Security + privacy regulations in the United States

The United States has no single comprehensive federal privacy law as of 2026. Instead, the regulatory landscape is a combination of sectoral federal laws (HIPAA for health, GLBA for financial institutions, COPPA for children under 13, FERPA for education records) and a growing collection of state-level comprehensive privacy laws. California led with the CCPA in 2018 (effective 2020), amended by the CPRA ballot measure in 2020 (effective 2023); since then Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and several others have passed substantially similar laws. Most are GDPR-lite: consumer rights to access, delete, correct, and opt out of the sale or sharing of personal data, with opt-in consent for sensitive data in many states.

For B2B SaaS, the most important compliance artifact is not a law at all: it is SOC 2. This auditor-issued report covers the five Trust Services Criteria (Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional) and is the gate most mid-market and enterprise buyers ask for; a startup selling into its first enterprise account should expect the request early in security review, often within the first weeks of contract discussions. Type 1 (controls designed as of a point in time) is the typical first-time target; Type 2 (controls operating over a 3-12 month observation window) follows for renewals. Note that SOC 2 is an attestation report, not a certification: there is no pass/fail, and a buyer will read the exceptions.

For public companies, the SEC's 2023 cyber-disclosure rule adds an obligation to report material cyber incidents on Form 8-K within four business days of determining materiality (not a concern for most startups, but relevant if you are preparing for an IPO). The FTC's Section 5 authority over unfair or deceptive practices gives it broad power to act, and its enforcement increasingly treats inadequate security, and security promises a company does not keep, as Section 5 violations.

Key laws + frameworks

SOC 2

De facto US B2B SaaS compliance report (an AICPA attestation, not a certification). Type 1 for your first enterprise deal; Type 2 for renewals.

Read the compliance guide →

HIPAA

Federal health-data privacy + security rules. Applies if you are a covered entity (provider, plan, clearinghouse) or a business associate handling PHI on one's behalf; signing a BAA is what brings a SaaS vendor into scope.

Read the compliance guide →

CCPA / CPRA

California's comprehensive privacy law. Applies to for-profit businesses with Californian users that meet any one threshold: annual gross revenue above $25M (inflation-adjusted), personal information of 100,000+ consumers or households, or 50%+ of revenue from selling or sharing personal information.

Read the compliance guide →

PCI-DSS

Payment-card data security standard. A contractual requirement from the card brands and your acquirer rather than a law, but effectively mandatory for any service that stores, processes, or transmits cardholder data.

State privacy laws

VA CDPA, CO CPA, CT CTDPA, UT UCPA, TX TDPSA, OR OCPA, FL FDBR, IA ACDPA, DE DPDPA, and more: all broadly CCPA-similar, though applicability thresholds differ (Texas has no revenue threshold; Florida's FDBR reaches only controllers above $1B in revenue).

SEC cyber-disclosure

Public companies must disclose material cyber incidents on Form 8-K (Item 1.05) within 4 business days of determining materiality, and describe their cyber risk management, strategy, and governance annually in the 10-K (Reg S-K Item 106).

FTC Section 5

Unfair-or-deceptive-practice authority, increasingly used for insufficient security.

Regulators

  • FTC (general)
  • HHS OCR (HIPAA)
  • SEC (public cos)
  • State AGs (state privacy)
  • CA AG + CPPA (CCPA/CPRA)

Breach notification

Breach notification is state-by-state in the US. All 50 states (plus DC and the US territories) have breach-notification laws; most require notice to affected residents "without unreasonable delay", and those that fix a deadline mostly use 30-60 days from discovery, with many also requiring notice to the state AG above a resident-count threshold. Federal sectors have their own clocks: HIPAA requires individual notice within 60 days of discovery (plus HHS and media notice for breaches affecting 500+ people); GLBA-covered entities follow the FTC Safeguards Rule (notify the FTC within 30 days for events affecting 500+ consumers) or the banking regulators' 36-hour rule; public companies file the SEC 8-K within 4 business days of a materiality determination. Multi-state breaches trigger multiple, differently worded notifications, so map affected residents by state early in the incident.

Cross-border transfer

Outbound US data transfers have historically been unrestricted, but the DOJ's Data Security Program (28 CFR Part 202, in force since April 2025) now prohibits or restricts transfers of bulk US sensitive personal data and government-related data to countries of concern such as China and Russia. Inbound from the EU requires EU-US Data Privacy Framework self-certification (the DPF replaced Privacy Shield after the July 2023 adequacy decision) or Standard Contractual Clauses plus a Transfer Impact Assessment. China, Russia, and a growing number of countries have data-localization and cross-border transfer laws that restrict moving their residents' data to the US at all.

Startup priority

Priority stack for US-facing B2B SaaS: (1) SOC 2 Type 1 committed to, with a named auditor and observation window, before the first enterprise deal closes; (2) a CCPA-compliant Privacy Policy and consumer-rights request process that also covers the other state privacy laws (they largely overlap, so one policy with a state-specific section is normal); (3) a DPA template, with breach-notification commitments and a subprocessor list, ready to sign for enterprise contracts; (4) a HIPAA BAA only when a specific health customer requires it; don't pursue HIPAA compliance speculatively, because signing a BAA makes you a business associate with your own Security Rule obligations. Minimize PCI-DSS scope by never touching card data: with a hosted payment provider such as Stripe or Paddle rendering the card fields, you are left with the short SAQ A self-assessment rather than a full assessment. Skip FedRAMP until you have a signed federal contract that requires it; commonly cited figures are $1-3M and 18-36 months to authorization.