Key Takeaways
- U.S. privacy law has no single authority. PII protection is split across multiple federal, state, and international frameworks, and which ones apply to you depends on your industry, your data, and where you operate.
- State legislatures are filling the gaps that federal law leaves open. California led the way with CCPA, but the state-level privacy landscape is expanding.
- GDPR has a longer reach than most organizations realize. If you are a U.S. company that offers goods or services to people in the EU, or tracks their behavior online (customers, employees, or monitored website visitors), it applies to you, regardless of where your company is headquartered.
- Most PII regulations are built around the same core ideas: be transparent, collect only what you need, protect what you hold, and give people control over their own information.
- The real cost of non-compliance goes beyond the fine. Legal exposure, damaged relationships, and the operational burden of breach response are often more disruptive than the penalty itself.
Introduction
If your organization collects, stores, or transmits personal information, you are operating inside a web of legal obligations. Compliance failures can mean multi-million dollar fines, class action lawsuits, and reputational damage that takes years to recover from.
Part of what makes this difficult is that there is no single law that governs PII in the United States. Instead, a layered system of federal statutes, state laws, and international regulations each defines and protects personal information in its own way.
Knowing which laws apply to your organization, and what they actually require, is the foundation of any serious compliance program.
In this guide, we cover:
- The major U.S. federal PII regulations
- What PII laws typically require
- The consequences of non-compliance and practical implications for regulated industries
What Law Establishes PII? The Foundation of U.S. Privacy Law
If you’re looking for a definitive answer to this question, there isn’t one. The U.S. has no single federal law that defines and governs all PII (Personally Identifiable Information).
Instead, the responsibility is spread across sector-specific statutes, state laws, and federal guidance, and which ones apply to you depends on your industry, the data you hold, and where you operate.
There are three federal instruments that laid the groundwork:
- The Privacy Act of 1974 is the closest thing the U.S. has to a foundational PII law. It governs how federal agencies collect, store, use, and share personal information held in systems of records, and gives individuals the right to access and correct their own records. Disclosure without the individual’s written consent is prohibited, subject to a set of enumerated exceptions (such as disclosures for a published “routine use”). The Act applies directly to federal agencies, and, by contract, to vendors that operate a system of records on an agency’s behalf.
- NIST SP 800-122 put the definition into practice. NIST defines PII as any information about an individual maintained by an agency that can be used to distinguish or trace that individual’s identity, on its own or when combined with other information that is linked or linkable to the person. This definition is now the standard reference point across both government and private sector compliance programs.
- The E-Government Act of 2002 extended these protections into the digital age, requiring agencies to conduct a Privacy Impact Assessment before developing or procuring any system that collects personal information.
Together, these three form the federal backbone of the U.S. PII law. But for most private sector organizations, the more practical question is: which industry-specific regulations apply to us?
The Role of Regulations in Protecting PII
PII regulations exist for a simple reason: without rules, personal data gets misused. It is sold without consent, exposed through careless handling, or accessed by people with no business seeing it. The consequences for individuals can be serious: identity theft, financial fraud, discrimination, or targeted attacks built from their own personal details.
Regulations create accountability. They give individuals rights over their own information and require organizations to handle it responsibly.
At their core, they are there to:
- Protect individuals from identity theft, discrimination, financial fraud, and surveillance
- Set clear standards for how personal data should be collected, stored, and used
- Create real consequences when those standards aren’t met
For organizations, this means collecting personal data isn’t a neutral act. It comes with obligations, and those are enforceable.
How Privacy Laws Define and Classify PII
Not all personal information carries the same level of risk, and privacy laws reflect that. Before you can comply with PII regulations, you need to understand how they classify the data you hold.
Most frameworks distinguish between two types of identifiers:
Direct vs. indirect identifiers
Direct identifiers are data points that identify a person on their own, like a Social Security number (SSN), passport number, biometric data, or financial account number. These carry the highest risk if exposed and are subject to the strictest protections.
Indirect identifiers (often called quasi-identifiers) don’t identify someone by themselves, but can when combined with other data. A five-digit ZIP code, full date of birth, and gender together are enough to uniquely identify the majority of U.S. residents; Latanya Sweeney’s well-known estimate put the figure at 87% of the population. This is why indirect identifiers still need to be treated carefully, even when they seem harmless in isolation.
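The re-identification risk described above can be measured rather than asserted. The following is an added example, not code from the original article or from Jatheon: it goes a step beyond the text by applying the standard k-anonymity check, counting how many records share each combination of quasi-identifiers, and then showing how coarsening the ZIP code and date of birth raises every group above the threshold. The records, column names, and the diagnosis column used as the sensitive attribute are constructed for the demo.

```python
"""k-anonymity check over quasi-identifiers (ZIP, date of birth, sex)."""
from collections import Counter

QUASI_IDS = ("zip", "dob", "sex")

# Constructed records for the demo; "diagnosis" stands in for the sensitive attribute.
RECORDS = [
    {"zip": "02139", "dob": "1985-07-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-07-14", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1985-03-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02142", "dob": "1985-11-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1972-01-09", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1972-05-21", "sex": "F", "diagnosis": "asthma"},
]


def group_sizes(records, quasi_ids=QUASI_IDS):
    """How many records share each exact combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity_violations(records, k, quasi_ids=QUASI_IDS):
    """Combinations shared by fewer than k records. A group of size 1 is a person
    who can be singled out from the quasi-identifiers alone."""
    sizes = group_sizes(records, quasi_ids)
    return sorted(combo for combo, n in sizes.items() if n < k)


def min_group_size(records, quasi_ids=QUASI_IDS):
    """The dataset's effective k: the smallest group any record falls into."""
    return min(group_sizes(records, quasi_ids).values())


def generalize(record, zip_digits=3, dob_chars=4):
    """Coarsen the quasi-identifiers (ZIP prefix, birth year only) so that more
    records share each combination. The sensitive attribute is left untouched."""
    g = dict(record)
    g["zip"] = record["zip"][:zip_digits]
    g["dob"] = record["dob"][:dob_chars]
    return g


if __name__ == "__main__":
    print("violations at k=2, raw:", k_anonymity_violations(RECORDS, 2))
    coarse = [generalize(r) for r in RECORDS]
    print("violations at k=2, generalized:", k_anonymity_violations(coarse, 2))
```

On the raw records four of the six people are unique on (zip, dob, sex); after generalizing to a three-digit ZIP and birth year, every group has at least two members. Generalization trades data utility for privacy, and k-anonymity alone does not protect against an attacker who already knows which group a person is in and finds that every member shares the same sensitive value; it is a first check, not a complete de-identification strategy.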
PII in metadata
Most organizations focus their PII compliance efforts on visible content: the text in an email, the fields in a form, the rows in a database.
But personal information is also embedded in the metadata that surrounds every digital file and communication.
- Email headers contain IP addresses, server routing history (the Received chain), and client identifiers that can be traced back to a specific individual. Word documents and PDFs store the original author’s name, the name of the last person to save the file, and sometimes internal server paths and template locations.
- Images carry EXIF data, including GPS coordinates, timestamps, and device serial numbers.
- Tracked changes and comments in a document record each reviewer’s name and can contain text a user thought they deleted, which remains fully retrievable in the file’s revision data.
This matters for compliance because major privacy frameworks explicitly cover these identifiers.
GDPR treats IP addresses and location data as personal data because they can be used to single out an individual. CCPA includes unique personal identifiers and Internet or other electronic network activity information in its definition of personal information.
If your compliance strategy only accounts for visible content, metadata is a massive gap, and one that regulators and opposing counsel in ediscovery know to look for.
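Two of the metadata sources listed above, routing headers in email and the core properties of a Word document, can be inspected and scrubbed with nothing beyond the Python standard library. The block below is an added example written for this page, not code from the original article or from Jatheon. The sample message and the minimal .docx-shaped zip it builds are constructed for the demo (the IP addresses come from documentation ranges, and a real .docx has many more parts than the two written here); the header list it strips is an assumption about what a production team would want removed.

```python
"""Surface and scrub PII hiding in metadata: Received headers in email and
author / last-editor core properties in .docx packages."""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed policy: routing and client headers are removed, sender/recipient stay.
HEADERS_TO_DROP = ("Received", "X-Originating-IP", "X-Mailer")

# Constructed sample message; addresses are from RFC 5737 documentation ranges.
SAMPLE_EMAIL = (
    "Received: from mail.example.org (mail.example.org [203.0.113.7])\n"
    "\tby mx.example.net with ESMTPS; Tue, 1 Apr 2025 09:00:00 +0000\n"
    "Received: from [192.0.2.45] (unknown [192.0.2.45])\n"
    "\tby mail.example.org; Tue, 1 Apr 2025 08:59:58 +0000\n"
    "X-Originating-IP: [192.0.2.45]\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: Q1 numbers\n"
    "\n"
    "Attached.\n"
)


def header_ips(raw_message: str) -> set[str]:
    """Every IPv4 address carried in the routing-related headers."""
    msg = message_from_string(raw_message)
    found: set[str] = set()
    for name in HEADERS_TO_DROP:
        for value in msg.get_all(name, []):
            found.update(IPV4.findall(value))
    return found


def scrub_headers(raw_message: str) -> str:
    """Drop every occurrence of the routing headers; body and addresses are kept."""
    msg = message_from_string(raw_message)
    for name in HEADERS_TO_DROP:
        del msg[name]  # removes all occurrences; no error if absent
    return msg.as_string()


# OOXML core-properties namespaces used by docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:title>Q1 numbers</dc:title><dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{editor}</cp:lastModifiedBy></cp:coreProperties>"
)
AUTHOR_FIELDS = (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy"))


def build_sample_docx(creator: str, editor: str) -> bytes:
    """Construct a minimal .docx-shaped zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", CORE_XML.format(creator=creator, editor=editor, **NS))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def docx_authors(docx_bytes: bytes) -> dict[str, str]:
    """Author-related core properties; empty string when a field is blank or missing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    out = {}
    for key, path in AUTHOR_FIELDS:
        el = root.find(path, NS)
        out[key] = (el.text or "") if el is not None else ""
    return out


def scrub_docx_authors(docx_bytes: bytes) -> bytes:
    """Rewrite the package with creator/lastModifiedBy blanked; other parts are copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for _key, path in AUTHOR_FIELDS:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    print("IPs in headers:", header_ips(SAMPLE_EMAIL))
    doc = build_sample_docx("Alice Smith", "Bob Jones")
    print("authors:", docx_authors(doc), "->", docx_authors(scrub_docx_authors(doc)))
```

Two caveats a practitioner would want: core.xml is only one place names hide in a .docx (comments, tracked changes, and docProps/app.xml carry more), and stripping Received headers from an email changes the evidential record, so the scrubbed copy should be what leaves the organization while the archive keeps the original.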
Sensitive vs. non-sensitive PII
Many laws go a step further and separate PII into sensitive and non-sensitive categories:
- Sensitive PII (health records, financial account numbers, biometric data, government ID numbers, racial or ethnic origin) carries a high risk of harm if exposed and is subject to the most stringent legal requirements
- Non-sensitive PII (email addresses, phone numbers, general employment details) is still protected, but poses a lower standalone risk
Here’s how the major frameworks handle this:
Why does this matter practically?
Because compliance isn’t one-size-fits-all. A piece of data that triggers strict HIPAA requirements might only be lightly regulated under CCPA. Misclassifying what you hold, or failing to classify it at all, means you’re either under-protecting sensitive information or wasting resources on data that doesn’t need that level of care.
Getting classification right is the foundation everything else is built on.
Major Federal PII Regulations by Industry
Because the U.S. has no single privacy law, PII rules are organized by sector. The four sector-specific federal laws most organizations encounter are HIPAA, GLBA, FERPA, and COPPA.
Health Insurance Portability and Accountability Act (HIPAA)
If you work in healthcare, HIPAA is your primary PII regulation. It covers hospitals, clinics, insurers, and business associates (vendors that handle patient data on their behalf).
Under HIPAA, health-related personal data is called Protected Health Information (PHI), and it includes everything from diagnoses and treatment records to appointment dates when they’re linked to a patient.
Key requirements:
- Limit who can access PHI based on job function
- Sign Business Associate Agreements with any third party handling PHI
- Notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach; notify the Department of Health and Human Services at the same time for breaches affecting 500 or more people, or within 60 days of the end of the calendar year for smaller ones
- Penalties range from $100 to $50,000 per violation (statutory baselines, adjusted for inflation each year), with an annual cap per violation category that currently exceeds $1.9M
Gramm-Leach-Bliley Act (GLBA)
GLBA applies to financial institutions, like banks, credit unions, insurance companies, investment firms, and mortgage brokers. It requires them to protect customers’ nonpublic personal financial information and be transparent about how it’s used and shared.
Key requirements:
- Inform customers what data is collected and give them the right to opt out of certain sharing
- Maintain a written information security program covering technical, administrative, and physical safeguards
- Since June 2023, the FTC’s Safeguards Rule (which covers non-bank financial institutions) specifically requires encryption of customer information in transit and at rest and multi-factor authentication for anyone accessing it; since May 2024 it also requires notifying the FTC within 30 days of discovering a breach affecting 500 or more consumers
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the personal information contained in student education records, including grades, transcripts, disciplinary history, financial aid data, and attendance. It applies to any school that receives funding from the U.S. Department of Education, which covers virtually all public schools and most colleges and universities, including private ones that participate in federal student aid programs.
Key requirements:
- Get written consent before sharing student records with third parties
- Give students and parents the right to review and correct records
- Schools are responsible if their vendors mishandle student data
- Non-compliance can result in loss of federal funding
Children’s Online Privacy Protection Act (COPPA)
COPPA applies to any website or online service that collects personal data from children under 13. It’s enforced by the FTC and focuses on one core principle: parents must give verifiable consent before any data is collected from their child.
Key requirements:
- Obtain verifiable parental consent before collecting any data from children under 13
- Post a clear privacy policy explaining what data is collected and why
- Collect only the minimum data needed to provide the service
- Allow parents to review and delete their child’s data at any time
- Civil penalties currently up to $53,088 per violation (inflation-adjusted annually)
U.S. State-Level PII Laws
Federal law covers specific industries, but it doesn’t cover everything. That gap is exactly why U.S. states have been stepping in with their own privacy laws, and the pace has picked up significantly over the last few years.
California Consumer Privacy Act and California Privacy Rights Act (CCPA / CPRA)
California’s privacy law is the most influential state-level PII regulation in the country. The original CCPA came into effect in 2020. The CPRA expanded it two years later and created a dedicated enforcement agency, the California Privacy Protection Agency, to back it up.
It applies to for-profit businesses that meet at least one of these thresholds:
- Annual gross revenue over $26,625,000
- Buy, sell, or share personal information of 100,000+ consumers or households per year
- Derive 50% or more of annual revenue from selling consumer personal information
Under the CCPA/CPRA, California residents have the right to know what data is collected about them, delete it, correct it, and opt out of it being sold or shared.
Businesses that violate the law face fines of up to $2,663 per unintentional violation and $7,988 per intentional one (the statute’s baseline figures of $2,500 and $7,500, adjusted for inflation). Consumers can also sue directly for data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident (baseline figures, also adjusted for inflation).
The broader state landscape
California was first, but it’s no longer the only one. Virginia, Colorado, Connecticut, Texas, Florida, and more than a dozen other states have passed their own comprehensive privacy laws, and more are actively working on legislation. While the specifics vary, they share a common structure: consumer rights over personal data, obligations for businesses that collect it, and penalties for non-compliance.
For organizations operating across multiple states, this creates a real compliance challenge; one set of policies rarely satisfies all frameworks simultaneously.
GDPR: The Global Standard for PII Protection
The General Data Protection Regulation (GDPR) is the EU’s flagship privacy law, and it’s widely considered the most comprehensive data protection framework in the world. It came into effect in May 2018 and has influenced privacy legislation on every continent since.
The most important thing to understand about GDPR is that it reaches far beyond the EU borders.
Any organization, anywhere in the world, that offers goods or services to people in the EU or monitors their behavior (for example, through tracking cookies or analytics) must comply, even with no establishment in Europe. That means if you are a U.S. company with EU customers or employees, or a website that tracks visitors from the EU, GDPR covers you.
How GDPR defines personal data
GDPR uses the term “personal data” rather than PII, but the concept is broader than most U.S. frameworks. It covers any information that can identify a person, directly or indirectly. That includes obvious identifiers like names and passport numbers, but also IP addresses, location data, and cookie identifiers.
GDPR also singles out special categories of data that require the highest level of protection: health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, and data concerning sexual orientation.
What GDPR requires
- Have a documented lawful basis for every type of data processing you do
- Give individuals clear privacy notices at the point of data collection
- Honor data subject rights: access, correction, erasure, portability, and the right to object
- Conduct a Data Protection Impact Assessment (DPIA) before any high-risk processing
- Report data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where the risk is high, notify the affected individuals as well, without undue delay
- Ensure any data transferred outside the EU relies on approved legal mechanisms
Penalties are serious.
Less severe violations can result in fines up to €10 million or 2% of global annual revenue, whichever is higher. The most serious breaches, such as processing without a lawful basis, ignoring data subject rights, or unlawful international transfers, can trigger fines up to €20 million or 4% of global annual revenue, whichever is higher.
What PII Laws Actually Require
Despite covering different industries and jurisdictions, most PII regulations share a common set of obligations. Understanding these common threads is useful because building compliance around them tends to satisfy multiple frameworks at once.
Lawful basis for collection
You need a documented reason for collecting personal data. It can’t be arbitrary.
Under GDPR, that means identifying one of six lawful bases. Under HIPAA, it means fitting within the defined permitted uses.
The principle is the same across all frameworks: collect data with a purpose, and be able to prove it.
Informed consent and privacy notices
People have a right to know what you’re collecting about them, why you’re collecting it, how long you’ll keep it, and who you’ll share it with.
The format varies: GDPR spells out the exact contents of a privacy notice (Articles 13 and 14), while CCPA requires a notice at collection and a “Do Not Sell or Share My Personal Information” link. Transparency is the consistent requirement across the board.
Individual rights
Most modern privacy laws give people meaningful control over their own data:
- Right to access: request a copy of the data you hold about them
- Right to correction: fix inaccurate or incomplete information
- Right to erasure: delete data when it’s no longer needed or on request
- Right to portability: receive data in a machine-readable format
- Right to object: opt out of certain types of processing, including direct marketing
Data minimization
Only collect what you actually need. Every extra piece of PII you store is both a compliance liability and a breach risk. The less you hold, the less there is to protect, and the less damage if something goes wrong.
Security safeguards
Every major PII regulation requires reasonable technical and organizational measures to protect personal data.
In practice, that means:
- Encrypting data in transit and at rest
- Limiting access based on job function
- Maintaining audit logs of who accessed or modified PII
- Conducting regular risk assessments
- Having an incident response plan ready before you need it
Breach notification
When personal data is compromised, you have to act fast.
GDPR requires notifying the relevant supervisory authority within 72 hours of becoming aware of a breach. HIPAA gives covered entities up to 60 days from discovery. Most U.S. state laws have their own timelines. The common thread: silence is not an option.
Vendor and third-party management
You are responsible for what your vendors do with personal data. HIPAA mandates Business Associate Agreements, GDPR calls for Data Processing Agreements, and CCPA sets specific contract requirements for service providers.
If a third party mishandles data you gave them, the liability often flows back to you.
The Consequences of Non-Compliance
Non-compliance with PII regulations creates several problems at once, and they tend to compound quickly.
Financial penalties
The numbers are significant.
GDPR fines have reached into the hundreds of millions of euros for large technology companies. HIPAA penalties can exceed $1.9 million per violation category per year. CCPA fines of up to $7,988 per intentional violation (the inflation-adjusted figure; the statute’s baseline is $7,500) add up fast when a breach affects thousands of consumers.
And these are just the regulatory fines, which don’t include the cost of legal defense, remediation, or settlement.
Litigation and class actions
Several PII regulations give individuals the right to sue directly.
The CCPA allows consumers to bring private lawsuits for certain data breaches, with statutory damages of $100 to $750 per person per incident, which sounds modest until you multiply it across thousands of affected individuals.
GDPR similarly allows individuals to claim compensation for both material and non-material harm. In healthcare, HIPAA violations frequently trigger parallel civil litigation on top of regulatory penalties.
Reputational damage
Regulatory enforcement actions and data breaches are public events.
News travels fast, and trust is hard to rebuild. In regulated industries, especially where clients and partners actively evaluate compliance posture before signing contracts, a publicized breach or enforcement action can cost far more in lost business than the fine itself.
Operational disruption
This one is often underestimated.
Responding to a significant breach or regulatory investigation is expensive and disruptive, independent of any formal penalty.
Legal holds, forensic investigations, mandatory remediation, regulatory correspondence, and notifying affected individuals all consume time and resources, sometimes for months.
Organizations without the right infrastructure in place pay a significant premium just to respond.
Practical Implications for Regulated Industries
For organizations in regulated sectors, PII compliance is a daily operational reality. Employees send emails and messages containing PHI, student records, financial account data, and government IDs.
Those communications need to be retained for compliance, secured against unauthorized access, and made searchable when regulators, courts, or FOIA requesters come calling.
A few practical realities that every regulated organization needs to address:
PII doesn’t stay where you put it
Personal data flows through email, messaging platforms, collaboration tools, HR systems, and customer records. Tracking where PII lives, who has access to it, and how long it has been retained requires systems, not just policies.
Organizations that rely on manual processes for PII governance will consistently fall short of regulatory expectations.
FOIA and ediscovery create specific PII risks
Government agencies responding to Freedom of Information Act requests, and organizations producing documents in legal proceedings, face a concrete and recurring challenge: identifying and redacting sensitive personal information before disclosure.
Without a reliable process, names, SSNs, addresses, and other identifiers can slip through. The result is either over-disclosure, which is a privacy violation, or over-redaction and under-production, which is a legal one.
Neither is acceptable.
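A reliable process starts with detection that understands the structure of the identifiers it looks for, so that the obvious false positives never reach the redaction step. The block below is an added example written for this page, not Jatheon’s redaction engine or any code from the original article. It detects SSNs, U.S. phone numbers, and email addresses in free text, applies the structural validity rules for SSNs (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued), and returns both the redacted text and a list of what was removed at which offsets so the production can be audited. The sample passage, the marker format, and the confidence labels are assumptions made for the demo.

```python
"""Detect and redact direct identifiers before a FOIA or ediscovery production,
keeping an offset-level record of every redaction."""
import re

# SSN with a consistent separator (hyphen or space). Lookaheads reject structurally
# invalid numbers so a mistyped or placeholder value is not flagged.
SSN_FORMATTED = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?!\d)"
)
# Nine bare digits that *could* be an SSN; flagged for review, not auto-redacted as certain.
SSN_BARE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}(?!00)\d{2}(?!0000)\d{4}(?!\d)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
US_PHONE = re.compile(r"(?<!\d)(?:\+1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")

# Order matters: earlier patterns claim their spans first, so an email's digits are
# never re-read as a phone number and a formatted SSN is never re-read as a bare one.
DETECTORS = [
    ("EMAIL", EMAIL, "high"),
    ("SSN", SSN_FORMATTED, "high"),
    ("SSN?", SSN_BARE, "review"),
    ("PHONE", US_PHONE, "medium"),
]

# Constructed sample passage; every identifier in it is fictional.
SAMPLE = (
    "Applicant John Q. Public (SSN 123-45-6789, phone (202) 555-0143, "
    "jpublic@example.org) requested the file. Employee ID 223456789 appears on the "
    "intake form. A mistyped number, 666-12-3456, is structurally invalid and is left "
    "alone. Case 987654321 was closed; total due $1,234.56."
)


def find_identifiers(text):
    """Non-overlapping findings as (start, end, kind, value, confidence), sorted by offset."""
    claimed = []
    findings = []
    for kind, pattern, confidence in DETECTORS:
        for m in pattern.finditer(text):
            if any(m.start() < e and s < m.end() for s, e in claimed):
                continue  # span already owned by a higher-priority detector
            claimed.append((m.start(), m.end()))
            findings.append((m.start(), m.end(), kind, m.group(0), confidence))
    return sorted(findings)


def redact(text):
    """Replace each finding with a labelled marker. Returns (redacted_text, findings);
    the findings list is the audit record of what was removed and where."""
    findings = find_identifiers(text)
    pieces = []
    pos = 0
    for start, end, kind, _value, _confidence in findings:
        pieces.append(text[pos:start])
        pieces.append(f"[REDACTED:{kind}]")
        pos = end
    pieces.append(text[pos:])
    return "".join(pieces), findings


if __name__ == "__main__":
    redacted, log = redact(SAMPLE)
    print(redacted)
    for start, end, kind, value, confidence in log:
        print(f"{start:4d}-{end:<4d} {kind:6s} {confidence:7s} {value}")
```

Note what the example does not do: it makes no attempt at names, which regexes cannot find reliably and which need a name dictionary or an NER model, and it keeps the “review” tier separate so a human decides whether a bare nine-digit number is an SSN or an account number. Redaction is only defensible when the findings log survives alongside the produced document.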
Retention and deletion are two sides of the same obligation
Regulations impose retention requirements (to keep records for a defined period) and deletion obligations (to remove data when its purpose is served or when an individual requests it). These only work together when you have full visibility into what data you hold, where it lives, and how old it is.
How Jatheon helps
Jatheon Cloud is built for exactly this scenario. Our bulk redaction capability allows legal and compliance teams to locate and redact PII across large volumes of archived communications, including emails, chat messages, images, collaboration platforms and files, before responding to FOIA requests, ediscovery production, or data subject access requests under GDPR or CCPA.
No manual document-by-document review required.
Beyond redaction, Jatheon provides:
- Role-based access controls so only authorized personnel can view sensitive communications
- Tamper-proof audit trails that log every search, export, and access event
- Configurable retention policies that automate how long different categories of data are kept
- Automated expunge of data that has reached its mandated retention limit
- A centralized archive across email, mobile, and social channels, so your PII isn’t scattered across platforms
For regulated organizations, the right policies are only half the equation. The other half is having the infrastructure to enforce them. That’s what Jatheon is built to provide.
If your organization handles personal data, having the right archiving infrastructure in place is a core part of PII compliance. Contact us at sales@jatheon.com or book a demo to see how Jatheon helps regulated organizations balance data retention for compliance with strict privacy controls and masking for GDPR, CCPA, and HIPAA.
Summary of the Main Points
- The United States has no single law that establishes PII. Protection is built from a combination of federal statutes, state laws, and international frameworks, with the
- PII regulations give individuals rights over their personal information and impose enforceable obligations on the organizations that collect it.
- The four major federal PII laws each cover a specific sector: HIPAA governs healthcare, GLBA covers financial services, FERPA protects student education records, and COPPA regulates the collection of data from children under 13.
- At the state level, California’s CCPA/CPRA is the benchmark, but the landscape is expanding. Over a dozen states now have their own comprehensive privacy laws, with more on the way.
- GDPR is the global standard and applies to any organization handling EU residents’ personal data, regardless of where that organization is based. Its 72-hour breach notification requirement alone demands serious operational readiness.
- Across all frameworks, the core compliance obligations are consistent: have a lawful basis for collecting data, be transparent about how it’s used, honor individual rights, minimize what you collect, secure what you hold, and manage your vendors.
- Non-compliance creates layered consequences, such as regulatory fines, private litigation, reputational damage, and operational disruption, that often arrive together and compound each other.
- For regulated industries, compliance is an operational challenge as much as a legal one. Having the right infrastructure to retain, search, redact, and audit PII across communications is what separates organizations that can respond to regulatory demands from those that can’t.
FAQ
Is there a single federal law that covers all PII in the United States?
No. The U.S. has no single overarching federal privacy law. PII protection is distributed across sector-specific statutes, such as HIPAA for healthcare, GLBA for financial services, FERPA for education, COPPA for children’s online data, alongside state laws like the CCPA and international frameworks like GDPR. The Privacy Act of 1974 comes closest to a foundational federal PII law, but it applies specifically to federal agencies, not private sector organizations.
What is the difference between PII and personal data?
PII is primarily a U.S. term. Personal data is the equivalent term used in the EU under GDPR. The two concepts overlap significantly, but GDPR’s definition of personal data is broader. It explicitly includes IP addresses, cookie identifiers, and location data as personal data, whereas some U.S. frameworks treat these more narrowly. For multinational organizations, it’s safest to apply the broader GDPR definition across the board.
Does GDPR apply to U.S. companies?
Yes, if those companies offer goods or services to people in the EU or monitor their behavior. GDPR applies based on where the data subject is, not where the organization is based. A U.S. company with European customers or employees, or one that tracks visitors from the EU on its website, is subject to GDPR regardless of whether it has any physical presence in Europe.
What happens if an organization is subject to more than one PII regulation?
It needs to comply with all of them simultaneously. A healthcare organization operating in California, for example, must comply with both HIPAA and the CCPA, and if it handles data from EU residents, GDPR applies too. Where regulations overlap, the stricter requirement generally takes precedence. This is why many compliance programs are built around the most demanding framework an organization faces, then adjusted for the others.
What is the difference between sensitive and non-sensitive PII?
Sensitive PII, including health records, biometric data, SSNs, financial account numbers, and racial or ethnic origin, carries a high risk of harm if exposed and is subject to the strictest legal protections. Non-sensitive PII, like email addresses, phone numbers, and general employment details, is still regulated and protected but poses a lower standalone risk. The distinction matters because different regulations apply different levels of scrutiny depending on the category of data involved.
Is metadata considered PII?
Under most major privacy frameworks, yes. GDPR treats IP addresses and location data as personal data. CCPA includes unique personal identifiers and electronic network activity information in its definition of personal information. This means email headers, document author information, image EXIF data, and revision histories can all constitute PII, and need to be treated accordingly, particularly in ediscovery and FOIA contexts.
What are the most common compliance failures organizations make around PII?
The most frequent issues are: collecting more data than necessary and failing to document why it was collected; not having vendor agreements that address data handling obligations; treating breach notification as optional rather than mandatory; focusing compliance efforts on visible content while ignoring metadata; and having retention policies on paper that aren’t enforced in practice. Most regulatory investigations and enforcement actions trace back to one or more of these gaps.
How long do organizations have to notify individuals after a PII breach?
It depends on the applicable regulation. GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach (and notification of affected individuals without undue delay when the risk to them is high). HIPAA gives covered entities up to 60 days from discovery to notify affected individuals and the Department of Health and Human Services. CCPA and various state laws have their own timelines. Organizations subject to multiple frameworks must meet the strictest applicable deadline.