In the United States, data privacy laws and compliance are no longer a legal-department footnote. They are a board-level risk tied to enforcement penalties, vendor exposure, and every system holding personal data. There is no single federal privacy statute. Instead, US organizations answer to a widening mesh of state consumer-privacy acts, sector rules like HIPAA, and a federal enforcer in the Federal Trade Commission. The result is a problem most executives are still mispricing: twenty separate state regimes are treated as twenty separate projects, when they should be run as one control set.

The Operating Model

This guide reframes the work. It is written for the leaders who sign the budget and carry the accountability: chief data officers, CIOs, and enterprise architects. It lays out the operating model EWSolutions uses to turn a fragmented obligation map into a single, auditable program.

It is educational and does not constitute legal, financial, or investment advice; treat it as a strategic frame, then pressure-test the specifics with counsel.

Data privacy compliance is the set of policies, controls, and evidence you use to prove, on demand, that your handling of personal data matches what the applicable statutes require: lawful collection, honored consumer rights, and defensible security. That definition is the easy part. The hard part is fragmentation.

Unlike the European Union, where one regulation sets the bar, the US has no single omnibus federal law. As the Congressional Research Service documents, rather than adopting one national consumer privacy statute, Congress has enacted sector-specific privacy laws that apply to particular industries and data types, so data privacy regulations accumulate state by state and industry by industry. Two organizations with identical data can face different data protection regulations simply because their customers live in different states. Congress has not moved to harmonize data protection laws into one national statute, which is why a coherent strategy starts by mapping obligations rather than reading a single law.

The US privacy map: federal floors, state pillars

The United States regulates privacy through a patchwork, not a single law: a federal baseline for specific sectors, topped by broad consumer-privacy statutes that vary state by state. Understanding the shape of that map is the first executive task, because it determines where your obligations stack.

At the federal level, the rules are sectoral rather than universal:

  1. The Health Insurance Portability and Accountability Act (HIPAA) governs protected health data and binds covered entities such as healthcare providers, health plans, and their business associates.
  2. The Gramm-Leach-Bliley Act covers financial institutions and requires them to safeguard the financial information they hold and explain their information-sharing practices.
  3. The Children’s Online Privacy Protection Act requires verifiable parental consent before a business collects personal information online from children under 13; a growing number of states extend similar protection to student data.
  4. The Privacy Act of 1974 governs how federal agencies maintain records in their systems of records.

Above all of these sits the Federal Trade Commission, which uses its Section 5 authority over unfair or deceptive business practices as a de facto national privacy enforcer. When a company misstates how it will protect consumer data, the FTC can treat that gap as a deceptive act.

The state laws driving the agenda

As of February 4, 2026, twenty states had broad consumer privacy laws in effect, according to the privacy tracker MultiState. That count includes Florida, whose law has a narrower scope than the others. New laws in Indiana, Kentucky, and Rhode Island took effect on January 1, 2026, and the year also brings amendments, expanded data broker registration, new consumer-health-data protections, and automated-decision-making rules rather than a wave of brand-new omnibus statutes, per MultiState’s 2026 analysis of state-level omnibus privacy acts. The laws that shape most enterprise programs include:

  1. California. The California Consumer Privacy Act (CCPA), expanded by the California Privacy Rights Act, which protects California residents and is policed by a dedicated regulator, the California Privacy Protection Agency.
  2. Virginia. Virginia’s Consumer Data Protection Act, the template many later laws followed.
  3. The expanding roster. The Connecticut Data Privacy Act, the Oregon Consumer Privacy Act, the Utah Consumer Privacy Act, the Nebraska Data Privacy Act, and the Rhode Island Data Transparency and Privacy Protection Act.

Many of these statutes use GDPR-like concepts such as access, correction, deletion, portability, opt-out rights, risk assessments, and purpose limits, without the single national scope of the European Union’s General Data Protection Regulation. The strategic mistake is to read this as twenty rulebooks. Read closely, the state laws rhyme, and that overlap is the opening EWSolutions builds the operating model around.

The data these laws protect

Every US privacy program begins with one question: what personal data do we hold, and how sensitive is it? The laws draw a sharp line between ordinary personal data and sensitive categories that carry heavier duties.

Ordinary personal data, often called personally identifiable information, includes names, contact details, and most customer data tied to an identifiable person.

