Mobile Privacy Laws in the US: State and Federal Protections
Mobile privacy law in the United States operates through a fragmented system of federal statutes, sector-specific regulations, and an expanding set of state-level consumer privacy frameworks. This page maps the primary federal and state instruments governing mobile data collection, transmission, and use — covering definitional scope, structural mechanics, enforcement authorities, and the classification boundaries that determine which law applies to which mobile data type. The landscape is directly relevant to device manufacturers, app developers, mobile carriers, healthcare providers, financial institutions, and any organization processing personal data through mobile endpoints.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Mobile privacy law governs the collection, processing, storage, sharing, and deletion of personal data generated by or transmitted through mobile devices — including smartphones, tablets, wearables, and connected vehicle systems. The regulatory scope covers location data, device identifiers, contact lists, call records, biometric inputs, app usage patterns, and communications content.
No single comprehensive federal mobile privacy statute exists in the United States. Instead, mobile data falls under a sectoral patchwork: the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq., governs interception of electronic communications in transit (Wiretap Act) and access to stored communications and records (Stored Communications Act, 18 U.S.C. § 2701 et seq.); the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq., governs online collection of personal information from children under 13; HIPAA governs health data processed by covered entities and their business associates; and the Gramm-Leach-Bliley Act (GLBA) governs nonpublic personal financial information held by financial institutions.
At the state level, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) and codified at Cal. Civ. Code § 1798.100 et seq., is the most operationally significant. As of 2024, at least 20 states have enacted or are advancing comprehensive consumer privacy statutes with mobile data implications, according to the International Association of Privacy Professionals (IAPP) State Privacy Legislation Tracker.
The Federal Trade Commission (FTC) holds broad enforcement jurisdiction over mobile privacy under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts — including privacy misrepresentations in app disclosures and data broker practices. The Federal Communications Commission (FCC) holds jurisdiction over telecommunications carriers' handling of Customer Proprietary Network Information (CPNI) under 47 U.S.C. § 222.
Core mechanics or structure
Mobile privacy law functions through three structural mechanisms: disclosure requirements, consent architectures, and enforcement channels.
Disclosure requirements mandate that entities collecting mobile data publish privacy notices describing what data is collected, the purposes of collection, and third-party sharing practices. Under COPPA, operators of apps directed to children must post a direct notice to parents before collecting any personal information (FTC COPPA Rule, 16 C.F.R. Part 312). Under the CCPA/CPRA, businesses must disclose all categories of personal information collected, including device identifiers and precise geolocation, at or before the point of collection.
Consent architectures vary by data type and statutory framework. ECPA's Wiretap Act prohibits interception of a communication in transit unless at least one party has consented (18 U.S.C. § 2511(2)(d)); messages already stored on a server fall instead under the Stored Communications Act, and several states require the consent of all parties before a call is recorded. Together these rules shape how mobile apps may capture call audio or read SMS content. HIPAA requires patient authorization before covered entities may use or disclose protected health information (PHI) for purposes beyond treatment, payment, and healthcare operations, apart from enumerated exceptions such as disclosures required by law; this directly governs health and fitness apps connected to covered entity systems. COPPA requires verifiable parental consent before any personal information is collected from users under 13, a requirement the FTC enforces actively against mobile app operators.
Enforcement channels include FTC administrative proceedings and federal court actions under Section 5; state attorney general actions under applicable state statutes; private rights of action available under statutes like the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq.; and FCC enforcement actions against carriers for CPNI violations. The FTC's enforcement actions in mobile privacy have resulted in civil penalties — the agency obtained a $5.7 million penalty against a children's app operator (TikTok/Musical.ly) in 2019 for COPPA violations, as documented in FTC Case Reference No. 172-3004.
Causal relationships or drivers
The fragmentation of mobile privacy law in the United States follows from three structural causes.
First, Congress has not enacted a comprehensive federal privacy statute with preemptive effect. Legislative efforts including the American Data Privacy and Protection Act (ADPPA), which cleared the House Energy and Commerce Committee in 2022, and the American Privacy Rights Act (APRA) draft introduced in 2024 have not cleared both chambers as of the 2024 legislative calendar, leaving regulatory authority distributed across agencies and states.
Second, mobile technology generates data types (precise geolocation, persistent device identifiers, behavioral biometrics) that existing federal statutes, most written before smartphones existed, do not address with sufficient specificity. ECPA was enacted in 1986, more than two decades before the modern smartphone ecosystem. Courts have repeatedly had to decide how the Fourth Amendment's "reasonable expectation of privacy" test applies to records that the Stored Communications Act lets the government compel on less than probable cause. That process advanced significantly in Carpenter v. United States, 585 U.S. 296 (2018): the government had obtained 127 days of historical cell-site location information (CSLI) under a Stored Communications Act court order (18 U.S.C. § 2703(d)), and the Supreme Court held that acquiring those records without a warrant violated the Fourth Amendment.
