Data Protection in USA 2025 Comparison: HIPAA, CCPA/CPRA, TDPSA & Co.
Data Privacy Laws in the U.S.: How Companies Can Navigate the Patchwork in 2025
U.S. data privacy laws are becoming an increasingly complex challenge for businesses. While the GDPR provides a unified framework across Europe, the situation in the United States is markedly different: instead of one overarching federal law, there is a growing patchwork of state-level regulations—each with its own scope, obligations, and enforcement mechanisms.
One of the fundamental differences between European and U.S. privacy regulations lies in the concept of user consent. Europe follows a strict opt-in model, where users must actively give their consent before data can be processed. Most U.S. state laws, on the other hand, are based on an opt-out approach—data processing is generally permitted until the user chooses to object.
This opt-out model is relatively easy to implement, as it allows data collection by default. For EU-based companies, this might seem like an opportunity compared to the stricter opt-in model. However, complexity arises when businesses are required to implement both systems in parallel—depending on the markets they serve.
Moreover, many U.S. privacy laws apply extraterritorially. This means companies without a physical presence in the U.S. may still be subject to regulations from states like California, Colorado, or Virginia—adding another layer of compliance efforts.
To complicate matters further, many U.S. states still lack comprehensive privacy laws altogether. This creates legal uncertainty and forces companies to monitor regional differences closely and adapt their consent strategies accordingly.
But there is hope for a more unified approach: The proposed American Privacy Rights Act (APRA) is a promising piece of federal legislation that could establish nationwide standards—similar to the GDPR. Yet, questions remain: Will the bill pass? And how would it impact business operations?
In this article, we explore the evolving U.S. privacy landscape in 2025 and beyond, examine key laws, highlight the differences from the GDPR, and provide guidance on how to align your organization with current and upcoming regulations.
U.S. State Privacy Laws (2025/2026): A Comprehensive Overview for Businesses
The U.S. data privacy landscape is becoming increasingly complex. More and more states are enacting their own privacy laws—each with distinct scopes, enforcement timelines, and consent requirements. Depending on the jurisdiction, businesses may need to apply opt-in or opt-out mechanisms and implement technical standards such as Global Privacy Control (GPC).
The following overview lists all current and upcoming U.S. state privacy laws from 2019 through 2026—including abbreviations, effective dates, consent models, and key compliance requirements. It provides businesses with a clear roadmap of which laws they must prepare for.
Table 1: Overview of U.S. State Privacy Laws (2019–2026)
A defining feature of the U.S. approach to data privacy is the opt-out model: businesses are generally allowed to collect and process personal data unless the user explicitly objects. This stands in stark contrast to the opt-in model mandated by the GDPR, which requires active user consent before any data collection can take place.
It’s important to note that the opt-out model in the U.S. is not absolute. There are significant exceptions, especially for sensitive categories of data. For example, the Children’s Online Privacy Protection Act (COPPA) requires verifiable opt-in consent for data collected from children under 13. Similarly, certain types of health-related data are subject to stricter requirements and cannot be processed without explicit permission. These exceptions indicate a gradual shift toward stricter privacy standards in specific sectors—suggesting a possible convergence with international frameworks.
In the next section, we explain the mechanics of the opt-out model, how it can be implemented technically, and what businesses should keep in mind when designing compliant and user-friendly consent processes.
Opt-In, Opt-Out & GPC Explained: What Businesses Need to Know About Privacy Preferences in 2025
At the heart of modern data privacy laws lies a fundamental principle: individuals have the right to control how their personal data is used. Globally, lawmakers distinguish between two core models: opt-in and opt-out. Whether users must actively give consent—or only need to object to data processing—has far-reaching implications, especially for international consent management strategies.
What Does Opt-In Mean?
Under the opt-in model, individuals must give explicit, affirmative consent before any data processing can take place. This approach is central to the General Data Protection Regulation (GDPR) and places high demands on transparency and user education.
Typical Opt-In Mechanisms:
- Cookie banners with an “Accept” button that users must click to provide consent
- Granular controls that allow users to choose specific purposes for data use (e.g., analytics, marketing, personalization)
- Mandatory disclosures about processing purposes, data recipients, retention periods, and the right to withdraw consent
- Linked documents such as privacy policies, cookie notices, and terms of service
Without valid consent, the processing of personal data is prohibited—non-compliance can result in substantial fines. A well-known example: Google Analytics may only be used within the EU if users have actively opted in.
What Does Opt-Out Mean?
The opt-out model, common in many U.S. privacy laws such as the CCPA (California) and CPA (Colorado), allows businesses to process personal data by default—unless the user actively objects.
Typical Opt-Out Mechanisms Include:
- “Do Not Sell My Personal Information” links on websites
- Browser signals such as Global Privacy Control (GPC), which automatically communicate user preferences
- Reject buttons in cookie banners that let users opt out of tracking
Unlike the GDPR, explicit consent is not required—unless the data in question is sensitive (e.g., health information) or involves minors under 16, in which case opt-in consent becomes mandatory.
A practical example: In California, retargeting via the Facebook Pixel is permitted without prior consent—but only if users are clearly informed and given a technically enforceable option to opt out.
Technical Comparison: Consent Management – EU vs. U.S.
For internationally operating businesses—especially SaaS providers, MarTech platforms, and e-commerce companies—this regulatory fragmentation results in significant operational complexity. Consent solutions must be able to legally distinguish between opt-in and opt-out regimes, using mechanisms such as geo-targeting, dynamic consent banners, or server-side consent forwarding.
Global Privacy Control (GPC) Explained: How the Privacy-Friendly Opt-Out Signal Works
Users are increasingly overwhelmed by cookie banners and tracking consent pop-ups during everyday browsing. As the demand grows for a simple, standardized way to manage privacy preferences, the Global Privacy Control (GPC) offers a promising solution: a privacy-centric, browser-based opt-out signal.
GPC was developed in response to the fragmented and inconsistent consent experiences across the digital ecosystem. Its goal is to provide a universal signal that automatically informs websites whether a user consents to the collection or sharing of their personal data—or opts out.
What makes GPC unique is that it operates independently of manual interaction: the signal is sent directly from the user’s browser or browser extension, without the need to click “Reject” on every cookie banner.
How GPC Works in Practice:
- Users activate the GPC signal once via their browser or a supported extension
- On each visit to a GPC-compliant website, an opt-out request is sent automatically
- The signal specifically applies to data collection and third-party sharing, such as for advertising purposes
- GPC is based on a standardized technical specification, making it easy for websites and Consent Management Platforms (CMPs) to detect and respond appropriately
In short: users no longer need to reject cookies on every site—a major step forward in terms of user control, privacy convenience, and regulatory compliance.
Where Is GPC Legally Recognized?
Global Privacy Control (GPC) is particularly relevant in the United States, where it is already legally enforceable under several state privacy laws. Notably, the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) require website operators to honor GPC signals. In California, ignoring a valid GPC request can lead to legal consequences, making compliance a critical issue for companies targeting U.S. consumers.
U.S. Privacy Laws vs. the GDPR: Key Differences
For businesses operating internationally, a major challenge lies in the fundamental difference between U.S. and EU privacy frameworks. While the European Union's GDPR establishes a single, comprehensive regulation across all member states, the United States lacks a unified federal privacy law. Instead, U.S. privacy is governed by a patchwork of sector-specific and state-level regulations, which vary significantly depending on the industry, data type, or geographic location.
This fragmented legal environment makes it difficult for companies to implement a consistent, global privacy strategy—especially when engaging with both EU and U.S. users simultaneously.
Fundamental System Difference: Fundamental Right vs. Consumer Protection
One of the most significant distinctions between the GDPR and U.S. privacy laws lies in their underlying legal philosophy:
- In the European Union, data protection is considered a fundamental right. The GDPR applies broadly to all personal data, regardless of industry or context.
- In the United States, privacy is typically framed as a matter of consumer protection—focused mainly on commercial contexts. As a result, not all types of data processing are legally regulated. Instead, regulation tends to apply only in specific sectors or use cases, as seen in laws such as:
  - HIPAA (Health data)
  - GLBA (Financial data)
  - FISMA (Government and security)
  - CCPA / CPRA (California state-level consumer protection)
GDPR vs. U.S. Privacy Laws: Key Differences at a Glance
Why German Companies Need to Understand U.S. Privacy Laws
Many German businesses mistakenly believe that U.S. privacy laws—such as the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA)—only apply to American companies. But this is a risky misconception: these laws include what's known as extraterritorial applicability. In other words, they also apply to foreign companies that process personal data of U.S. residents, even if the business is based in Germany.
A commonly overlooked fact: tracking a single website visitor from California can trigger compliance obligations under the CCPA/CPRA. For German companies offering digital products or services to the U.S. market, partnering with U.S.-based platforms, or running personalized ads targeted at U.S. users, this can quickly become a compliance risk.
And California is just the beginning. Other states—such as Colorado, Virginia, Connecticut, and Texas—have introduced similar extraterritorial provisions in their privacy laws. German companies may be legally required to comply with these regulations when processing U.S. user data, such as:
- Email addresses collected via newsletters
- IP addresses used in web analytics
- Device usage data for retargeting campaigns
- Purchase behavior tracked in e-commerce environments
The key takeaway: If your business processes user data from the United States, you must know where your users are located—and which state-level laws apply to their personal information.
Which German companies are affected?
You should keep an eye on US data protection requirements if you:
- Promote or offer products or services in the USA, especially in California.
- Operate a website that analyzes US traffic or sets cookies.
- Work with US platforms like Google, Meta, Stripe, or Mailchimp.
- Conduct retargeting or personalized advertising for US users (e.g., via Facebook Ads).
- Use CRM, newsletter, or automation tools that process US customer data.
In all these cases, regulations like the CPRA apply, even if you don't have a physical location in the USA.
Recommendations for Action for German Companies with US Traffic
To ensure legal compliance and meet data protection requirements, we recommend the following measures:
- Differentiate Consent Management by Region
  → Use a CMP (Consent Management Platform) with geo-targeting, such as Usercentrics with Region Rules.
- Actively Integrate a "Do Not Sell/Share" Function
  → Place a visible opt-out link for California & co. on your website.
- Set Up Server-Side Tracking with Consent Logic
  → Integrate your CMP decisions server-side and separate them by region.
- Document Consent Protocols Separately
  → Keep separate consent logs for EU and US users readily available (important for audits).
- Regularly Review the Legal Situation
  → Additional states such as Texas, Florida, or Montana have already passed data protection laws; stay up to date.
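The GPC detection described in the section above and the region-differentiated, server-side consent logic from these recommendations, combined in one added example (my code, not the article's and not any CMP vendor's). It assumes a constructed region table that covers only the EU, California and Colorado, a Node-style request headers object, and three constructed sample requests:

```javascript
// Added example, not code from the original article: a server-side consent
// gate that combines the visitor's region with the Global Privacy Control
// (GPC) request header, allows tracking only where the applicable regime
// permits it, and writes every decision into a per-jurisdiction consent log.

// Consent regimes as the article describes them. Only California and Colorado
// are marked as honoring GPC because those are the two states the article
// names; DEFAULT is a conservative opt-in fallback chosen here (assumption).
const REGIMES = {
  EU:      { model: "opt-in",  honorsGpc: false, logBucket: "eu" },
  "US-CA": { model: "opt-out", honorsGpc: true,  logBucket: "us" }, // CCPA/CPRA
  "US-CO": { model: "opt-out", honorsGpc: true,  logBucket: "us" }, // CPA
  DEFAULT: { model: "opt-in",  honorsGpc: true,  logBucket: "other" },
};

// The GPC specification defines the request header "Sec-GPC: 1" as the
// opt-out signal; any other value or a missing header means "no signal".
// Header names are matched case-insensitively (Node lower-cases them).
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Decide whether non-essential tracking may run for one request.
// storedChoice is the user's recorded banner or link choice: "accept", "reject" or null.
function decideConsent(region, headers, storedChoice) {
  const regime = REGIMES[region] || REGIMES.DEFAULT;
  const gpc = hasGpcSignal(headers);
  let trackingAllowed, reason;
  if (regime.model === "opt-in") {
    // EU-style: nothing runs until an affirmative "accept" is on record.
    trackingAllowed = storedChoice === "accept";
    reason = trackingAllowed ? "explicit opt-in recorded" : "no opt-in recorded";
  } else if (regime.honorsGpc && gpc) {
    // A valid GPC signal is a binding opt-out; it overrides an older "accept" (design choice, assumption).
    trackingAllowed = false;
    reason = "GPC opt-out signal honored";
  } else if (storedChoice === "reject") {
    trackingAllowed = false;
    reason = "user opted out via banner or Do Not Sell/Share link";
  } else {
    trackingAllowed = true;
    reason = "opt-out regime, no objection recorded";
  }
  return { region, model: regime.model, gpcSignal: gpc, trackingAllowed, reason, bucket: regime.logBucket };
}

// Append a decision to the log partition for its jurisdiction, so EU and US records stay separate.
function recordDecision(log, decision, timestamp) {
  if (!log[decision.bucket]) log[decision.bucket] = [];
  log[decision.bucket].push({ ts: timestamp, ...decision });
  return log;
}

// Constructed sample requests: an EU visitor who never accepted, a Californian with
// GPC switched on despite an old "accept", and a Californian with no signal and no objection.
const SAMPLE_REQUESTS = [
  { region: "EU",    headers: { "user-agent": "demo" }, storedChoice: null },
  { region: "US-CA", headers: { "Sec-GPC": "1" },        storedChoice: "accept" },
  { region: "US-CA", headers: { "user-agent": "demo" }, storedChoice: null },
];

// Run the samples through the gate and return the partitioned consent log.
function runSamples() {
  const log = {};
  SAMPLE_REQUESTS.forEach((r, i) =>
    recordDecision(log, decideConsent(r.region, r.headers, r.storedChoice), `t${i}`));
  return log;
}
```

The returned log has an `eu` partition with one denied decision and a `us` partition in which the GPC request is denied and the signal-free request is allowed.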
Sector-Specific Data Protection Regulations: HIPAA, COPPA & Co.
In addition to the comprehensive state privacy laws, numerous sector-specific data protection regulations govern the handling of sensitive data, depending on the sector or target group. For German companies interacting with US data or users, it is therefore crucial to know and comply with these individual laws. Particularly relevant are: HIPAA, COPPA, GLBA, and FERPA.
HIPAA – Data Protection in Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) is the central US law for the protection of health data. It obliges companies to implement technical, organizational, and physical security measures when working with patient data from the USA.
Does HIPAA also apply to German companies?
Yes. HIPAA is extraterritorial in its applicability, meaning it also applies to German companies if they:
- Process health data of US patients.
- Have access to such data (e.g., via IT services, telemedicine, or payment processing).
- Act as a Business Associate for US healthcare providers.
Note: Working in compliance with the GDPR does not automatically fulfill HIPAA requirements. HIPAA is more prescriptive in many areas, for instance regarding reporting deadlines for data breaches or physical access security.
COPPA – Data Protection for Children Under 13
The Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13 when using online services. Companies that collect data from children via websites, apps, or platforms must:
- Provide a child-friendly, transparent privacy policy.
- Obtain parental consent before collecting data.
- Not use the collected data for targeted advertising or tracking.
Does COPPA also apply internationally?
Yes – German companies are also obliged to comply with COPPA if they:
- Provide online content for children from the USA.
- Use analytics tools or tracking on children's websites.
- Evaluate or store user data from children under 13.
Violations of COPPA can lead to fines from the FTC (Federal Trade Commission).
GLBA – Protection of Financial Customer Data
The Gramm-Leach-Bliley Act (GLBA) obliges financial institutions in the USA to protect their customers' non-public personal information (NPI). This includes:
- Account data
- Credit information
- Transaction data
- Personally identifiable information in a financial context
Companies must inform their customers how they handle their data and provide opt-out options for data sharing. Relevance for German companies: Any FinTech, payment provider, or financial service provider interacting with US customers should ensure GLBA-compliant security and data protection levels.
FERPA – Protection of Educational Data
The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student data in the USA. It applies to all educational institutions receiving federal funds and grants:
- Parents the right to inspect and control their children's data.
- Students aged 18 and older control over their own educational information.
This includes, among other things:
- Grades
- Attendance records
- Address data or documents related to financial aid for studies
When are German providers affected?
Educational platforms, e-learning providers, or LMS (Learning Management System) providers that serve US schools or universities must operate in compliance with FERPA, for instance, regarding data sharing with third parties or the hosting of student profiles.
Why Data Transfers to the USA Remain Legally Uncertain – Despite the Data Privacy Framework
International tech giants like Google, Meta, Amazon, and Microsoft are central components of the digital ecosystem, including for many German companies. Whether through Google Ads, Meta Pixel, cloud services, or CRM platforms, most of these services require the processing of personal data by US companies.
However, this is precisely where the problem lies: The data protection standards of the USA and the EU fundamentally differ, making legally secure data transfers to third countries like the USA a legal gray area.
What does the GDPR say about data transfer to third countries?
According to Article 44 et seq. of the General Data Protection Regulation (GDPR), personal data may only be transferred from the EU to a third country if an adequate level of data protection exists there. This can be ensured either by:
- An adequacy decision by the EU Commission,
- Standard Contractual Clauses (SCCs), or
- Additional technical and organizational measures.
In the past, the USA has repeatedly faced criticism, particularly due to a lack of protection mechanisms against government surveillance.
Safe Harbor, Privacy Shield & Co. – A Look Back at the Failed Agreements
In recent years, there have been repeated attempts to enable legally compliant data transfer to the USA:
- Safe Harbor (2000–2015)
  → Declared invalid by the ECJ in Schrems I, as US authorities had extensive access to EU data.
- Privacy Shield (2016–2020)
  → Was also declared inadmissible in the Schrems II ruling, for the same reasons: lack of legal remedies for EU citizens and extensive access possibilities for US intelligence services.
- EU-US Data Privacy Framework (since 2023)
  → Current attempt at a new adequacy decision, intended to improve legal certainty. However, even here there is massive criticism from data protection advocates and legal experts who fear that this agreement will also not stand up before the ECJ.
American Privacy Rights Act (APRA): Is the First Unified US Data Protection Law Coming Now?
The absence of a unified data protection standard in the USA presents many companies with significant challenges. However, this could soon change: With the American Privacy Rights Act (APRA), a legislative draft for a national data protection law in the United States has been introduced for the first time.
On April 21, 2024, the APRA was published as an official discussion draft. The goal is to create a unified, comprehensive data protection law for all US states, comparable to the General Data Protection Regulation (GDPR) in Europe.
What does the APRA specifically entail?
The draft of the American Privacy Rights Act consolidates existing data protection regulations from states like California (CPRA), Virginia (VCDPA), or Colorado (CPA) and expands them with new control and protection mechanisms for consumers. Key elements include:
- Unified standards for all US companies that process personal data.
- Expanded rights for consumers, including access, deletion, correction, and objection.
- Transparent opt-out options for data processing for advertising purposes.
- Strict requirements for handling sensitive data.
- Increased powers for the Federal Trade Commission (FTC) for oversight and enforcement.
- Establishment of a compensation fund for affected individuals in cases of data protection violations.
What does the APRA mean for German companies?
Should the APRA come into force, it would establish a unified legal framework for the US market for the first time. For German and European companies that process personal data of US citizens, this would have two key advantages:
- Increased legal certainty in data transfer and processing (e.g., in marketing, e-commerce, SaaS).
- Uniform compliance requirements, instead of individual adjustments depending on the state.
However, it's important to note: The APRA is currently still in the legislative process – whether and when it will be passed is unclear. Furthermore, criticism is already emerging that some formulations are too vague or leave loopholes for large tech corporations.
With the American Privacy Rights Act, the USA would have its first opportunity to standardize data protection at a national level – a step that is long overdue. For companies worldwide, this would not only mean more clarity but also better comparability with the GDPR.
Whether the APRA will ultimately be adopted and how closely it will align with European data protection standards remains to be seen. But one thing is clear: The debate about a nationwide US data protection framework has long begun.
Conclusion: US Data Protection Laws 2025/26 – What's Next?
The coming years remain exciting, as 2025 and 2026 will also be largely defined by increasing data protection regulation in the USA. For German companies that process data of US citizens or use US services, the challenges remain high.
The fundamental differences between the GDPR and US data protection laws, especially in the assessment of government surveillance and personal data rights, continue to cause tension. While Europe understands data protection as a fundamental right, the USA pursues a sectoral, consumer-oriented approach that often appears insufficient from a European perspective.
Although the American Privacy Rights Act (APRA) was an attempt to introduce a nationwide uniform data protection law, its future is still uncertain. What is certain, however, is that more and more US states are passing their own data protection laws – including Indiana and Kentucky by 2026.
For internationally active companies, this means: Without intelligent consent management that takes regional differences in data protection into account, legally compliant data handling is hardly possible. Modern CMP (Consent Management Platform) solutions with geo-targeting, differentiated opt-out mechanisms, and legally compliant logging functions are no longer a nice-to-have, but a strategic necessity.