Mobile Privacy Laws in the US: State and Federal Protections

Mobile privacy law in the United States operates through an overlapping patchwork of federal statutes, sector-specific regulations, and state-level consumer protection frameworks — none of which were drafted with smartphones as the primary concern. This page maps the operative legal structures governing mobile data collection, transmission, storage, and disclosure, with reference to the agencies, codes, and enforcement mechanisms that define compliance obligations. For organizations navigating mobile security compliance in the US, understanding which legal frameworks apply — and how they interact — is a foundational requirement.


Definition and scope

Mobile privacy law governs how personally identifiable information (PII) collected through mobile devices — smartphones, tablets, wearables, and connected accessories — may be gathered, used, shared, and retained. The scope encompasses data generated by mobile applications, operating systems, cellular network operators, device hardware (including sensors, GPS modules, and biometric readers), and third-party SDKs embedded in consumer-facing software.

No single federal statute in the United States constitutes a general mobile privacy law. Instead, the landscape is composed of at least five distinct federal frameworks with partial mobile applicability (the FTC Act itself plus the sector-specific statutes discussed below), layered atop comprehensive consumer privacy statutes that roughly 20 states have now enacted (IAPP US State Privacy Legislation Tracker). The Federal Trade Commission (FTC) operates as the de facto primary federal enforcement authority for mobile privacy in the commercial sector under Section 5 of the FTC Act, 15 U.S.C. § 45.

Mobile privacy law intersects directly with mobile data loss prevention strategies and with the structural risks documented in mobile app security risks, since many privacy violations originate at the application layer.


Core mechanics or structure

Federal layer

The federal framework governing mobile privacy draws from statutes not originally written for mobile but applied to it through FTC enforcement, regulatory guidance, and judicial interpretation:

Electronic Communications Privacy Act (ECPA), Pub. L. 99-508 — Enacted in 1986, ECPA has three titles. Title I, the Wiretap Act (18 U.S.C. §§ 2510–2523), prohibits interception of electronic communications in transit by anyone, government or private party, absent an exception such as consent or a wiretap order. Title II, the Stored Communications Act (SCA, 18 U.S.C. §§ 2701–2713), governs unauthorized access to stored communications and sets the legal process (warrant, court order, or subpoena) by which the government can compel disclosure from providers; it applies directly to data held by mobile app providers and the cloud storage services linked to mobile devices. Title III covers pen registers and trap-and-trace devices.

Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq. — Administered by the FTC, COPPA requires verifiable parental consent before collecting personal information from children under 13, including through mobile apps. The FTC's COPPA Rule (16 C.F.R. Part 312) was updated in 2013 to explicitly cover mobile applications and persistent identifiers.

Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191 — Administered by the HHS Office for Civil Rights, HIPAA governs protected health information (PHI) transmitted or stored via mobile devices in covered entity and business associate contexts. HHS guidance published in 2012 addressed mobile device use by healthcare organizations (HHS Mobile Devices: Know the RISKS).

Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §§ 6801–6809 — Governs financial institutions' handling of consumer financial data, including mobile banking data, under rules enforced by the FTC, CFPB, and federal banking regulators.

California Electronic Communications Privacy Act (CalECPA), Cal. Penal Code §§ 1546–1546.4 — A state statute rather than a federal one, CalECPA is listed here because it has become a functional national reference point: it requires California law enforcement to obtain a warrant (or satisfy a narrow set of exceptions, such as specific consent or emergency) before compelling or accessing electronic device data or electronic communication information, including mobile device content and location data.

State layer

California's Consumer Privacy Act (CCPA, Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendment through the California Privacy Rights Act (CPRA) establish the most expansive state-level mobile privacy rights, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. Colorado (CPA, C.R.S. § 6-1-1301 et seq.), Virginia (VCDPA, Va. Code § 59.1-571 et seq.), Connecticut (CTDPA), and Texas (TDPSA) have enacted comparable comprehensive frameworks as of 2023–2024.


