of the strictest in the U.S. Under M.G.L. c. 93H, every person or entity that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. The definition of personal information includes biometric information. The Massachusetts law establishes minimum standards to protect personal information contained in both paper and electronic records.

New York

The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect in 2020. Under the SHIELD Act, any person or business that owns or licenses computerized data that includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that information. Any person or business that conducts business in New York and owns or licenses computerized data – which includes private information of NY residents – shall disclose any breach of the security of the system, following discovery or notification of the breach, to the New York Attorney General’s Office.


In response to the rapid uptick in breaches involving personal data, more privacy regulations are coming into effect at the local, state, federal, and international levels. As these privacy regulations come into effect, companies are quickly recognizing that effective privacy management is not just a key compliance activity but also a key factor in business enablement in the digital economy.

Figure 1. HIPAA Enforcement Action


This bar graph shows a comparison of the complaints that OCR has investigated and resolved by calendar year according to the type of closure, and includes a bar reflecting the total closures. The first bar in the group of three per year represents the complaints closed in which there was no violation, the second those in which there was corrective action, and the third reflects the total closures.[2]

Figure 2. Privacy Enforcement Action Financial Impact

Equifax experienced a data breach that affected more than 150 million people. The FTC filed a complaint against Equifax because it failed to properly secure information.


On July 24, 2019, the FTC and the U.S. Department of Justice imposed a $5 billion penalty on Facebook for misrepresenting the control that users have over their information.


[1] Title 1.81.5. California Consumer Privacy Act of 2018 [1798.100-1798.199] Amended by stats. 2019, ch 757, Sec. 1. (AB 1355) Effective 1, 2020.)

[2] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html
