Laws and Regulations

Key Takeaways

The laws and regulations governing identity, privacy, and data protection form a critical backdrop to any conversation around digital identity. While this list is not exhaustive, it reflects a range of legal frameworks that explicitly or primarily address these areas. As more aspects of daily life continue to move online, legislative and regulatory bodies are actively updating and introducing new rules to keep pace.

Digital privacy and user-controlled identity are long-established principles that lawmakers across jurisdictions have repeatedly codified into law, often reinforcing and expanding them over time. Future updates will build on this foundation by including additional laws that continue to impact digital identity implementation in meaningful ways.

United States: Federal Laws

US Privacy Act of 1974

The Privacy Act of 1974 is a federal law that governs how U.S. government agencies collect, maintain, and use personally identifiable information within systems of records. A “system of records” refers to any collection of data retrievable by personal identifiers (such as name or Social Security number) maintained by a federal agency in either digital or physical formats.

Under the Act, agencies must publish a System of Records Notice (SORN) for each system they control, detailing what data is collected, the legal basis for doing so, how the data is used, and any applicable exemptions. These notices must be made publicly available in the Federal Register to promote transparency.

The Privacy Act protects individuals by granting them the right to access their records, request corrections to inaccurate or incomplete data, and limit disclosures of their personal information without consent, except under certain legal exemptions. Collectively, these provisions aim to minimize unwarranted invasions of privacy and promote responsible data stewardship within the federal government.

US Family Educational Rights and Privacy Act (FERPA) of 1974

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It applies to all educational institutions and agencies that receive federal funding. Under FERPA, parents, legal guardians, and eligible students (aged 18 or older) have the right to access and review the student's education records and to request corrections if records are inaccurate, misleading, or violate privacy rights.

FERPA generally requires written consent before schools can disclose personally identifiable information from a student’s records. However, there are specific exceptions that allow disclosures without consent, including to school officials with a legitimate educational interest, to comply with a court order or subpoena, or for authorized audits and evaluations by government agencies.

Educational institutions are also required to inform parents and eligible students of their FERPA rights on an annual basis, reinforcing transparency and accountability in how student information is handled.

US Fair Credit Reporting Act (FCRA) of 1970

The Fair Credit Reporting Act (FCRA) is a federal law that governs how consumer credit information is collected, shared, and used. Originally enacted as part of the Consumer Credit Protection Act, the FCRA ensures that consumer reporting agencies (CRAs) provide accurate and complete data to lenders, employers, insurers, and other entities that use credit reports to make decisions. It also grants consumers the right to access their credit reports and dispute inaccurate information.

Entities that use credit data have specific legal obligations under the FCRA, including notifying individuals of adverse decisions made based on their credit reports and securing consent before accessing credit data. Over time, the law has been strengthened through updates such as the Fair and Accurate Credit Transactions Act, which added identity theft protections, and the Dodd-Frank Act, which transferred rulemaking authority to the Consumer Financial Protection Bureau while leaving enforcement with the Federal Trade Commission.

US Health Insurance Portability and Accountability Act (HIPAA) of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets national standards for protecting individuals’ medical records and personal health information. It applies to healthcare providers, health plans, and healthcare clearinghouses, collectively known as “covered entities”, and requires them to safeguard electronic protected health information (ePHI) through administrative, physical, and technical controls.

HIPAA grants individuals specific rights over their health data, including the right to access, obtain copies of, and request corrections to their health information. Covered entities must also provide a clear notice of privacy practices and, in most cases, obtain written authorization before using or disclosing personal health information, particularly for marketing or research purposes. Certain uses, such as for treatment or billing, are permitted without prior consent.

The law also includes breach notification requirements, mandating that covered entities report certain exposures of unsecured ePHI to both affected individuals and the U.S. Department of Health and Human Services.

US Children’s Online Privacy Protection Act (COPPA) of 1998

The Children’s Online Privacy Protection Act (COPPA) is a federal law enacted in 1998 to safeguard the online privacy of children under the age of 13. It requires website operators and online service providers to obtain verifiable parental consent before collecting personal information from children. Covered entities must also post a clear privacy policy, explain their data collection practices, and provide parents the ability to review or delete their child’s information.

COPPA prohibits requiring children to provide more personal information than is reasonably necessary to participate in activities like games or contests. It also mandates reasonable data security practices, data minimization, and proper deletion protocols to protect children’s information.

The law applies not only to website and app operators, but also to third-party advertisers that collect data from children on those platforms. These parties must also comply with COPPA’s consent and privacy requirements. The Federal Trade Commission enforces COPPA and administers the COPPA Rule, which enhances protections and offers a “safe harbor” pathway for industry groups to develop approved self-regulatory programs.

