John Bandler’s CIPP/US and US Privacy Learning, Part 3

Federal Privacy and Cybersecurity Laws, BoK II

by John Bandler

This is Part 3 of my CIPP/US and U.S. privacy learning materials.

Here we cover federal privacy laws, meaning federal laws that relate to privacy, cybersecurity, and data breach notifications. We don't cover issues relating to privacy from law enforcement here (that's in the next domain, Part 4, BoK III).

+ Please excuse some construction disruption as I revamp my webpages and update my CIPP/US privacy study courses. +


Topics covered

IAPP renamed the title of this domain, and I'm glad they did, but the basic content remains very similar.

The current name is "Federal Privacy Law"; the prior name was "Limits on Private-sector Collection and Use of Data". That old name never sat well with me. "Limits" really meant "laws", and the domain was always primarily about federal laws, but we need to remember that state laws also set similar limits, and state laws are the subject of an entirely different domain (BoK V).

Some people are not sure what privacy law entails (I explain it in my courses and in short articles and videos on cyberlaw, data law, and privacy law), so I make it clearer by referring to this domain as "Federal privacy and cybersecurity law". Let's also remember that this is about privacy from private companies; if we want to learn about privacy from government, that's in a different domain and in my Fourth Amendment resources.

This is an important domain, since federal law is important. Here we see how the U.S. regulates privacy sector-by-sector in many areas (also known as the sectoral model). This domain essentially covers:

  • Federal Trade Commission (FTC): its authority (the FTC Act) and its role in privacy and cybersecurity consumer protection and enforcement
    • Much privacy regulation cuts across various sectors
    • Privacy for children: Children’s Online Privacy Protection Act of 1998 (COPPA)
  • Healthcare and Medical Sector Privacy Laws and Regulations
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      • Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  • Financial Sector Privacy Laws and Regulations
    • The Fair Credit Reporting Act of 1970 (FCRA)
    • The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    • The Financial Services Modernization Act of 1999 (“Gramm-Leach-Bliley” or GLBA)
  • Education Sector Privacy Laws and Regulations
    • Family Educational Rights and Privacy Act of 1974 (FERPA)
  • Telecommunications and Marketing Privacy Laws
    • Telephone Consumer Protection Act of 1991 (TCPA)
    • Telemarketing Sales Rule (TSR)
    • The Do-Not-Call registry (DNC)
    • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
    • The Junk Fax Prevention Act of 2005 (JFPA)

Federal enforcement and priorities can change significantly with different administrations, and it is fair to say the changes have been unprecedented since early 2025. There have been extensive layoffs in most federal agencies, consumer protection has been deprioritized and reduced, and there are plans to disband the Department of Education, which oversees FERPA.

My courses

I have created two online courses to help people learn about privacy and prepare for this certification exam.

Overall references for CIPP/US

  • See my Part 1 course for the overall references and additional reading (including IAPP resources)
  • My courses give priority coverage to the important areas. If you want to dig deeper, I point to resources on where to start.

Part 3 specific references

This page is hosted at https://johnbandler.com/cippus/part3. Copyright John Bandler, all rights reserved. No claim to IAPP materials or legal references.

Page posted 3/22/2026, drawing upon my previous materials. This page updated 04/12/2026.