What is data privacy law?
Data privacy law is the body of regulations that controls how businesses collect, use, share, and protect personal information about individuals. Twenty years ago this was a niche concern for hospitals and banks. Today it touches almost every business that has a website, takes credit cards, has employees, or stores any kind of customer data — which is essentially every business.
The rules are not centralized in the United States. Instead, you face a patchwork of:
- Federal sector laws — HIPAA for health, GLBA for financial services, COPPA for children, FCRA for credit reporting, and FERPA for education.
- State comprehensive laws — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, and a growing list of others. As of 2026, twenty states have passed comprehensive consumer privacy laws.
- Foreign laws that reach into the US — most prominently the EU GDPR and the UK GDPR, but also Brazil (LGPD), Canada (PIPEDA, Quebec Law 25), and many others. If you sell to or track residents of those jurisdictions, those laws apply to you regardless of where your servers sit.
- FTC Act Section 5 — the Federal Trade Commission uses its authority over "unfair or deceptive practices" to police privacy promises businesses make in their privacy policies.
- Industry standards — PCI DSS for credit cards, SOC 2 for SaaS vendors, HITRUST for healthcare, and contractual requirements imposed by enterprise buyers.
When you actually need a data privacy attorney
A privacy attorney is not a luxury for small businesses with a contact form. The triggers below mean you should call someone today, not next quarter:
- You had a breach or suspected breach. Notification clocks start ticking immediately. GDPR gives you 72 hours from the moment you become aware of the breach. State laws range from "without unreasonable delay" to specific day counts. Get counsel involved before you talk to anyone — including your insurance carrier — to preserve attorney-client privilege over the investigation.
- You received a regulator inquiry. A letter from the California Attorney General, the FTC, a state AG, or a foreign data protection authority is not something you reply to with a polite email. Every word matters.
- You are launching a product that collects new categories of data — biometric, geolocation, health, children's data, financial. Each of these has its own special rules and any of them can sink the launch if you get it wrong.
- You are doing M&A. Privacy and data security diligence is now a standard part of deals. Buyers want to know what data you have, where it is, what consents you collected, and what your liabilities look like.
- You sell to enterprises and they are sending you DPAs, security questionnaires, and SOC 2 audits. Negotiating those documents without a privacy lawyer leaves money and risk on the table.
- Your vendors handle personal data on your behalf. If your processor has a breach, you are liable. The contract is your only protection.
- You operate internationally. Cross-border transfer mechanisms (Standard Contractual Clauses, Binding Corporate Rules, the Data Privacy Framework for the US) need to be set up correctly or your data flows are technically illegal.
- You are doing AI, profiling, or automated decision-making. The EU AI Act, the Colorado AI Act, and a growing number of state laws regulate algorithmic decisions about people. The rules are messy and the fines are real.
- You received a class action complaint or arbitration demand alleging a privacy violation. Wiretap claims, biometric privacy claims, and pixel-tracking claims are flooding the courts. You need a defense lawyer immediately.
The big US laws every business needs to know about
California Consumer Privacy Act (CCPA / CPRA) — applies to most for-profit businesses that handle California residents' data and meet revenue or volume thresholds. Gives consumers rights to know, delete, correct, opt out of "sale" or "sharing," and limit use of sensitive personal information. Enforcement by the California Privacy Protection Agency and the AG. Statutory damages of $100 to $750 per consumer per incident in private breach lawsuits.
Virginia, Colorado, Connecticut, Utah, and the rest — each state's law is similar but not identical to California's. Most are enforced only by the attorney general (no private right of action), but the compliance work is real: data inventories, privacy notices, opt-out mechanisms, vendor contracts, data protection assessments, and consumer request handling.
HIPAA — covers protected health information held by "covered entities" (health plans, healthcare providers, clearinghouses) and their "business associates." Civil monetary penalties up to $2 million per violation category per year. Criminal liability for willful misconduct.
GLBA — financial institutions and their service providers. Safeguards Rule requires a written information security program. Privacy Rule requires annual privacy notices.
COPPA — collection of personal information from children under 13. Verifiable parental consent required. Recent FTC enforcement actions have produced fines in the hundreds of millions.
BIPA (Illinois Biometric Information Privacy Act) — has produced an avalanche of class action lawsuits. Statutory damages of $1,000 to $5,000 per violation, with no need to prove harm. Other states are following.
What about GDPR if I am a US company?
The General Data Protection Regulation applies to your business if you offer goods or services to people in the EU or UK, or if you monitor their behavior. If you sell to European customers, ship to Europe, run ads targeting Europeans, or have a website that people in Europe use in any meaningful way, GDPR applies.
Unlike US laws, GDPR is comprehensive — it requires a legal basis for every processing activity, written records, data protection impact assessments for high-risk processing, breach notification within 72 hours, appointment of a Data Protection Officer in some cases, and a designated EU representative. Maximum fines are 4% of global annual revenue or €20 million, whichever is higher.
Breach response — what happens in the first 72 hours
If your security team flags a possible breach, the playbook is roughly the same regardless of industry:
- Hour 0-4: Engage outside counsel under privilege. Activate the incident response plan. Contain the incident, but do not wipe or rebuild affected systems before the evidence on them has been preserved. Notify the cyber insurance carrier (often a contract requirement that triggers panel counsel and a forensic firm).
