US State Laws (2)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
North America (4)
COPPA is the primary US federal law protecting children's online privacy. It requires verifiable parental consent before collecting personal information from children under 13. Persistent identifiers including cookies are classified as personal information. The 2025 amendments expand protections significantly.
HIPAA protects health information privacy. OCR's 2022 guidance clarified that marketing pixels and tracking technologies on healthcare websites can constitute impermissible PHI disclosure. Cookie consent banners do NOT satisfy HIPAA authorization requirements. Enforcement now targets browser-based tracking.
GLBA requires financial institutions to explain information-sharing practices and give customers the right to opt out of sharing with certain third parties. The updated Safeguards Rule mandates comprehensive security programs. Most US state privacy laws exempt GLBA-regulated entities.
FERPA protects student education records at federally funded institutions. Written consent is required before disclosing personally identifiable information from education records. The sole enforcement mechanism is withdrawal of federal education funding — a penalty so severe it has never been imposed.