US Gramm–Leach–Bliley Act (GLBA) of 1999

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, allows financial institutions such as banks, securities firms, and insurance companies to consolidate and offer a broader range of financial services. In addition to reshaping the financial industry, the Act introduced key consumer privacy protections.

GLBA requires financial institutions to safeguard nonpublic personal information and restrict its disclosure to nonaffiliated third parties. Institutions must provide clear notices explaining their data-sharing practices and give consumers the right to opt out of certain information disclosures. The Act also limits how entities that receive consumer data can reuse or share that information further.

The law applies broadly to firms engaged in financial activities, including some that are not traditionally viewed as financial institutions. Enforcement of the Act’s privacy provisions falls to the Federal Trade Commission and other federal regulators. The FTC enforces these rules through the Privacy of Consumer Financial Information Rule (Privacy Rule), introduced in 2001.

US REAL ID Act of 2005

The REAL ID Act, passed in 2005, implements a key recommendation of the 9/11 Commission by establishing federal security standards for state-issued driver’s licenses and identification cards. The Act prohibits federal agencies from accepting IDs that do not meet these standards for official purposes, including boarding federally regulated commercial aircraft, accessing certain federal facilities, and entering nuclear power plants.

States are required to upgrade their ID issuance processes to meet the Act’s requirements, and residents must obtain compliant licenses for access to these federal functions. The nationwide rollout has faced multiple delays, with the most recent extension pushing the full enforcement date to May 7, 2025, giving states additional time to meet compliance.

After the deadline, federal agencies, including the Transportation Security Administration (TSA), will no longer accept non-compliant IDs for official purposes, as mandated by the Department of Homeland Security.

US Social Security Number Fraud Prevention Act of 2017

The Social Security Number Fraud Prevention Act of 2017 is a federal law designed to reduce identity theft by restricting how Social Security numbers (SSNs) are displayed, shared, and used. It prohibits government agencies and private businesses from mailing documents that visibly display full SSNs, unless required by law.

The Act also limits the sale, purchase, and public display of SSNs and imposes penalties for violations. To further combat fraud, it directs the Social Security Administration (SSA) to maintain a death information database, preventing the misuse of SSNs belonging to deceased individuals. The SSA is also tasked with issuing regulations to guide agencies and institutions in preventing SSN-related identity theft.

United States: State Laws

California Consumer Privacy Act (CCPA) of 2018

The California Consumer Privacy Act (CCPA), effective January 1, 2020, is one of the most comprehensive privacy laws in the United States. It grants California residents a broad set of rights over their personal information and imposes significant disclosure, transparency, and data handling obligations on qualifying businesses.

Under the CCPA, businesses that collect personal information from California residents must provide a detailed privacy policy and honor requests to access, correct, delete, or limit the use and sharing of that information. The law also gives consumers the right to opt out of the sale or sharing of their personal data, including via browser-enabled global privacy controls.

Key rights under the CCPA include:

  • Right to know what personal data is collected, how it’s used, and with whom it’s shared or sold
  • Right to delete personal data, with certain legal exceptions
  • Right to opt out of the sale or sharing of personal data
  • Right to correct inaccurate personal information
  • Right to limit the use and disclosure of sensitive personal data

The CCPA applies to for-profit businesses that meet specific thresholds, such as $25 million or more in annual revenue, data collection from 50,000+ California residents, or deriving 50% or more of revenue from selling personal data. It does not apply to most nonprofits or government agencies.

California Privacy Rights Act (CPRA) of 2020

The California Privacy Rights Act (CPRA), passed by ballot initiative in November 2020 and effective as of January 1, 2023, significantly amends and expands the California Consumer Privacy Act (CCPA). The CPRA strengthens privacy protections for California residents and introduces new compliance requirements for businesses that collect and process personal information.

Key provisions of the CPRA include:

  • Expanded definition of personal information, now covering sensitive personal information such as race, health data, and geolocation, and extending protections to include sharing for cross-context behavioral advertising.

  • Creation of the California Privacy Protection Agency (CPPA), a new independent enforcement body with the authority to issue regulations and impose fines.

  • Enhanced consumer rights, including the ability to access, correct, delete, and restrict the use of sensitive personal information.

  • Stronger business obligations, such as requirements to conduct regular cybersecurity audits, perform risk assessments, and formalize contracts with service providers that include privacy terms.

