🇺🇸 United States
The United States has no single federal privacy law and relies on a sectoral mix (health, financial, children) layered over a fast-growing patchwork of state privacy laws led by California. For digital identity, many organizations look to NIST SP 800-63 as the de facto reference.
HIPAA sets U.S. national standards for protecting individuals' health information. Its Privacy Rule governs use and disclosure of protected health information, and its Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI).
The Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of customer information. The FTC Safeguards Rule implements GLBA for non-bank financial institutions and, as amended in 2021 (with most of the new requirements enforceable from June 2023), prescribes specific controls including access controls, encryption of customer information in transit and at rest, and multi-factor authentication for anyone accessing customer information. A further 2023 amendment added a duty to notify the FTC of breaches affecting 500 or more consumers.
The Sarbanes-Oxley Act established corporate accountability and financial reporting reforms for U.S. public companies. Section 404 requires management to establish, maintain, and assess internal control over financial reporting (ICFR). Effective ICFR depends heavily on IT general controls such as access management and segregation of duties.
The CCPA grants California consumers rights over their personal information, and the CPRA expanded those rights and created the California Privacy Protection Agency. Businesses must honor rights to know, delete, correct, and opt out of sale or sharing, and must verify the requester's identity before fulfilling requests to know, delete, or correct; opt-out requests must be honored without a verification step.
COPPA regulates the online collection of personal information from children under 13. Operators of child-directed sites and services must give notice and obtain verifiable parental consent. The FTC's 2025 Rule amendments expanded covered personal information to include biometric and government identifiers.
NIST SP 800-63 is the U.S. federal reference for digital identity, defining models and risk-based assurance levels for identity proofing (IAL), authentication (AAL), and federation (FAL). It is mandatory for many federal systems and widely adopted as a best-practice benchmark by private organizations. Revision 4 was published in 2025.
BIPA is an Illinois statute that regulates how private entities collect, store, use, and disclose biometric identifiers and information such as fingerprints, retina or iris scans, voiceprints, and face geometry. It is one of the strictest biometric laws in the US because it gives individuals a private right of action with statutory damages, driving extensive class action litigation.
The VCDPA is Virginia's comprehensive consumer privacy law, effective 1 January 2023, giving residents rights over their personal data and imposing duties on businesses that control or process it. It treats biometric data processed to uniquely identify a person as sensitive data requiring opt-in consent. Enforcement rests solely with the Virginia Attorney General.
The Colorado Privacy Act is a comprehensive consumer privacy law effective 1 July 2023 that grants residents rights over their personal data and requires controllers to honor a universal opt-out mechanism for sale and targeted advertising. It treats biometric data used to identify a person as sensitive data requiring consent, and a 2024 amendment (HB 24-1130, effective 1 July 2025) added detailed obligations for biometric identifiers.
The TDPSA is Texas's comprehensive consumer privacy law, effective 1 July 2024, granting residents rights over their personal data and imposing controller and processor obligations. It treats certain biometric and sensitive data as requiring consent before processing, along with notice when sensitive or biometric data is sold. The Texas Attorney General has exclusive enforcement authority.