Third, state legislative activity intensified after the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, which pressured US-based companies to build privacy infrastructure and prompted state legislatures to respond to constituent demand for comparable domestic protections. California's CCPA, enacted in June 2018 and effective January 1, 2020, is widely attributed in part to this pressure, alongside the pending state ballot initiative it was passed to forestall. Since 2021, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and more than a dozen additional states have enacted similar frameworks, according to the IAPP State Privacy Legislation Tracker.
Classification boundaries
Mobile privacy law classification depends on four variables: the type of data involved, the identity of the collecting entity, the age of the data subject, and the jurisdiction of the affected parties.
Data type is the primary classifier. Location data receives distinct treatment under the CPNI rules (carrier-level), in the FTC's commercial surveillance and data security rulemaking (advance notice of proposed rulemaking issued in 2022), and under state statutes that treat precise geolocation as "sensitive" personal information. In most states outside California, sensitive data requires opt-in consent rather than opt-out; California's CPRA instead grants consumers a right to limit the use and disclosure of sensitive personal information. Biometric data, including facial geometry, fingerprints, and voiceprints captured through mobile devices, is governed by BIPA in Illinois and by analogous statutes in Texas (Tex. Bus. & Com. Code § 503.001) and Washington (RCW 19.375.020).
Entity type determines which federal regime applies. A mobile health app connected to a hospital's EHR system triggers HIPAA. The same app operated independently by a wellness company may fall outside HIPAA's covered entity definition while remaining subject to FTC Section 5 enforcement and applicable state law.
Age of the data subject creates the sharpest classification boundary in US mobile privacy law. Collection from users under 13 triggers COPPA's verifiable parental consent requirement regardless of industry sector or entity type. The FTC's COPPA Rule, 16 C.F.R. Part 312, applies to operators of websites and online services — including mobile apps — directed to children or with actual knowledge of child users.
Jurisdiction governs which state statute applies. Most state comprehensive privacy laws follow a data subject residency model: a law applies when the data of that state's residents is processed, regardless of where the processing entity is located, provided the entity meets the statute's applicability thresholds (typically a minimum number of resident consumers or a share of revenue derived from selling personal data).
Tradeoffs and tensions
The central tension in US mobile privacy law is between federal preemption and state experimentation. Industry stakeholders, including trade groups such as the Software & Information Industry Association (SIIA), have advocated for a single federal standard that would displace the growing patchwork of state laws, arguing that compliance with 20 or more distinct state frameworks creates disproportionate operational complexity for small app developers and mid-market technology firms. Consumer advocacy organizations and state attorneys general have opposed preemption provisions that would reduce protections below the California floor, arguing that CPRA rights, including the right to correct inaccurate personal information and the right to limit use of sensitive data, exceed the federal standards proposed to date.
A second tension involves law enforcement access versus individual privacy. Before Carpenter, the Fourth Amendment's third-party doctrine (Smith v. Maryland, 442 U.S. 735 (1979)) was read to permit warrantless government access to subscriber metadata held by carriers, and the Stored Communications Act accordingly allowed such records to be compelled under a court order issued on less than probable cause. Post-Carpenter, Fourth Amendment protection attaches to comprehensive historical location records, but the contours of the ruling remain contested in lower courts. State electronic communications privacy statutes, including California's CalECPA (Cal. Penal Code § 1546 et seq.), impose warrant requirements for government access to electronic device information that exceed federal baseline protections.
A third tension involves consent architecture design. Opt-in models for sensitive data, as required for precise geolocation and biometric data under the Virginia, Colorado, and Connecticut statutes (California's CPRA instead gives consumers a right to limit use of such data), reduce the volume of data available for analytics and targeted advertising, affecting the economic model of mobile advertising. App stores have implemented privacy label requirements (Apple's App Store Privacy Nutrition Labels and Google Play's Data Safety section) that create disclosure infrastructure but do not standardize what constitutes valid consent under any particular statute.
Common misconceptions
Misconception: A mobile app's privacy policy constitutes legal compliance. A published privacy policy is a disclosure instrument, not a compliance certification. The FTC has brought enforcement actions against companies whose privacy policies accurately disclosed data practices that the agency determined were nonetheless unfair under Section 5. The policy must accurately reflect actual practice, and the practice itself must meet statutory requirements. Disclosure of COPPA-covered data collection does not substitute for obtaining verifiable parental consent.
Misconception: HIPAA covers all health data on mobile devices. HIPAA's covered entity framework applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates. A fitness tracking app operated by a technology company with no covered entity relationship is not subject to HIPAA. Such apps may instead fall under the FTC's Health Breach Notification Rule (16 C.F.R. Part 318), which covers vendors of personal health records and related entities outside HIPAA, and under Section 5. The FTC has issued guidance, including its Mobile Health Apps Interactive Tool, clarifying which federal laws apply to health-related mobile applications outside the HIPAA framework.
