North America
COPPA is the primary US federal law protecting children's online privacy. It requires verifiable parental consent before collecting personal information from children under 13. Persistent identifiers including cookies are classified as personal information. The 2025 amendments expand protections significantly.
HIPAA protects health information privacy. OCR's 2022 guidance clarified that marketing pixels and tracking technologies on healthcare websites can constitute impermissible PHI disclosure. Cookie consent banners do NOT satisfy HIPAA authorization requirements. Enforcement now targets browser-based tracking.
GLBA requires financial institutions to explain information-sharing practices and give customers the right to opt out of sharing with certain third parties. The updated Safeguards Rule mandates comprehensive security programs. Most US state privacy laws exempt GLBA-regulated entities.
FERPA protects student education records at federally funded institutions. Written consent is required before disclosing personally identifiable information from education records. The sole enforcement mechanism is withdrawal of federal education funding — a penalty so severe it has never been imposed.