Causal relationships or drivers

Mobile privacy law has expanded as a direct function of 4 identifiable structural pressures:

1. Sensor proliferation and passive data generation. Modern smartphones integrate GPS, accelerometers, microphones, cameras, and Bluetooth/NFC radios simultaneously. This density of sensing capability — not present in desktop computing — generates persistent location and behavioral data streams that existing statutes were not designed to address.

2. App ecosystem data monetization. The mobile advertising ecosystem relies structurally on device identifiers (IDFAs, Android Advertising IDs), precise location data, and behavioral profiles. The FTC's 2012 report Mobile Privacy Disclosures: Building Trust Through Transparency identified undisclosed data sharing with third parties as a primary violation pattern.

3. Law enforcement access demands. The Supreme Court's decision in Carpenter v. United States, 585 U.S. 296 (2018), held that government acquisition of historical cell-site location information (CSLI) from a carrier constitutes a Fourth Amendment search that generally requires a warrant. The holding binds the government rather than carriers directly, but it reshaped the legal process carriers receive and respond to, and it indirectly drove state legislative activity on device and location data.

4. State attorney general and private enforcement. Because the FTC has limited resources and cannot obtain civil penalties for a first-time Section 5 violation, state attorneys general — particularly in California, Illinois, New York, and Texas — have used state consumer protection statutes and biometric privacy laws to fill federal enforcement gaps, and private plaintiffs have done the same where a statute provides a private right of action.

The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/) is the most litigated mobile biometric statute in the US, covering fingerprint, face geometry, and voiceprint data collected through mobile devices and applications. Its private right of action and per-violation statutory damages drove most of that litigation; a 2024 amendment (Public Act 103-0769) provides that repeated collections from the same person using the same method count as a single violation, curtailing the per-scan damages theory.


Classification boundaries

Mobile privacy law applies differently depending on the data type, the entity collecting it, and the jurisdiction of the affected individual:

By data sensitivity:
- Biometric data (fingerprints, face geometry, voiceprints) — subject to BIPA in Illinois, the Capture or Use of Biometric Identifier Act (CUBI) in Texas (Tex. Bus. & Com. Code § 503.001), Washington's biometric identifier statute (RCW 19.375), and covered under CCPA/CPRA as sensitive personal information when processed to uniquely identify a consumer.
- Health data outside HIPAA — covered by the FTC Health Breach Notification Rule (16 C.F.R. Part 318) if collected by non-covered entities (e.g., health and fitness apps).
- Precise geolocation — classified as sensitive data under CPRA, Colorado CPA, and Virginia VCDPA. Colorado and Virginia require opt-in consent before processing it; CPRA instead grants consumers a right to limit its use and disclosure to what is necessary to provide the requested service.
- Children's data — subject to COPPA at the federal level and heightened protections under CPRA for consumers under 16.

By collecting entity type:
- HIPAA applies only to covered entities and business associates.
- GLBA applies only to financial institutions as defined in 15 U.S.C. § 6809(3).
- FTC Section 5 applies to most commercial entities in or affecting interstate commerce, including app developers and data brokers, but not to banks, common carriers (for their common-carrier activities), or most nonprofits, which fall to other regulators. Where a sector-specific statute also applies, the FTC typically enforces Section 5 alongside it rather than instead of it.

By jurisdiction:
State comprehensive privacy laws apply based on resident location, not company primary location. A company with no California operations but with 100,000+ California residents in its user base meets CCPA threshold triggers (Cal. Civ. Code § 1798.140(d)).


Tradeoffs and tensions

Federal preemption vs. state innovation. No comprehensive federal privacy law has been enacted, leaving states as the primary privacy legislators. Industry coalitions argue this creates 50-state compliance fragmentation; privacy advocates argue federal legislation risks preempting stronger state standards. The proposed American Data Privacy and Protection Act (ADPPA), which stalled in Congress, illustrated both positions simultaneously.

Consent architecture vs. usability. Granular consent models required by state privacy laws — opt-in for sensitive data under the Colorado and Virginia statutes, opt-in for the sale or sharing of data of consumers under 16 under CPRA, and opt-out and limit-use rights elsewhere — conflict with mobile UX design patterns built around minimal friction. Consent fatigue is a documented behavioral phenomenon; the FTC's 2022 staff report Bringing Dark Patterns to Light identified mobile interfaces as a primary venue for manipulative consent design.