Sensitive personal data, sometimes written in statute as sensitive personal information, triggers stricter rules and usually a consent requirement before you collect it.

Under California’s definition, that sensitive tier includes:

  • Information about health, sex life, or sexual orientation
  • Genetic data and biometric data used to identify a person
  • Precise geolocation
  • Financial account credentials
  • Data revealing racial or ethnic origin, immigration status, or religious or philosophical beliefs

Payment card data sits in its own regime: the PCI DSS security standard protects payment account data and applies to entities that store, process, or transmit cardholder data. Under most state laws the people this data describes, the data subjects, gain specific rights over it. The practical implication for the enterprise is blunt: you cannot protect, delete, or report on data you have not inventoried, and such data is exactly where regulators and attackers look first.

Shared obligations beneath the patchwork

The major US state privacy laws impose roughly the same families of duties, which is what makes a single control set possible. Map your program to these, and you cover most of the country at once. Connecticut’s law is a useful reference point, because its published obligations mirror what most states now expect:

  1. Personal data may be gathered only for purposes that are adequate, relevant, and reasonably necessary – the principle of data minimization. What you collect, and why, must be documented at the point of collection.
  2. Explicit consent is mandatory before processing sensitive data, and it must be freely given, specific, and revocable.
  3. Individuals can request access to their information, correct it, delete it, obtain a portable copy, and opt out of sale, targeted advertising, and certain profiling. California frames these as the rights to limit, opt out, correct, know, delete, and equal treatment, per the California Privacy Protection Agency. You must answer those consumer requests within statutory windows – 45 days under both California and Connecticut law – and prove you did.
  4. Data cannot be kept longer than its stated purpose requires; a defined retention schedule should govern the full data lifecycle.
  5. Records must be kept current, with a working process to fix errors.
  6. Reasonable security measures, including access controls, monitoring, and encryption, must protect data against unauthorized access. Mature programs layer stronger controls by data sensitivity.
  7. You must maintain internal records of data processing, run risk assessments for higher-risk uses, and be able to prove compliance.

Some states also regulate sharing directly. Selling personal information, and other cross-context sharing with third parties, triggers opt-out rights your systems have to honor in near real time.

Notice what this list is not. It is not a legal checklist. It is a data-management specification. Every duty depends on knowing what data you hold, where it lives, why you have it, and who can touch it. That is a metadata and governance problem before it is a legal one, which is precisely why privacy programs led solely from inside the law department tend to stall. Sound data handling, not legal language, is what regulators ultimately credit.

The operating model: one control set, many laws

EWSolutions runs US privacy compliance on a collect-once, comply-many operating model: a single governed control set mapped to the shared obligations above, with counsel validating state-specific exceptions, rather than a separate project per state. The logic is straightforward: if twenty laws demand the same handful of things, you build them once and maintain a thin mapping layer that shows each regulator how your controls satisfy its specific text.

The model rests on four layers:

  • A governed data inventory. Everything starts with an authoritative, metadata-driven map of personal and sensitive data across the estate – the single source of truth that consumer requests, retention rules, and breach response all draw from.
  • A unified control set. One set of policies and technical safeguards, from minimization and consent capture to access control, retention, and deletion, engineered to the strictest applicable standard, usually California’s.
  • A regulatory mapping layer. A maintained matrix that ties each control to the specific provision it satisfies in each state, so adding a new state law becomes a mapping exercise, not a rebuild.
  • An accountability and metrics layer. Defined ownership, audit-ready evidence, and a small set of metrics that prove the program works.

An enterprise scenario

Consider a retailer with operations across twelve states and a loyalty program holding biometric data, financial account credentials, and purchase history. Before the engagement, four teams ran four uncoordinated efforts, and a single deletion request could touch nine systems with no authoritative record of where the data lived. Under the strategic direction of David Marco, PhD, President & Executive Advisor, EWSolutions deployed its industry-proven methodology to consolidate the work into one governed inventory and one control set mapped across all twelve jurisdictions. Leveraging a track record of a 100% project success rate since its founding in 1997, EWSolutions implemented this framework to deliver a 91% reduction in ongoing program operational costs by collapsing redundant, project-by-project work into a single unified control set.

