Data is everywhere. So are the rules that guard it.
Businesses in the US are caught between growing consumer expectations, new data privacy laws and concerns about potential fines. Yet there is still no single federal data privacy act that lays out exactly how an organisation must handle personal or sensitive data.

Instead, they must comply with a mix of state rules, sector laws and guidance from different regulators, all while their teams need reliable data to make decisions. It’s confusing, and waiting for clarity can feel risky.
This article will explain the current US landscape, highlight key risks and opportunities for marketers and data analysts and show practical steps they can take now to prepare.
The short answer is: no. There isn’t a single, comprehensive federal “Data Privacy Act” in the United States that governs how every organisation collects and uses personal data. In its place is a patchwork of sector- and state-based laws.
While this may seem appealing to those who favour less regulation, it makes it harder for marketers and analysts to do their job. They have to learn how different rules overlap, where they conflict and how they apply to their analytics tools, as well as maintain compliance with any laws in countries or regions where they do business internationally.
At the federal level, the United States regulates personal data through industry- and use-specific statutes. A few of the most important examples are:
These sector rules sit alongside separate data breach notification laws and data security laws at the federal and state levels. As a result, two companies can face very different obligations depending on the type of consumer personal data they handle, even if they use similar analytics tools.
Many states have started to build their own frameworks to protect their residents’ data. These data privacy laws give residents specific consumer rights and place duties on each data controller that collects or processes their personal data.
A few of the key laws to know:
This list is far from complete, as close to half of all US states have similar laws, including the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act and the Oregon Consumer Privacy Act.

Sector-level laws (e.g., HIPAA, COPPA and GLBA) and state-level laws (e.g., CCPA, VCDPA and CPA) exist, but there is not yet a single overarching federal law.
Together, these state-level privacy regulations form a moving target. Each one defines personal data slightly differently and draws its own line between categories like pseudonymous and de-identified.
For many teams that rely on analytics, tracking a visitor’s state is a necessity for compliance.
The biggest challenge in the United States isn’t one strict law. It’s the many different ones.
For businesses operating across state lines, compliance means tracking:
One resident might see a universal opt-out link, while another only has a basic cookie banner. If an organisation can’t prove that it followed these laws, an attorney general can open an investigation after a complaint or a breach.
Privacy notices and consent flows also vary by location.
Some states require clear “Do Not Sell My Personal Information” links. Others focus on how to handle sensitive categories, such as health or location data.
Organisations must know:
Without this, it becomes hard to honour deletion requests, manage de-identified data correctly or prove that they handled information responsibly.
The risk isn’t just regulatory. It impacts brand trust and reputation.
When the most frequently targeted data category is personally identifiable information, trust becomes a competitive factor. Organisations that apply consistent privacy protections across all states, not just when required, are often better positioned for long-term credibility (and future laws).
No one can control when or how a federal data privacy act will finally pass, but organisations can control how ready they are when it does. Privacy by design is the philosophy that teams build respect for personal information into every system from day one, instead of waiting for a new law or, worse, a data breach.
Several proposals have tried to create a single national framework for personal data. The failed American Data Privacy and Protection Act and the American Privacy Rights Act serve as two examples.
They include provisions around consumer rights, limits on the amount of collectable data and stronger enforcement powers for the Attorney General’s office or the Federal Trade Commission.
While any future bill will probably look different, it is likely to:
By reviewing the protections granted in these bills and weighing them with those already passed in existing state- and sector-level legislation, organisations can future-proof their systems now and gain a competitive edge.
US organisations pivoting to a more privacy-friendly stance should also study the European Union’s GDPR. Many of them already follow it because they serve EU or EEA data subjects.
It has requirements pertaining to:
It also pushes organisations to document how they have controlled or processed the personal data of individuals.
A future US consumer data privacy act is unlikely to copy GDPR word-for-word, but it might borrow many of the same themes, particularly around data minimisation and combining multiple data sources.
The best strategy for companies is to prepare their analytics infrastructure now as if a unified federal law were already in place. That means they should:

Building privacy by design into your analytics infrastructure can be done by following the steps listed above.
These best practices turn privacy by design into something concrete. Teams still get the insight they need, but they do so within a framework that respects data subjects, aligns with emerging data security laws and reduces the risk of painful changes later when a national data privacy law finally lands.
Businesses based in states without strong data protection legislation are not exempt from compliance requirements if they conduct business across state lines.
That means an eCommerce company based in Wyoming collecting personal data from customers in states like California or Virginia must follow each state’s rules for every visit that makes its way into their analytics tools.
As both state- and sector-level regulations change, the privacy by design approach becomes the more practical option. At some point, any marginal advantage gained by collecting more personal data is offset by the time and monetary costs of reconfiguring analytics tools.
A privacy-first platform helps teams:
It also gives a clear view of which data controller is responsible for what, how data subjects can exercise their consumer privacy rights and how teams can prove that they processed data lawfully.
Matomo is built on these ideas.
We’re an open source, privacy-first analytics suite that lets organisations own their data, deploy in the cloud or on-premise and configure tracking for compliance with strict regulations, like CCPA and HIPAA.
Features such as cookieless tracking, flexible consent tools and detailed access controls make it easier to align with state rules on personal data and consumer health data without losing sight of key metrics.
Matomo also avoids data sampling, which means compliance leads and analysts see the whole picture when they review behaviour or run data protection assessments. And it can track AI chatbot and AI agent traffic for free, something most tools can’t do.
Choosing privacy-first analytics now gives your team a stable base. As new state statutes arrive or a future national data privacy act takes shape, you can adapt settings rather than rebuild your measurement stack from scratch.
Personal data is everywhere, and the rules that guard it are only growing more complex. Even without a single federal data privacy act, state privacy laws and sector rules already shape how you collect, store and use personal data.
The most practical move now is simple: review your analytics stack and choose tools that support privacy by design as a default, instead of as an afterthought.
Start by mapping what you track, where it lives and which consent signals you respect, then phase out any platforms that cannot adapt to stricter requirements.
Matomo was built for this kind of future. Over a million websites trust Matomo for accurate, unsampled reporting, strong privacy controls and full data ownership.
Explore Matomo Cloud or On-Premise to prepare your organisation for whatever comes next.
H.R. 5807 from the 117th Congress (2021-2022), better known as the Digital Accountability and Transparency to Advance (DATA) Privacy Act, was a proposed federal bill to establish national data privacy standards in the United States.
Like the American Data Privacy and Protection Act and the American Privacy Rights Act, the DATA Privacy Act failed to pass. However, a bill like it may pass in the future.
As of early 2026, the following 20 states have data privacy regulations:
The following states have laws that will carry over or be introduced in 2026:
Alongside Washington, D.C., these states have no laws or current plans to enact them:
The Data Privacy Act is a Philippine law passed in 2012 that regulates the collection, processing, storage and sharing of personal data. It created the National Privacy Commission, the governing body responsible for its enforcement, and applies to organisations operating in the Philippines, as well as those outside the country that work with the data of Philippine citizens and residents.
It’s similar in scope to the GDPR.