The United States does not have a single, unified federal privacy law — unlike the EU's GDPR or Canada's PIPEDA. Instead, US websites face a patchwork of federal sector-specific laws, a growing number of state privacy laws, and common law obligations. Understanding what you need before you launch — or audit what you already have — is the starting point for any US-based online business.
Required and strongly recommended legal documents
A Privacy Policy is legally required if you collect personal information from California residents (CCPA), from children under 13 (COPPA), or if you operate in a sector covered by federal law such as healthcare (HIPAA), finance (GLBA), or education (FERPA). In practice, because California residents represent a large share of US internet traffic, any US website that collects personal data should have a CCPA-compliant privacy policy as a minimum. Many states have now passed their own privacy laws — Virginia, Colorado, Connecticut, Texas, and others — adding further obligations depending on where your customers are located.
A Terms of Service document (or Terms and Conditions) is not legally mandated, but it is strongly recommended for any website offering products, services, or user accounts. It defines the rules of use, limits your liability, protects your intellectual property, and gives you grounds for account termination. Without one, your relationship with users is governed by whatever default laws apply — and those defaults are almost never written with your specific business in mind.
A Cookie Notice / Cookie Policy is required under California law (CCPA/CPRA) if you use cookies in a way that qualifies as selling or sharing personal data. Even if you are not in scope for California, a cookie notice is good practice and is required if you serve EU or UK visitors.
CCPA Opt-Out Mechanism — if your business meets CCPA thresholds (annual revenue over $25M, or processing data from 100,000+ California consumers, or deriving 50%+ of revenue from selling personal data), you must provide a "Do Not Sell or Share My Personal Information" opt-out link, typically in the website footer.
Accessibility Statement — not federally mandated for private businesses under current law, but increasingly expected as part of ADA compliance best practice. Federal contractors and government websites have stricter requirements under Section 508.
Federal laws that shape your obligations
Even without a comprehensive federal privacy law, several federal statutes apply to specific sectors or activities:
- CAN-SPAM Act — governs commercial email. Requires honest sender identification, a working unsubscribe mechanism, and your physical postal address in every commercial email.
- COPPA — applies if your site is directed at children under 13 or if you knowingly collect data from children. Requires verifiable parental consent before collecting children's personal information.
- FTC Act Section 5 — prohibits unfair or deceptive acts in commerce. In practice, this means your privacy policy must accurately reflect your actual practices. Publishing a privacy policy you do not follow is an FTC enforcement target.
- ADA — courts have interpreted the Americans with Disabilities Act to apply to website accessibility, particularly for businesses with physical locations and the websites associated with them.
State privacy laws to watch
As of 2026, over 20 US states have enacted or are finalising consumer privacy laws. Unlike GDPR, most US state laws use an opt-out rather than opt-in model, but they share common elements: the right to know what data is collected, the right to delete, the right to opt out of targeted advertising, and non-discrimination protections. If you collect data from US consumers at any scale, your privacy policy should address these rights collectively — specifying that you honour applicable state rights regardless of which state the consumer is in.