Law enforcement access vs. Fourth Amendment standards. Post-Carpenter, law enforcement agencies face warrant requirements for historical CSLI, but real-time location data, tower dumps, and government purchases of location information from data brokers remain in contested legal territory. A related structural tension sits at the carrier: the customer-account channels that let a subscriber change a SIM or port a number are the same channels SIM swapping attacks abuse through social engineering, which is why the FCC's 2023 rules added authentication requirements for SIM changes and port-out requests to the CPNI framework.

Biometric authentication vs. biometric privacy law. Deployment of mobile biometric authentication on enterprise devices in Illinois requires employers to comply with BIPA's written policy, retention schedule, and consent requirements — obligations that impose operational costs even when the biometric deployment is security-enhancing.


Common misconceptions

Misconception: App store privacy labels constitute legal compliance.
Apple's App Store Privacy Nutrition Labels and Google Play's Data Safety section are developer self-reported disclosures; neither store systematically verifies them against an app's actual network behavior, and both disclaim responsibility for their accuracy. FTC enforcement actions and academic and civil-society studies (e.g., Mozilla Foundation, 2022) have found material discrepancies between stated and actual data practices. Labels are not a substitute for CCPA privacy notices, COPPA verifiable parental consent, or HIPAA authorization, and a label that misstates practices is itself a potential Section 5 deception claim.

Misconception: HIPAA covers all health data on mobile devices.
HIPAA applies only to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. A consumer fitness app, a menstrual tracking app, or a mental health journaling app operated by a non-covered entity is not subject to HIPAA. The FTC's Health Breach Notification Rule (16 C.F.R. Part 318) fills part of this gap, but it is a breach notification requirement, not a use or disclosure restriction; the FTC has read it (and Section 5) to reach unauthorized sharing of health data with advertisers, as in its 2023 actions against GoodRx and BetterHelp.

Misconception: Turning off location services stops all location tracking.
Cell-site location information (CSLI) is generated by carrier infrastructure independent of device-level GPS settings. Wi-Fi probe requests, Bluetooth beaconing, and IP address geolocation provide additional passive location signals that persist regardless of device privacy settings. The Carpenter decision addressed CSLI specifically, but non-GPS location inference remains minimally regulated at the federal level.

Misconception: The right to delete under CCPA requires all copies to be destroyed.
CCPA's deletion right is subject to eight enumerated exceptions under Cal. Civ. Code § 1798.105(d) as amended by the CPRA, including completing a transaction the consumer requested, ensuring security and integrity, debugging, compliance with legal obligations, internal uses reasonably aligned with consumer expectations, and research in the public interest. Complete destruction of every copy is not the legal standard, although the business must direct its service providers and contractors to delete the data it holds outside an exception.


Checklist or steps

The following sequence represents the structural elements of a mobile privacy legal compliance assessment, as typically defined by applicable regulatory frameworks:

  1. Identify applicable jurisdictions — Determine which state comprehensive privacy laws apply based on user base volume and revenue thresholds for each state with enacted legislation.
  2. Inventory data categories collected — Enumerate all data types captured by mobile app or device, distinguishing sensitive categories (biometric, geolocation, health, financial, children's data).
  3. Map data flows to their permitted basis — Match each data category to what permits its collection under the applicable state law: notice with an opt-out right for ordinary personal information, affirmative opt-in consent for sensitive categories (Colorado, Virginia, Connecticut, Texas), a limit-use right for sensitive data (CPRA), or a legal obligation. US state laws do not use the GDPR "legitimate interest" basis; do not carry that analysis over unchanged.
  4. Assess third-party SDK data sharing — Identify all embedded third-party SDKs, their data collection scope, and whether their data sharing constitutes a "sale" under applicable state definitions.
  5. Evaluate COPPA applicability — Determine whether the app is directed to children under 13 or has actual knowledge of child users; apply COPPA Rule requirements accordingly.
  6. Apply sector-specific overlays — Layer HIPAA (health), GLBA (financial), or BIPA/state biometric laws over the baseline state privacy law analysis where data sensitivity triggers sector rules.
  7. Audit consent mechanisms — Verify that opt-in mechanisms for sensitive data categories meet the affirmative consent standard (not pre-checked boxes, not buried in terms of service).
  8. Establish data subject rights workflows — Implement operational processes for responding to access, deletion, correction, and opt-out requests within statutory time limits (45 days under CCPA, extendable by 45 additional days with notice).
  9. Document retention and disposal schedules — Maintain written data retention policies specifying deletion timelines for each data category, required by BIPA and referenced as best practice in FTC guidance.
  10. Review carrier and network data obligations — Assess obligations under FCC CPNI rules (47 C.F.R. Part 64, Subpart U) if the service involves telecommunications carrier relationships.