Who owns privacy in the enterprise

In the US, there is no general federal mandate that every company appoint a data protection officer, which makes accountability an executive design choice rather than a default. Because there is no single omnibus federal privacy law, that GDPR-style requirement does not apply across the board. Specific rules still impose role-based duties: HIPAA requires a covered entity to designate a privacy official, and Massachusetts requires organizations subject to 201 CMR 17.00 to designate one or more employees to maintain a written information security program.

That freedom becomes a trap when it produces diffusion. Privacy work scattered across legal, security, marketing, and IT, with no single owner, is how obligations fall through the cracks and how enforcement begins. The operating model assigns clear lines:

  • The CDO or equivalent owns the data inventory and governance layer.
  • Security owns the technical safeguards and breach response.
  • Legal owns the regulatory mapping and interpretation, and the role of data controller for accountability purposes.
  • A named executive sponsor owns the program and reports its state to the board.

Accountability you can name is accountability a regulator will credit.

The real cost of non-compliance

For US organizations, privacy enforcement now carries seven-figure penalties, and the regulators have made their priorities explicit. Recent California actions show the exposure in concrete numbers:

  • California Privacy Protection Agency, $1.35M. The California Privacy Protection Agency ordered Tractor Supply to pay a $1.35 million fine, the largest in the agency’s history, for failures that included disclosing personal information to other companies without privacy-protective contracts.
  • California Attorney General, $1.55M. The California Attorney General secured a $1.55 million settlement from Healthline, its largest CCPA settlement to date, over tracking that could reveal a consumer’s medical condition.
  • Federal Trade Commission, $7.8M. The Federal Trade Commission required online-therapy provider BetterHelp to pay $7.8 million for consumer refunds after it shared sensitive health data with advertisers.

Penalties also compound by design. Under the CCPA, civil penalties are assessed per violation – not more than $2,663 per violation, rising to $7,988 for intentional violations or those involving consumers under 16. Those amounts can scale quickly when a single deficient practice affects many consumers.

Beyond fines sits the human cost regulators care about most: identity theft. When a data breach exposes Social Security numbers or financial account credentials, the downstream fraud is what turns a technical incident into a headline, and it is why strong encryption matters: applied well, it keeps exposed data unreadable to attackers.

Third-party risk and data processing agreements

Vendor and supply-chain exposure is a major source of privacy and security risk, and written agreements are central to controlling it. Every processor, analytics platform, and marketing tool that touches your records can inherit your obligations, and regulators hold the originating business accountable for how partners handle the data collected on its behalf – as the Tractor Supply action showed, missing vendor contracts were part of the violation.

State laws and HIPAA both require written agreements that bind third parties to defined standards. HIPAA obliges a covered entity to put a business associate contract in place, and the CCPA requires privacy-protective written contracts with service providers, contractors, and other recipients. A sound data processing agreement should:

  • Name the purpose limits, so a vendor cannot repurpose data you supplied for one service to train an unrelated product.
  • Require equivalent security measures and breach-notification timelines.
  • Grant audit and deletion rights, so you can prove the chain of custody during a regulatory review.
  • Flag any onward sharing, because cross-context sharing for advertising can convert a vendor relationship into a regulated sale.

The practical control is a vendor inventory tied to your data inventory: for each partner, what data they receive, under which agreement, and with what security posture. Without that map, third-party risk is invisible until it becomes a notification letter.

AI governance as the next privacy frontier

Artificial intelligence has turned every privacy program into an AI governance program, whether the organization has named it or not. The moment personal data flows into a model, whether as training input, a feature, or a prompt, the same data protection laws apply, and several states now single out profiling and automated decision-making for extra scrutiny. California regulations, for example, require risk assessments for higher-risk processing and add notice and opt-out rights for automated decision-making technology that take effect on January 1, 2027, per MultiState’s 2026 analysis of state-level consumer statutes.

Three questions decide whether your AI use is defensible:

  • Provenance. Can you show that the data collected to train or fine-tune a model was gathered lawfully and within its original purpose? Repurposing customer data for model training without a basis is a growing enforcement concern.
  • Consumer rights. When a data subject asks you to delete their information, can you account for systems where personal data has been embedded into a model or a vector store?
  • Automated decisions. Where models drive decisions about people, can you explain the logic, run bias and risk assessments, and offer the opt-outs that state laws increasingly require?

