Cybersecurity law asks whether data is secure. Privacy law asks whether you should be collecting and using it at all, and what rights people have over it. The two overlap constantly, and contractors increasingly answer to both.
The U.S. has no single privacy law — it has many
Instead of one statute, the United States regulates privacy through a patchwork:

The FTC Act, Section 5: the Federal Trade Commission polices "unfair or deceptive acts or practices," and has built a de facto common law of privacy and data security through enforcement.

Sectoral statutes: HIPAA (health), GLBA (financial), FERPA (education records), COPPA (children under 13), and the Fair Credit Reporting Act (consumer reports).

State comprehensive laws: beginning with California's CCPA/CPRA, a growing majority of states (now 20+) have enacted comprehensive consumer-privacy laws granting access, deletion, correction, and opt-out rights, with heightened rules for sensitive data and automated decisions/profiling.
The GDPR and cross-border data
If you process the personal data of people in the EU, the General Data Protection Regulation can apply no matter where you sit. It distinguishes controllers (who decide why and how data is processed) from processors (who act on instructions), grants strong individual rights, and tightly restricts transferring data out of the EU — typically requiring an adequacy decision or Standard Contractual Clauses.
What's actually "personal data"?
A recurring hard problem: the line between identifiable and anonymous data is blurry. Data once thought de-identified can often be re-identified by combining datasets — so "we anonymized it" is not a complete answer.
Why it matters for contractors
Government work routinely involves PII, health data, financial data, biometrics, and records about the public. A contractor that nails NIST 800-171 but ignores privacy law can still face FTC action, state-AG enforcement, or GDPR exposure. Build privacy and security as one program: minimize what you collect, document your legal basis, honor individual rights, and secure what remains.