The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (1999). Businesses must develop a written information security plan that describes how the company protects sensitive data, and it is enforced by the Federal Trade Commission (FTC). This include administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information, protect against anticipated threats and unauthorized access to the data, and ensure the secure disposal of customer information.

The California Consumer Privacy Act (CCPA) grants California residents several rights concerning their personal data, including the right to know what personal information is collected about them, the right to delete their personal information, and the right to opt-out of the sale of their personal information (2018). It applies to businesses that operate in California and meet certain criteria related to revenue and data processing. The CCPA is enforced by the California Attorney General's office and provides a framework for consumer privacy rights in the digital age. Penalties for non-compliance can be severe.

The California Privacy Rights Act (CPRA) amends and expands the CCPA, introducing additional privacy protections and rights for California residents (2020). The CPRA establishes the California Privacy Protection Agency (CPPA) to enforce privacy laws. It includes provisions related to sensitive personal information, automated decision-making, and data minimization. It also extends the consumer's rights to correct inaccurate personal information and imposes stricter limitations on the use and sharing of personal data. Businesses must comply with both the CCPA and CPRA, with the CPRA's provisions taking effect in 2023. Penalties for non-compliance can be substantial, further emphasizing the need for robust data protection practices. CPRA expands on the CCPA, introducing concepts such as sensitive personal information, creating a new enforcement agency, and extending data retention limitations. The CPRA is enforced by the California Privacy Protection Agency (CPPA). Compliance with both CCPA and CPRA is required for businesses operating in California and handling personal data of California residents, with more stringent requirements and potential penalties under the CPRA.