- Hour 4-24: Begin forensic investigation. Map what data was accessed, by whom, for how long. Identify which jurisdictions' notification laws apply. Preserve logs.
- Hour 24-72: Make GDPR notifications to data protection authorities if applicable. Begin drafting US state notifications. Prepare individual notification letters and the call center script. Notify business partners under contractual obligations.
- Day 4-30: Send individual notifications. Set up credit monitoring if appropriate. Notify the Department of Health and Human Services (HIPAA), state AGs, and any required regulators. Prepare for media coverage and class action complaints.
- Day 30+: Cooperate with regulator investigations, defend class actions, remediate root causes, and pursue insurance recovery.
Privacy compliance work that does not involve a breach
Most of what privacy lawyers do is preventive, not reactive. Common engagements include:
- Privacy policy and terms of service drafts and updates. Generic templates pulled from the internet are a regulatory liability — they almost always misdescribe what your business actually does, which is itself a deceptive practice under FTC Act Section 5.
- Data mapping and records of processing activities. You cannot comply with privacy law if you do not know what data you have, where it is, who has access, and why you have it.
- Vendor and processor agreements. Data Processing Addenda, Standard Contractual Clauses, Business Associate Agreements, and security exhibits — these documents allocate liability between you and your vendors.
- Consumer rights request workflows. When a consumer asks "what do you have on me, delete it, do not sell it," you have a legal deadline to respond. Build the workflow before the requests arrive.
- Cookie banners and online tracking. The intersection of GDPR and ePrivacy consent rules, CCPA "sale" definitions, and recent class action cases under wiretap statutes has made cookie compliance significantly more complicated than dropping in a one-line script.
- AI governance. Documenting training data, bias testing, transparency, and human-in-the-loop reviews for automated decisions about people.
- Marketing and advertising review. CAN-SPAM, TCPA (texts and calls), pixel tracking, retargeting — these are the most common sources of consumer privacy class actions.
- Employee privacy. Background checks (FCRA), monitoring policies, biometric timekeeping, and US state employee privacy laws.
How privacy fines and damages actually work
The headline fines you read about — €1.2 billion against Meta, $5 billion against Facebook in 2019 — are outliers. But mid-sized fines are routine. State attorneys general announce six- and seven-figure settlements regularly. The FTC has been more aggressive in the last three years. And class action plaintiffs do not need an actual fine — they sue under statutes like BIPA, CCPA's private right of action, and the federal Wiretap Act using statutory damages that add up fast across a class of millions.
The most expensive line item in most breach cases is not the regulator fine. It is the cost of investigation, notification, litigation defense, and remediation. A mid-sized breach with hundreds of thousands of affected individuals routinely costs $5 to $20 million when all bills are paid.
Choosing the right privacy attorney for your situation
Privacy is broad. Make sure the attorney you hire actually does the kind of work you need. The main flavors:
- Compliance and counseling — drafts policies, advises on product launches, runs assessments. Often inside a larger corporate or technology practice.
- Incident response — handles breaches under privilege, manages forensic firms, communicates with regulators. Many incident response lawyers are former government cyber prosecutors.
- Privacy litigation defense — defends class actions and regulator enforcement. Different skill set from compliance lawyers.
- Healthcare privacy — HIPAA-specific. Often part of healthcare regulatory practices.
- FinTech and financial privacy — GLBA, BSA/AML, banking regulator interaction.
- International privacy — GDPR, cross-border transfer mechanisms, foreign DPA interaction.
For most growing businesses, a compliance-and-counseling lawyer who knows when to bring in litigation or incident response specialists is the right hire. For an active breach or regulator investigation, you need someone who has done that exact thing before.
What does a data privacy attorney actually cost?
| Service / Stage | What It Covers | Typical Cost |
|---|---|---|
| Privacy policy / terms of service draft | Custom privacy notice plus terms | $3,500 to $15,000 |
| Data mapping / records of processing | Inventory of data flows and legal bases | $10,000 to $75,000 |
| Outside General Counsel — privacy | Monthly retainer for ongoing advice | $3,000 to $15,000 / month |
| Vendor DPA negotiation | Per major vendor contract | $1,500 to $5,000 |
| Breach response (full incident) | Notification, forensics oversight, regulator interaction | $50,000 to $500,000+ |
| Class action defense | Privacy litigation through trial | $250,000 to several million |
| Hourly rate (most privacy attorneys) | Senior counsel at boutique or AmLaw firm | $425 to $1,100 / hour |
Most privacy work bills hourly, with project flat fees offered for discrete deliverables like privacy notices and policies. Many firms offer a fixed monthly retainer for ongoing privacy counsel, which is the most cost-effective option for growing companies. Breach response is the one area where you should not shop on price — the cheapest forensic firm and the cheapest counsel will cost you more in regulator fines and class action exposure than the savings.
Talk to a data privacy attorney today.
Whether you are dealing with a breach, building a privacy program from scratch, or facing a regulator inquiry, get a free consultation with a vetted privacy attorney in your city. No obligation, no jargon.