Blog

U.S. Personal Data Protection Acts Explained

Written by

Ashley Ferraro, Product

Reviewed by

Jan 14, 2025

•

Min Read

Protect Your Payments

In 2022, the U.S. Congress introduced the American Data Protection and Privacy Act (ADPPA)^[1], a proposed federal law designed as a personal data protection act similar to the EU’s GDPR or Canada’s PIPEDA. Even though the act wasn’t passed into law, its introduction highlights the pressing need for a unified approach to protecting personal data in the U.S.

In this guide, we’ll explore the legal circumstances surrounding data protection and privacy, as well as the ADPPA and its provisions. We’ll also introduce methods you can use to make your personal information more secure online.

Disclaimer: Information in this article is not intended to be legal advice or regulatory guidance. It is provided for general informational purposes only and should not be considered a substitute for actual legal counsel.

The Current State of Data Protection in the U.S.

A close-up photo of a wooden judge’s gavel and two leather-bound books placed on a wooden surface — *Source:* *succo*

The U.S. has no comprehensive federal law regulating consumer data protection and privacy. Instead, your data privacy is protected by a patchwork of laws at the national level and, depending on the state you live in, state laws that might offer broader protections.

Federal Laws Protecting Personal Data

Several federal laws have provisions protecting data privacy. However, these provisions usually only apply to a certain type of data, industry, or context—they don’t offer blanket protection of all types of personal information whenever it’s gathered and processed.

These laws include:

Act	Description
Privacy Act of 1974^[2]	This law applies to federal agencies and governs how they collect, maintain, use, and disclose personal data. It also outlines individuals' rights to access and amend their records.
Health Insurance Profitability and Accountability Act (HIPAA)^[3]	HIPAA protects the privacy and security of an individual's medical information. It applies to healthcare providers, insurers, health plans, and healthcare clearinghouses, among others.
Gramm-Leach-Bliley Act (GLBA)^[4]	This act requires institutions in the financial sector to protect consumers' personal financial information and explain their data-sharing practices. It applies to banks, credit unions, insurance companies, and other financial institutions.
Children’s Online Privacy Protection Act (COPPA)^[5]	COPPA protects the online privacy of children under 13 years old. It requires operators of commercial websites and online services directed at children to get parental consent before collecting, using, or disclosing their personal information.
Fair Credit Reporting Act (FCRA)^[6]	FCRA regulates credit reporting agencies and protects the accuracy, fairness, and privacy of consumers' personal data in their credit reports. It gives individuals the right to access and dispute inaccurate or incomplete information.
Federal Trade Commission Act (FTC Act)^[7]	This act establishes the Federal Trade Commission (FTC) and gives it broad authority to regulate unfair or deceptive trade practices, including violations relating to data privacy.

State Privacy Laws

In addition to federal laws, individual states have their own data protection laws that apply within their borders. California pioneered this type of legislation with its California Consumer Privacy Act of 2018 (CCPA)^[8], which gave California residents four fundamental rights:

The right to know which of their personal information businesses collect and how they use it
The right to delete personal information collected on them
The right to opt out of the sale and sharing of personal information
The right to non-discrimination for exercising their rights
‍

CCPA was amended by the California Rights Privacy Act in 2020 to include additional rights, such as the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information^[8].

CCPA and CPRA apply to information about individuals and households, and they define sensitive personal information—such as passwords, Social Security numbers, and bank information—as a subset of personal information that requires additional protections.

These laws also have some limitations. For example, they don’t apply to certain types of publicly available personal information, such as real estate records or professional licenses. They also only target commercial businesses that meet any of three conditions:

An annual revenue of over $25 million
Collection and processing of information from over 100,000 California residents or households
50% or more of their annual income coming from processing California residents’ or household’s data
‍

Other states with similar data privacy laws include Colorado^[9], Utah^[10], Connecticut^[11], and Virginia^[12].

American Data Protection and Privacy Act and Its Provisions

A photo showing an out-of-focus man in a white shirt and dark suit pointing at an illustration of balancing scales — *Source:* *herbinisaac*

With a holistic approach to data protection, the ADPPA sought to provide a unified framework for protecting personal information and giving individuals more control over how their data is collected, used, and shared by organizations. That way, it aimed to create a level playing field for businesses while providing individuals with a consistent and enforceable set of data rights.

Some key provisions of the ADPPA included^[1]:

Reasonable data collection—Businesses should collect, process, and transfer only the personal data necessary for specific purposes and not more than what’s reasonably required.
Data handling requirements—Organizations should implement reasonable data security measures to protect personal data from unauthorized access. The transfer of personal data to third parties without obtaining express consent from individuals is prohibited.
Individual rights—Individuals have the right to access, correct, and delete their personal information held by organizations. Companies must also provide an easy way to opt out of targeted advertising.
Enforcement mechanisms—State attorneys general and the FTC can bring civil actions against companies that violate the provisions of the law. Subject to certain notification requirements, individuals also have the right to bring private lawsuits against organizations that violate their data rights.

Are Data Protection Laws Enough To Keep Your Information Safe Online?

A photo of a small white and red cone with the word “caution” on it placed on top of a laptop keyboard — *Source:* *Fernando Arcos*

Even if the ADPPA became law or you live in a state that has a personal data protection act, the growing sophistication of cyber attacks calls for more proactive measures to protect your data against potential threats.

Some methods you can use to minimize the amount of data you share and protect it from compromise include:

Using a virtual private network (VPN)—Services such as Bitdefender, Avast SecureLine, NordVPN, or Surfshark mask your IP address and encrypt internet traffic, making it harder for hackers to access sensitive data.