Misconception: Federal law preempts state mobile privacy requirements. No comprehensive federal mobile privacy statute with preemptive effect currently exists. Sector-specific statutes preempt only inconsistent state law within their specific coverage domains: HIPAA and GLBA both expressly preserve state laws that are more protective (45 C.F.R. § 160.203; 15 U.S.C. § 6807), and COPPA displaces only state law inconsistent with its requirements (15 U.S.C. § 6502(d)). Outside those domains, state laws operate independently and may impose requirements that exceed federal minimums.
Misconception: Precise location data requires GPS. Statutory definitions of "precise geolocation" are technology-neutral: the CPRA, for example, defines it by accuracy (data used to locate a consumer within a circle with a radius of 1,850 feet, Cal. Civ. Code § 1798.140), not by the sensor that produced it. Cell-site location information (CSLI), Wi-Fi positioning data, and Bluetooth beacon proximity data can all meet such definitions depending on granularity and duration, and the Carpenter decision itself concerned CSLI rather than GPS-derived data.
Checklist or steps (non-advisory)
The following sequence represents the standard compliance determination workflow applied by privacy legal teams and mobile security practitioners when assessing a mobile application or service against applicable US privacy law.
- Identify all data types collected — enumerate device identifiers, location data tiers (coarse vs. precise), biometric inputs, communications content, behavioral data, and health-related data.
- Determine entity classification — establish whether the organization qualifies as a HIPAA covered entity, HIPAA business associate, financial institution under GLBA, or operator subject to COPPA.
- Identify user age demographics — determine whether the app is directed to children under 13 or whether actual knowledge of child users exists, triggering COPPA requirements.
- Map data subjects by state residency — identify which state comprehensive privacy statutes apply based on the residency of users whose data is processed.
- Classify sensitive data under applicable state law — identify precise geolocation, biometric, health, financial, racial or ethnic origin, sexual orientation, and citizenship status data, which trigger heightened requirements: opt-in consent and data protection assessments under VCDPA, CPA, CTDPA, and similar statutes, and a consumer right to limit use and disclosure (plus risk assessments) under CPRA.
- Audit third-party data sharing — document all data processor and data broker relationships; assess whether state "sale" or "sharing" definitions are triggered, which activates opt-out rights under CCPA/CPRA and analogous statutes.
- Review carrier data practices — if the service involves a telecommunications carrier or accesses CPNI, confirm compliance with 47 C.F.R. Part 64, Subpart U governing CPNI protections.
- Validate consent architecture — confirm that consent mechanisms satisfy the most restrictive applicable standard across all triggering statutes.
- Document data minimization and retention limits — confirm policies align with state-imposed limits, including CPRA's right to deletion and storage limitation principle.
- Establish breach notification protocols — identify applicable state breach notification statutes and federal sector-specific requirements (HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400–414).
Reference table or matrix
| Statute / Framework | Governing Body | Primary Mobile Data Covered | Consent Model | Private Right of Action | Penalty Ceiling |
|---|---|---|---|---|---|
| ECPA (18 U.S.C. § 2510 et seq.) | DOJ / Courts | Communications content in transit (Wiretap Act); stored communications and records (SCA) | One-party consent federally; all-party consent in some states | Yes (18 U.S.C. § 2520) | Criminal penalties plus statutory and actual civil damages |
| COPPA (15 U.S.C. § 6501 et seq.) | FTC (state AGs may also sue) | All personal information from users under 13 | Verifiable parental consent | No | $51,744 per violation (2024 inflation-adjusted figure, 16 C.F.R. § 1.98) |
| HIPAA (45 C.F.R. Parts 160, 164) | HHS / OCR | Protected health information (PHI) | Authorization (non-TPO purposes) | No | Annual cap per violation category, inflation-adjusted (about $2 million as of 2024) |
| GLBA (15 U.S.C. § 6801 et seq.) | FTC / CFPB / banking regulators | Nonpublic personal financial information | Notice plus opt-out of third-party sharing | No | Agency civil penalties; varies by regulator |
| FCC CPNI (47 U.S.C. § 222; 47 C.F.R. Part 64, Subpart U) | FCC | Carrier call metadata, service usage, location | Opt-in for disclosure to third parties for marketing; opt-out for certain carrier and affiliate uses | No | Forfeitures under 47 U.S.C. § 503(b): base amounts of $100,000 per day and $1,000,000 per continuing violation for carriers, inflation-adjusted annually (47 C.F.R. § 1.80) |
| CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.) | California Privacy Protection Agency / California AG | Personal information including device identifiers and precise geolocation | Opt-out of sale and sharing; right to limit sensitive PI; opt-in for sale of data of consumers under 16 | Limited (data breaches only, § 1798.150) | $2,500 per violation; $7,500 per intentional violation or violation involving consumers under 16 |
| BIPA (740 ILCS 14/1 et seq.) | Private litigants in Illinois courts | Biometric identifiers and biometric information | Written informed consent before collection | Yes | Liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation |