Your Data Travels Even If You Don’t
The more connected we become, the more data we continue to share, sell, or allow to be processed about us. Every time you access the internet and input or view sensitive information—whether checking health information, paying bills, or tagging your location on social media—you’re generating data that can be collected and brokered across services and devices.
In a national study, Pew Research Center finds that 81% of U.S. adults say they have very little or no control over the data companies collect about them, and 79% are concerned about how companies use that data. In a time when our lives are so heavily entwined with the internet, knowing what’s done with the data you share is critical.
Why it matters
Landmark security breaches remind us how vulnerable our data really is. Equifax, one of the top three credit reporting agencies, disclosed a data breach that exposed Social Security numbers, names, addresses, and driver’s license numbers; information was compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected. More recently, 2024 brought disruptive ransomware and third‑party cloud incidents that affected U.S. healthcare services and exposed large telecom and entertainment datasets, underscoring how a single vendor or platform can create downstream risk across entire ecosystems.
Facebook has experienced a series of security issues, which have resulted in federal scrutiny. In recent years, large caches of user data were exposed on Amazon’s cloud computing services. It was also revealed that Facebook had data-sharing partnerships with more than 150 companies that people were not aware of. In research by the Pew Research Center, people spoke negatively about the consequences of sharing data and cited that companies could have an ulterior motive for collecting their data. Regulators have since increased enforcement attention on sensitive datasets like precise location and detailed browsing data, especially when collected or sold by data brokers without clear consent.
Federal Laws
- U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information, unless it is part of the 12 statutory exceptions. Under this act, individuals are also able to request amendments to their records.
- Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices by companies and seek monetary compensation. The FTC actively uses this authority to police privacy, data security, and opaque data-sharing practices.
- Children’s Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent. The FTC has proposed updates to strengthen the COPPA Rule, including tighter limits on retention and certain third‑party disclosures.
- Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.
There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that address different aspects of data protection. In the absence of a comprehensive federal consumer privacy statute, individual states have enacted their own laws protecting residents—many of which took effect in 2024–2025 and continue to expand consumer rights and opt-outs. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.
Types of Data Privacy Laws
Consumer privacy
Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. Today, consumer expectations are higher: global research shows majorities will avoid brands they don’t trust with data, and many have switched providers over data practices. In the U.S., Pew Research Center finds most adults feel they have little or no control over companies’ data collection and are concerned about how their data is used.
The California Consumer Privacy Act empowers residents with rights to know, access, delete, and opt out of the sale or sharing of personal information, with additional protections strengthened by subsequent amendments. California also recognizes browser-based global privacy controls to effect certain opt-outs. Similar comprehensive privacy laws in many other states now provide access, deletion, correction, portability, and opt-outs for targeted advertising, sale, and certain profiling—expanding across the country through 2025.
Children’s online privacy
One of the only inclusive data privacy laws is concerned with children’s online privacy. The Children’s Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information the companies can have and can request that any collected data be deleted. The FTC has also proposed updates to strengthen the COPPA Rule’s data minimization, retention, and consent requirements.
TikTok paid $5.7 million to the FTC over concerns that the video app was in violation of COPPA. In what was the largest children’s privacy civil penalty at the time, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos made by children under the age of 13. TikTok is only one example; regulators have also brought significant actions against other platforms and devices handling children’s data, including cases involving Google and YouTube, as well as actions targeting deceptive design and unlawful retention.
E-reader
There are only a handful of states that have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms’ privacy policies to give you the answers you’ve been searching for.
Online services
Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent about their data practices and, in several states, are required to honor browser-based universal opt-out signals for sales/sharing or targeted advertising. Many people take steps to maintain their online privacy—clearing cookies, using a virtual private network, and encrypting their email, for example—but Pew Research Center also finds that Americans feel a lack of control and remain concerned about how companies use their data. Still, many say they want to do more to protect themselves.
Information sharing by business
While businesses collecting and sharing your information is nothing new, recent changes require that companies clearly inform you of what their intentions are when collecting that information. The reason why the company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between both consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It’s also imperative that consumers know their rights and ability to impact how companies collect and use their information.