Using strong passwords—Password managers such as Keeper, 1Password, Bitdefender, LastPass, and Bitwarden can help generate and store complex and unique passwords in encrypted vaults, making it harder to breach your accounts.
Reviewing privacy policies and permissions—Services and products from companies such as Google or Amazon might give you options to limit the amount of data they collect.
Removing sensitive information from the internet—Data removal services might help you remove your information from data brokers, people search engines, and other online databases.
Using virtual cards—Paying with virtual cards reduces the risk of fraud and theft. Banks like Capital One^® and American Express^® offer virtual cards as part of their services, but if you choose a dedicated provider like Privacy, you’ll also get robust security and advanced card control features.

Keep Your Financial Information Secure With Privacy Cards

After connecting your bank account or debit card with Privacy, you can use Privacy Virtual Cards to mask your real financial information with randomly generated card numbers at checkout. Virtual cards reduce the amount of sensitive information you share with merchants and help lower the risk of your actual card details being stolen during a merchant data breach.

As a PCI-DSS-compliant service provider, Privacy undergoes regular third-party audits to ensure compliance with the same high security standards your bank might adhere to. Privacy uses AES-256-bit encryption to secure your personal information during transit and storage, and it keeps your data on servers protected by firewalls and regular security updates.

Additional security measures Privacy implements include:

Two-factor authentication (2FA)—You can protect your account with 2FA through SMS, email, or authenticator apps to ensure only you can access your account.
Real-time transaction alerts—Privacy sends real-time push notifications or email alerts to your phone each time a transaction is authorized or declined, helping you spot and react to suspicious charges.
Fraud investigation—In the event of unauthorized transactions, Privacy will investigate the claim and, if deemed valid, initiate a chargeback against the merchant on your behalf.

Privacy Virtual Card Types and Features

Privacy allows you to create three types of virtual cards, as explained in the table below:

Privacy Card Type	Description
Single-Use Cards	These cards are designed for one-time transactions. They become invalid shortly after the first payment, making them useless to potential hackers. Single-Use Cards are most suitable for transacting with unfamiliar merchants.
Merchant-Locked Cards	These cards "tie" to the first vendor they're used with. Even if cybercriminals would steal the card numbers, they couldn’t use them with any other merchant. This card type is ideal for recurring payments, such as subscriptions to Apple, Amazon, and Google services.
Category-Locked Cards	Category Cards are "locked" to a predefined merchant category, such as groceries, dining, or retail. These cards can help you budget and track spending.

You can also set spending limits on your virtual cards, and Privacy will decline all transactions that exceed the limit. This feature helps protect you against unexpected charges, such as hidden fees and unannounced price hikes.

The Convenience of Privacy Virtual Cards

A cropped photo of a person holding a payment card and a smartphone, with a computer and mouse placed on a wooden desk — Source: Erick Gielow

Accredited by the BBB^® and trusted by over 250,000 users, Privacy makes your online shopping experience and virtual card management seamless and convenient with the following features:

Browser extension—The Privacy Browser Extension, available for Microsoft Edge, Google Chrome, Firefox, Safari, and Safari for iOS, allows you to quickly create virtual cards and autofill payment info at checkout for faster transactions.
Mobile app—Available for Android and iOS devices, the Privacy App allows you to create, manage, and monitor your virtual cards directly from your smartphone.
1Password integration—If you're a 1Password user, you can manage your Privacy Virtual Cards and passwords from the password manager’s browser extension.

How To Sign Up for Privacy

To get your Privacy Cards, take the following four steps:

Create an account
Enter the required information to verify your identity
Connect your funding source (bank account or debit card)
Request your first virtual card
‍

Privacy offers the following four monthly plans:

Plan	What You Get
Personal (free for domestic transactions)	This plan allows you to create up to 12 new Merchant-Locked and Single-Use Cards per month. You can use the web app, mobile app, and browser extension, set spending limits, and pause or close your cards as needed.
Plus ($5/month)	The Plus plan includes all Personal plan features. It lets you create up to 24 new virtual cards per month and grants you access to Category-Locked Cards. The plan includes the Shared Cards feature, custom Card Notes, Priority support, and Live Chat (Mon–Fri, 9 a.m.–5 p.m. ET).
Pro ($10/month)	The Pro plan offers everything in Plus and allows you to create up to 36 new virtual cards per month. It waives all fees for foreign transactions and offers 1% cashback on eligible purchases totaling up to $4,500 per month.
Premium ($25/month)	This plan has all the Pro plan features and allows you to generate up to 60 new virtual cards per month.

References

^[1]Congress.gov. https://www.congress.gov/bill/117th-congress/house-bill/8152, sourced October 15, 2024

^[2]Justice.gov. https://www.justice.gov/opcl/privacy-act-1974, sourced October 15, 2024

^[3]HHS.gov. https://www.hhs.gov/hipaa/for-individuals/index.html, sourced October 15, 2024

^[4]FTC. https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act, sourced October 15, 2024

^[5]Code of Federal Regulations. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312,

sourced October 15, 2024

^[6]FTC. https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act, sourced October 15, 2024

^[7]FTC. https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act, sourced October 15, 2024

^[8]OAG. https://oag.ca.gov/privacy/ccpa, sourced October 15, 2024

^[9]COAG. https://coag.gov/resources/colorado-privacy-act/, sourced October 15, 2024

^[10]UCPA. https://www.dcp.utah.gov/ucpa/, sourced October 15, 2024

^[11]Portal.ct.gov. https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act, sourced October 15, 2024

^[12]OAG. https://www.oag.state.va.us/consumer-protection/files/tips-and-info/Virginia-Consumer-Data-Protection-Act-Summary-2-2-23.pdf, sourced October 15, 2024

‍

Privacy — Seamless & Secure Online Card Payments

Checkout securely online by creating unique virtual card numbers for every purchase. Avoid data breaches, unwanted charges, and stolen credit card numbers.