The Right to Remain Private: Where U.S. Law Lets You Down

With no law like Europe's GDPR to protect personal data, Americans have to rely on a patchwork of regulations

“There are shockingly few legal privacy protections in the United States,” says Maureen Mahoney, a policy analyst at Consumer Reports.

No federal law provides the kind of broad consumer rights granted in 2018 by the European Union’s General Data Protection Regulation. But scandals involving Facebook, Google, and other tech giants are helping to raise interest in such legislation.

For instance, 63 percent of Facebook users say the company shouldn’t be allowed to collect data on them when they’re not using Facebook, according to a January 2019 CR nationally representative survey of more than 2,000 U.S. adults.

“We still have a long way to go nationally,” Mahoney says. “But a number of state legislatures have stepped up and passed privacy laws of their own.” (See details, below.)

For now, the following national laws provide some protections for consumers.

Federal Trade Commission Act

This law prohibits “unfair or deceptive” business practices. That means companies are prohibited from making misleading statements about how they handle your data.

But as long as they adhere to the terms in their privacy policies and user agreements, which can be vague and filled with jargon, the companies are mostly free to collect and use information as they see fit.

It wasn’t the voluminous data gathering or the way information was shared that led to Facebook’s recent $5 billion settlement with the FTC. It was the misleading statements the company made about the control that consumers had over that personal information.

Health Insurance Portability and Accountability Act

HIPAA limits what healthcare providers can do with your medical data, preventing doctors, insurance companies, and billing firms from disclosing that info without permission. But it doesn't necessarily protect info collected by a smartwatch, reproductive health app, or direct-to-consumer genetic testing service. Unless the info ends up in a healthcare provider’s files, it has the same limited protections as other data about you.

Children’s Online Privacy Protection Act

COPPA requires companies to get verifiable parental consent before collecting info from children younger than 13. Firms must also explain how the data might be used, properly secure the information, and provide parents with the means to delete it. Yet once consent is granted, such data is fair game, albeit generally off-limits to third parties. The problem is that digital toys and apps are often useless without a quick sign-off. Additionally, YouTube has been accused of violating COPPA. Despite its many child-oriented videos, YouTube says in its terms of service that the site is intended for teens and adults.

What's Next?

A number of states are pressing ahead with laws that could become models for national legislation. Here are a few examples:

The California Consumer Privacy Act is on track to become the country’s most sweeping privacy law when it takes effect Jan. 1. The law gives consumers the right to access, delete, and opt out of the sale of personal data.

The Biometric Information Privacy Act, passed in 2008, governs companies that collect and use fingerprints and facial recognition data. Amazon, Facebook, Google, and Six Flags have been sued over alleged violations. Texas and Washington have similar laws, minus the individual’s right to sue.

The Act to Protect the Privacy of Online Customer Information, signed into law this year, places new restrictions on the state’s internet service providers. They generally can’t use or sell residents’ personal information unless the customer opts in. And they can’t charge people more for refusing.

HB 2395 mandates “reasonable security features” for most products that connect to the web. That can include supplying unique passwords or requiring users to create one, practices that could help prevent malicious strangers from hijacking baby monitors and home security cameras.

Act 171 of 2018 is the country’s only law to specifically regulate data brokers, those companies that stealthily collect and monetize people’s personal information. The firms are required to register with the state and provide annual updates on their business practices.

Editor's Note: This article also appeared in the October 2019 issue of Consumer Reports magazine.

Thomas Germain

I want to live in a world where consumers take advantage of technology, not the other way around. Access to reliable information is the way to make that happen, and that's why I spend my time chasing it down. When I'm off the clock, you can find me working my way through an ever-growing list of podcasts. Got a tip? Drop me an email or follow me on Twitter (@ThomasGermain) for my contact info on Signal.