Notice when recording phone calls
Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable “this call may be monitored or recorded…” message. When a caller continues with the call, many states take that as implied consent.
Some states require both parties to consent to the recording. Regardless of which law a state follows, there are sometimes exceptions to the rules, including police recordings, court orders, and emergency services.
Breach notification laws
Every single state has a data breach notification law in place, and many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.
Data disposal
Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy or make indecipherable information in consumer reports. The Federal Trade Commission has imposed a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company’s security program.
Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.
| State | Title | Type of Law |
| --- | --- | --- |
| Alabama | SB318 | Data breach notification |
| Alaska | Alaska Stat. § 45.48.010 | Data breach notification |
| Alaska | Alaska Stat. § 45.48.500 | Data disposal |
| Arizona | Ariz. Rev. Stat. § 41-151.22 | e-reader |
| Arizona | A.R.S. §§ 18-55 | Data breach notification |
| Arizona | Ariz. Rev. Stat. § 44-7601 | Data disposal |
| Arkansas | Ark. Code §§ 4-110-105 | Data breach notification |
| Arkansas | Ark. Code §§ 4-110-104(b) | Consumer data |
| Arkansas | Ark. Code §§ 4-110-104(a) | Data disposal |
| California | Cal. Civ. Code §§ 1798.100 et seq. | Consumer data |
| California | Cal. Bus. & Prof. Code § 22948.20 | Consumer data |
| California | Cal. Civ. Code §§ 1798.81 | Data disposal |
| California | Calif. Bus. & Prof. Code §§ 22580-22582 | Children’s online privacy |
| California | Cal. Ed. Code § 99122 | Online services and websites |
| California | Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A) | Online services and websites |
| California | Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Online services and websites |
| California | Calif. Bus. & Prof. Code § 22575 | Online services and websites |
| California | Cal. Civ. Code §§ 1798.83 to .84 | Information sharing |
| Colorado | Colo. Rev. Stat. § 6-1-716 | Data breach notification |
| Colorado | Colo. Rev. Stat. § 6-1-713 | Data disposal |
| Connecticut | Conn. Gen. Stat. § 42-471 | Data disposal |
| Connecticut | Conn. Gen Stat. § 36a-701b | Data breach notification |
| Delaware | Del. Code § 1204C | Children’s online privacy |
| Delaware | Del. Code tit. 6, § 1206C | e-reader |
| Delaware | Del. Code Tit. 6 § 205C | Information sharing |
| Delaware | Del. Code tit. 6 § 5002C | Data disposal |
| Florida | Fla. Stat. §§ 501.171(3)-(6) | Data breach notification |
| Florida | Fla. Stat. §§ 501.171(2) | Consumer data |
| Florida | Fla. Stat. §§ 501.171(8) | Data disposal |
| Georgia | Ga. Code §§ 10-1-910 et. seq. | Data breach notification |
| Georgia | Ga. Code §§ 10-15-2(b) | Data disposal |
| Hawaii | Haw. Rev. Stat. § 487N-2 | Data breach notification |
| Hawaii | Haw. Rev. Stat. §§ 487R-2 | Consumer data and data disposal |
| Idaho | Idaho Code § 67-831 through § 67-833 | Data breach notification |
| Illinois | 20 ILCS § 450 | Consumer data |
| Illinois | 815 ILCS § 530/45 | Consumer data |
| Illinois | 815 ILCS §§ 530/1 to 530/25 | Data breach notification |
| Illinois | 815 ILCS § 530/30 | Data disposal |
| Indiana | Ind. Code §§ 4-1-11 et. seq | Data breach notification |
| Indiana | Ind. Code §§ 24-4-14-8 | Data disposal |
| Iowa | Iowa Code §§ 71.C.1 – 715C.2 | Data breach notification |
| Kansas | Kan. Stat. § 50-7a01 et seq. | Data breach notification |
| Kentucky | KRS § 365.732 and KRS § 61.931 to 61.934 | Data breach notification |
| Kentucky | KRS § 365.725 | Data disposal |
| Louisiana | La. Rev. Stat. §§ 51:3071 et seq. | Data breach notification |
| Maine | 35-A MRSA § 9301 (active 7/1/20) | Online services and websites |
| Maine | Me. Rev. Stat. tit. 10 § 1346 et seq | Data breach notification |
| Maryland | Md. State Govt. Code § 10-624 (4) | Information sharing |
| Maryland | Md. State Govt. Code §§ 10-1303 | Data disposal |
| Maryland | Md. Code Com. Law §§ 14-3504 | Data breach notification |
| Massachusetts | Mass. Gen. Laws § 93H-3 | Data breach notification |
| Massachusetts | Mass. Gen. Laws § 93H-2 | Consumer data |
| Massachusetts | Mass. Gen. Laws § 93I-2 | Data disposal |
| Michigan | Mich. Comp. Laws §§ 445.72 | Data breach notification |
| Michigan | Mich. Comp. Laws §§ 445.72a | Data disposal |
| Minnesota | Minn. Stat. §§ 325M.01 to .09 | Online services and websites |
| Minnesota | Minn. Stat. §§ 325E.64 | Data breach notification |
| Mississippi | Miss. Code § 75-24-29 | Data breach notification |
| Missouri | Mo. Rev. Stat. §§ 182.815, 182.817 | e-reader |
| Missouri | Mo. Rev. Stat. § 407.1500 | Data breach notification |
| Montana | Mont. Code §§ 30-14-1701 et seq | Data breach notification |
| Montana | Mont. Code §§ 30-14-1703 | Data disposal |
| Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. | Data breach notification |
| Nebraska | Neb. Stat. § 87-302(15) | Inaccuracies in privacy policies |
| Nevada | NRS § 603A.300 | Consumer data |
| Nevada | NRS § 603A.340 | Information sharing |
| Nevada | SB 220 | Online services and websites |
| Nevada | NRS § 205.498 | Online services and websites |
| New Hampshire | N.H. Rev. Stat. §§ 359-C | Consumer data, information sharing, data breach notification, data disposal |
| New Jersey | N.J. Rev. Stat. §§ 56:8-163 | Data breach notification |
| New Jersey | N.J. Rev. Stat. §§ 56:8-162 | Data disposal |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 6 | Data breach notification |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 3 | Data disposal |
| New Mexico | 2017 H.B. 15, Chap. 36, Section 4 | Consumer data |
| New York | S5575B | Consumer data |
| New York | N.Y. Gen. Bus. Law § 399-H | Data disposal |
| New York | 23 NYCRR 500 | Data breach notification |
| Oregon | ORS § 646.607 | Information sharing |
| Oregon | SB684 | Data breach notifications |
| North Carolina | N.C. Gen. Stat. § 75-65 | Data breach notifications |
| North Carolina | N.C. Gen. Stat. § 75-65 | Data disposal |
| North Dakota | N.D. Cent. Code §§ 51-30-01 et seq | Data breach notifications |
| Ohio | Ohio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seq | Data breach notifications |
| Oklahoma | 24 OK Stat § 24-163 (2016) | Data breach notifications |
| Oregon | Oregon Rev. Stat. § 646A.604 | Data breach notifications |
| Oregon | Oregon Rev. Stat. § 646A.622 | Data disposal |
| Pennsylvania | 18 Pa. C.S.A. § 4107(a)(10) | Inaccuracies in privacy policies |
| Pennsylvania | 73 P.S. §§201-1 – 201-9.2 | Consumer data |
| Rhode Island | R. I. Gen. Laws §§ 11-49.3-1 to .3-6 | Data breach notification |
| Rhode Island | R. I. Gen. Laws § 6-52-2 | Data disposal |
| South Carolina | S.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20 | Consumer data |
| South Carolina | S.C. Code Section 39-1-90 | Data breach notification |
| South Carolina | S.C. Code Section 37-2-190 | Data disposal |
| South Dakota | SD SB62 | Data breach notification |
| Tennessee | Tenn. Code §§ 47-18-2107 | Consumer data |
| Tennessee | Tenn Code §§ 8-4-119 | Data breach notification |
| Tennessee | Tenn Code § 39-14-150(g) | Data disposal |
| Texas | Tex. Bus. & Com. Code § 521.053 | Data breach notifications |
| Texas | Tex. Bus. & Com. Code § 521.052(a) | Consumer data |
| Texas | Tex. Bus. & Com. Code § 521.052(b) | Data disposal |
| Utah | Utah Code §§ 13-37-201 to -203 | Information sharing |
| Utah | Utah Code § 13-44-201(1)(a) | Consumer data |
| Utah | Utah Code § 13-44-202 | Data breach notifications |
| Utah | Utah Code § 13-44-201(1)(b) | Data disposal |
| Vermont | NRS § 603A.300 | Consumer data |
| Virginia | Va. Code §§ 18.2-186.6. | Data breach notifications |
| Virginia | Va. Code § 59.1-442 | Information sharing |
| Washington | Wash. Rev. Code §§ 19.255.010 | Data breach notifications |
| Washington | Wash. Rev. Code §§ 19.215.030 | Data disposal |
| West Virginia | W.V. Code §§ 46A-2A-101 | Data breach notifications |
| Wisconsin | Wis. Stat. § 134.98 | Data breach notifications |
| Wisconsin | Wis. Stat. § 134.97 | Data disposal |
| Wyoming | Wyo. Stat. §§ 40-12-501 et seq. | Data breach notification |
| District of Columbia | D.C. Code §§ 28-3851 et seq. | Data breach notification |
| Puerto Rico | 10 L.P.R.A. § 4051 | Consumer data and data breach notification |
Quick Tips to Protect Data at Home
Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are a number of things you can do at home to combat them. You don’t need advanced tech skills or world-class equipment; these are practical steps you can take on your home computer and phone, including turning on phishing-resistant sign-in options (like passkeys) where available.
Security software
Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any and all updates of your software and operating system, and enable built‑in anti‑fraud protections on your devices. Security software is especially important if you are regularly connected to public WiFi networks. While most home routers encrypt their WiFi traffic, there is no way to know whether a public network you are connecting to is safe.
Use a password manager
Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised, and many now support passkeys for phishing‑resistant sign‑in. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.
Back up your data
In the event that your information is lost, compromised or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost. When you back up your data, you’re making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to make your files unavailable to anyone else except you.
Data encryption
Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into unreadable ciphertext. Encrypting your data will secure it not only on your computer, but also when it is transmitted over the internet. For the information to be restored to its original form, both the sender and recipient have to have the encryption key. Use strong, up‑to‑date encryption tools and ensure websites you use enforce modern transport security.
What to do After a Data Breach
So you’ve heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.
1. Confirm if you were affected by the security breach
Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email that a breach has occurred, contact the company directly to confirm. Do not reply to the email.
2. Find out what information was compromised
What you do after a security breach may vary slightly depending on the type of company that was breached. You should tailor your response to the circumstances and to what information was stolen. If you find that you are the victim of the security breach, don’t pass up the company’s offer to help.
3. Change your passwords
The next important step to take is to address your personal security. Update your login information and security questions for all of your sensitive accounts – not just the ones affected by the breach. Take this time to enact two-factor authentication or passkeys where offered to add another layer of security to your accounts and reduce phishing risk.
4. Contact a credit reporting bureau to report
To make sure you aren’t the victim of identity theft, call any of the major credit reporting bureaus and have them file a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind this will require you to manually lock and unlock your credit report when filing for new lines of credit, like a rewards card or a house.
5. Monitor all accounts closely
Finally, after you’ve changed your passwords and placed a fraud alert in your name, the last thing to do is closely monitor your accounts for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, though they do not guarantee the safety of accounts thieves may already have access to.
Helpful resources
Knowing your data is being collected is one thing; knowing your rights and what power you have is another thing entirely. Check out these resources to make sure you’re as prepared as possible.