Together, the CPRA builds on the foundation of the CCPA, giving Californians greater control over their data and increasing regulatory accountability for businesses.

Colorado Privacy Act (CPA) of 2021

The Colorado Privacy Act (CPA), effective July 1, 2023, regulates how certain entities collect and process the personal data of Colorado residents. Unlike similar laws in California and Virginia, the CPA extends to nonprofits, in addition to for-profit businesses. It applies to entities that either control or process the personal data of at least 100,000 Colorado residents annually, or derive revenue from the sale of personal data and process the data of 25,000 or more Colorado residents.

The law grants individuals the right to access, correct, and delete their personal data. It also requires opt-in consent for the processing of sensitive data, including information related to race, health, religion, sexual orientation, and government-issued identifiers.

Covered entities must:

  • Provide clear privacy notices outlining data use and sharing practices
  • Implement reasonable security measures
  • Conduct data protection assessments for high-risk activities
  • Designate a person or team responsible for compliance

The CPA includes enforcement authority for the Colorado Attorney General and a limited private right of action, allowing residents to pursue legal remedies in certain situations. The law emphasizes transparency, accountability, and risk-based governance across both public-facing and internal data handling practices.

Connecticut Data Privacy Act (CTDPA) of 2022

The Connecticut Data Privacy Act (CTDPA), officially titled the Act Concerning Personal Data Privacy and Online Monitoring, went into effect on July 1, 2023. It regulates the collection and processing of personal data of Connecticut residents by certain businesses and establishes key privacy rights for individuals. Notably, the law excludes data processed solely for payment transactions, meaning businesses handling credit or debit card information only to complete a sale are not subject to the law.

The CTDPA applies to businesses that:

  • Process the personal data of 100,000+ Connecticut residents, or
  • Process the data of 25,000+ residents and derive 25% or more of gross revenue from the sale of that data

Unlike the CCPA or Utah's privacy law, there is no revenue threshold for applicability under the CTDPA.

Connecticut residents are granted the rights to:

  • Access, correct, delete, and obtain a copy of their personal data
  • Opt in before any processing of sensitive personal data, including information related to race, religion, health, sexual orientation, and government-issued identifiers

Covered businesses must provide clear privacy notices, implement reasonable security measures, and clearly disclose how data is used and shared. The law emphasizes transparency and user control, aligning with broader trends in U.S. state-level privacy legislation.

Iowa Consumer Data Protection Act of 2023

The Iowa Consumer Data Protection Act (ICDPA), passed in March 2023 and effective January 1, 2025, establishes baseline privacy rights for Iowa residents and defines compliance obligations for businesses processing personal data. Modeled closely after Utah’s privacy law, it incorporates elements from other state frameworks but with fewer consumer rights and business requirements.

The law applies to companies that either process the data of 100,000 or more Iowa consumers, or 25,000 or more if they derive at least 50% of revenue from selling personal data. Iowa consumers have the right to confirm whether their personal data is being processed, access that data, request deletion (limited to data they provided), obtain a copy, and opt out of the sale of their data.

Unlike several other state laws, the ICDPA does not require opt-in consent for sensitive data, grant correction rights, or mandate risk assessments, purpose limitation, or the ability to opt out of profiling. Still, covered businesses must provide privacy notices and maintain transparent data practices.

New York SHIELD Act of 2019

The SHIELD Act is a New York State law that strengthens data security and breach notification requirements for any business that collects the private information of New York residents, regardless of where the business is based. The law broadens the definition of “private information” to include biometric data, email addresses with passwords or security answers, and financial account credentials that can be used without additional authentication.

Covered businesses must implement reasonable safeguards (administrative, technical, and physical) to protect private information. These safeguards should be scaled based on the business’s size, complexity, and the nature of the data collected. The SHIELD Act also requires a written data security program and the designation of responsible personnel to oversee compliance.

In the event of a data breach, businesses must notify affected individuals without unreasonable delay and inform the New York Attorney General and other relevant agencies. Noncompliance with security or breach notification requirements can result in civil penalties of up to $5,000 per violation.

Utah Consumer Privacy Act (UCPA) of 2022

Effective December 31, 2023, the Utah Consumer Privacy Act (UCPA) applies to businesses with over $25 million in annual revenue that either process the personal data of at least 100,000 Utah residents or have 25,000 or more consumers and derive over 50% of revenue from selling personal data. The law grants Utah residents rights to access, delete, and obtain their data, as well as opt out of its sale or use for targeted advertising. Covered entities must provide clear privacy notices explaining what data is collected, why, and with whom it is shared. The UCPA is narrower in scope than many other state laws but establishes baseline rights and transparency for consumers.