This is where governed metadata pays a second dividend. The same inventory that maps personal data for privacy compliance also tells your data science teams which fields they may lawfully use, turning AI governance from a blocker into a guardrail. Regulatory readiness and responsible AI are the same discipline viewed from two angles.

A breach-response playbook

Speed, not perfection, is what separates a contained incident from a regulatory event. All fifty states have breach-notification laws requiring disclosure to affected consumers, and many focus on unencrypted personal information, so the exact obligation depends on the jurisdiction and the data involved.

A tested playbook moves through four stages:

  1. Detection and scoping. Identify what personal data was exposed and whose – the inventory makes this a lookup, not a forensic dig.
  2. Containment. Isolate affected systems and confirm whether encryption was applied. Where strong encryption was in place and the keys were not compromised, the data remains unreadable to attackers, and many state laws narrow or remove the duty to notify in that case – though obligations vary by state.
  3. Notification. Inform affected individuals and the relevant state Attorney General inside the statutory window, with clear guidance on identity theft protection where Social Security numbers or financial account credentials were involved.
  4. Remediation and review. Close the gap, document the response, and feed lessons back into your controls.

The deciding factor in all four stages is preparation. A business that already knows where sensitive data lives can scope a breach in hours; one that does not can take weeks, and regulators read that delay as a governance failure.

Regulatory readiness and board accountability

Privacy has become a standing board agenda item, and directors now expect a defensible answer to one question: are we ready? Regulatory readiness is not a binder that gets dusted off during an audit; it is a continuous posture, reported on a regular cadence with evidence behind it.

A board-ready reporting model gives directors four things each quarter: the current state of the data inventory, the status of open consumer requests against statutory deadlines, the results of recent risk assessments, and the trend in operating cost as the program consolidates. Framed this way, the conversation shifts from vague assurance to defensible return on investment – leaders can show exactly what the program reduces and what it returns.

That posture is also the best protection against expanding enforcement. As regulators move from California outward, the organizations that can document how they protect consumer data, evidence their consent records, and demonstrate disciplined data handling will absorb new state laws with minimal disruption. The rest will keep paying for the same work twice.

Priorities for the next two quarters

Before any new state law lands, three moves give US executives the most risk reduction per dollar. They are sequenced deliberately, because each one makes the next cheaper.

  1. Commission a data inventory and risk assessment. Start with the systems holding sensitive categories – health, financial, biometric, and student data – where penalties are steepest. You cannot safeguard sensitive data you have not mapped.
  2. Engineer to a high baseline. Building your control set to California’s bar can reduce duplicate work across states, because a program aligned with the CCPA already covers many common obligations. State-specific applicability, exemptions, cure periods, and enforcement procedures still require counsel review and per-state mapping.
  3. Stand up the consumer-rights workflow. Access, correction, and deletion requests carry hard deadlines. A tested, automated workflow that intakes a request, verifies identity, and releases data only to the verified individual is one of the most visible signals of a working program.

Treat these as governance investments, not compliance costs. The same inventory that satisfies a regulator also supports cleaner analytics and faster audits, and it strengthens how you protect personal data at every stage.

How to measure privacy ROI

A privacy program earns its budget only if it produces metrics the board can read, so define them before you build. Track a short, honest set:

  • Coverage shows how much of the estate you actually govern – the percentage of systems reflected in the governed inventory.
  • Response time exposes whether your rights workflow holds up – average days to fulfill consumer requests against the statutory limit.
  • Risk burndown proves the program is moving – high-risk processing activities remediated quarter over quarter.
  • Operating cost wins the budget argument – total privacy spend as redundant, per-law work consolidates into the shared control set.

When compliance cost falls while coverage rises, privacy stops being a tax and starts being a return.

Request an Executive Briefing

The US privacy map will keep expanding: more states, more sector rules, more enforcement. The organizations that stay ahead will not be the ones with the largest legal teams; they will be the ones that built a governed data foundation once and let every new law map onto it.

If you want a clear read on where your program stands against the obligations above, request an EWSolutions Executive Briefing. In a focused working session, we benchmark your current data privacy practices, score your readiness against the state laws that apply to you, and hand you the governed-control-set framework as a working blueprint. Book your consultation and download the framework to turn data privacy laws and compliance from a recurring scramble into a measurable, board-ready program.