The US legislative framework for the protection of PII historically has resembled a patchwork quilt. Unlike other jurisdictions, the US does not have a single dedicated data protection law at the federal level, but instead regulates privacy primarily by industry, on a sector-by-sector basis. There are numerous sources of privacy law in the US, including laws and regulations developed at both the federal and state levels. These laws and regulations may be enforced by federal and state authorities, and many provide individuals with a private right to bring lawsuits against organizations they believe are violating the law. Starting in 2018, increased legislative activity at the state level signaled a shift in focus toward more broad-based consumer privacy legislation in the United States. California became the first state to enact such legislation with the passage of the California Consumer Privacy Act (CCPA), which is aimed at protecting the personal information of consumers across the industry. Since then, numerous other states have proposed similarly broad privacy legislation, while multiple comprehensive privacy bills have been introduced at the federal level in the U.S. Congress.