Virginia Consumer Data Protection Act (VCDPA) of 2021

Effective January 1, 2023, the Virginia Consumer Data Protection Act regulates how certain businesses collect and process the personal data of Virginia residents. It applies to entities that process the data of at least 100,000 residents, or 25,000 residents if over 50% of revenue comes from selling personal data, as well as data brokers processing data on 50,000 or more individuals. The law gives residents the right to access, correct, and delete their personal data, and requires opt-in consent for processing sensitive data such as health, race, and geolocation information. Covered businesses must provide clear privacy notices, implement reasonable security measures, conduct data protection assessments for high-risk processing, and assign compliance responsibility internally. The Attorney General of Virginia oversees enforcement.

Utah Senate Bill 260 (SB 260) of 2025

Effective May 1, 2025, Utah’s SB 260 establishes a state-endorsed digital identity framework that prioritizes individual privacy, autonomy, and consent. The law makes digital identity participation fully optional, prohibits any requirement to use a mobile credential instead of a physical ID, and forbids “phone-home” surveillance, device handover, and data sharing beyond the purpose intended by the credential holder. It enshrines selective disclosure, allowing users to verify attributes such as age or residency without revealing unnecessary personal information. SB 260 also codifies that “the state does not establish an individual’s identity,” reinforcing that government recognition does not define personal existence or rights. Inspired in part by civil-libertarian advocacy groups such as the Libertas Institute and aligned with ACLU privacy principles, the statute represents a first-in-the-nation legal model for privacy-preserving, user-controlled digital IDs and is expected to serve as a template for similar legislation in other states.

European Union Laws

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), enacted by the European Union and effective since May 2018, is one of the most comprehensive and influential data privacy laws globally. It governs how organizations (regardless of their geographic location) collect, process, and store the personal data of individuals within the EU. The law defines personal data broadly and requires organizations to obtain clear, explicit consent for data processing, while granting individuals rights to access, correct, delete, and port their data, as well as to object to or restrict its use. Organizations must implement strong security measures and, in certain cases, appoint a Data Protection Officer to oversee compliance. Enforcement is handled by EU data protection authorities, and noncompliance can result in fines of up to €20 million or 4% of global annual revenue, whichever is higher.

European Digital Wallet Initiative

The European Digital Wallet Initiative, also known as eIDAS 2.0, is a European Commission-led effort to create a unified digital wallet for citizens, residents, and businesses across the EU. The wallet will allow users to securely manage personal data, identification, and payment credentials, and access a wide range of public and private online services through a single interface. Built to be interoperable with national digital identity systems and eIDAS-compliant trust services, such as electronic signatures and seals, the initiative aims to enable seamless cross-border access to services, regardless of the user’s country or provider. As part of the EU’s broader digital strategy, the wallet is expected to drive cross-border e-commerce, reduce transaction complexity, and strengthen user trust in digital interactions across the Union.

European Union Electronic Identification, Authentication and Trust Services (eIDAS Regulation)

The eIDAS Regulation, adopted by the European Union in 2014 and implemented in 2016, establishes a unified legal framework for electronic identification and trust services across all EU member states. It enables citizens and businesses to use a single, recognized digital identity to access public and private services across borders, eliminating the need for multiple logins and enhancing the security and efficiency of digital transactions.

The regulation defines legal standards for electronic signatures, seals, time stamps, and electronic delivery services, with qualified electronic signatures granted the same legal standing as handwritten ones. By ensuring mutual recognition of eIDs and trust services, eIDAS supports cross-border interoperability and is a core pillar of the EU’s Digital Single Market strategy.

eIDAS Architecture and Reference Framework (ARF)

The eIDAS Architecture and Reference Framework (ARF) is a guidance document developed to support the implementation of the EU’s 2014 eIDAS Regulation, which governs secure and trusted electronic transactions across the European Union. As part of the EU’s broader Digital Single Market strategy, the ARF outlines a technology-neutral architecture built around key principles: user-centricity, security, privacy, and interoperability. It defines the functional, legal, and technical requirements for eIDAS-compliant systems, assigning roles such as identity providers, attribute providers, trust service providers, and relying parties to ensure accountability and clear governance.

The ARF is structured into three layers: the application layer (which supports identity and trust services), the service layer (which includes authentication and validation services), and the infrastructure layer (which comprises the underlying technical components such as certificate authorities). Regularly updated, the ARF provides a standard implementation framework for developers, system integrators, and public or private sector stakeholders to promote cross-border compatibility and secure digital interactions across the EU.