Reference table or matrix

Legal Framework | Administering Body | Primary Mobile Applicability | Enforcement Mechanism | Key Trigger
FTC Act § 5, 15 U.S.C. § 45 | Federal Trade Commission | Commercial mobile apps; deceptive or unfair data practices | Consent decrees; civil penalties for violating an order or an FTC rule (no penalties for a first-time Section 5 violation) | Unfair or deceptive acts or practices
COPPA, 15 U.S.C. § 6501 et seq.; 16 C.F.R. Part 312 | FTC (state AGs may also enforce) | Apps directed to children under 13, or with actual knowledge of child users | Civil penalties, up to $51,744 per violation (2024 FTC inflation adjustment) | Collection of personal information from children under 13
HIPAA, Pub. L. 104-191 | HHS Office for Civil Rights | Mobile devices in covered entity and business associate contexts | Civil monetary penalties; criminal penalties under 42 U.S.C. § 1320d-6 | PHI transmission or storage
ECPA: Wiretap Act, 18 U.S.C. §§ 2510–2523; SCA, 18 U.S.C. §§ 2701–2713 | DOJ; federal courts | Interception of, and access to, mobile communications in transit and in storage | Criminal prosecution; civil cause of action (18 U.S.C. §§ 2520, 2707) | Interception or unauthorized access; compelled government disclosure
GLBA, 15 U.S.C. §§ 6801–6809 | FTC, CFPB, federal banking regulators | Mobile banking and financial apps | Civil penalties; regulatory action | Financial institution status (15 U.S.C. § 6809(3))
FTC Health Breach Notification Rule, 16 C.F.R. Part 318 | FTC | Non-HIPAA health apps and personal health record (PHR) vendors | Civil penalties as an FTC rule violation | Breach of unsecured PHR identifiable health information, including unauthorized disclosure
CCPA/CPRA, Cal. Civ. Code §§ 1798.100–1798.199.100 | California Privacy Protection Agency; California AG | All commercial apps with CA users meeting thresholds | $2,500 per violation; $7,500 per intentional violation or violation involving minors' data (Cal. Civ. Code § 1798.155) | 100,000+ CA consumers or households, OR $25M+ annual revenue, OR 50%+ of revenue from selling or sharing PI
Illinois BIPA, 740 ILCS 14/ | Illinois courts (private right of action); Illinois AG | Biometric authentication; face, fingerprint, and voiceprint data | $1,000 per negligent violation; $5,000 per intentional or reckless violation, plus attorney's fees | Collection of a biometric identifier without written policy, notice, and informed written consent
Colorado CPA, C.R.S. § 6-1-1301 et seq. | Colorado AG; district attorneys | Apps processing CO residents' data above thresholds | Civil penalties under the Colorado Consumer Protection Act | 100,000+ CO consumers, or 25,000+ if revenue is derived from selling PI
Virginia VCDPA, Va. Code § 59.1-571 et seq. | Virginia AG | Apps processing VA residents' data above thresholds | Up to $7,500 per violation | 100,000+ VA consumers, or 25,000+ with 50%+ of revenue from selling PI
FCC CPNI Rules, 47 C.F.R. Part 64, Subpart U | FCC | Mobile carriers and MVNOs; customer proprietary network information, including location data | FCC forfeiture orders and consent decrees | Telecommunications carrier status; use or disclosure of CPNI