In 1995 the European Union (EU) introduced the Data Protection Directive for its member states. As a result, many organizations doing business within the EU began to draft policies to comply with this Directive. In the same year the U.S. Federal Trade Commission published the Fair Information Principles which provided a set of non-binding governing principles for the commercial use of personal information. While not mandating policy, these principles provided guidance of the developing concerns of how to draft privacy policies.

The four critical issues identified in Fair Information Principles are:

In addition the Principles discuss the need for enforcement mechanisms to impose sanctions for noncompliance with fair information practices.

The United States does not have a specific federal regulation establishing universal implementation of privacy policies. Congress has, at times, considered comprehensive laws regulating the collection of information online, such as the Consumer Internet Privacy Enhancement Act and the Online Privacy Protection Act of 2001, but none have been enacted. In 2001, the FTC stated an express preference for "more law enforcement, not more laws" and promoted continued focus on industry self regulation.

In most cases, the FTC enforces the terms of privacy policies as promises made to consumers using the authority granted by Section 5 of the FTC Act which prohibits unfair or deceptive marketing practices. The FTC's powers are statutorily restricted in some cases; for example, airlines are subject to the authority of the Federal Aviation Administration (FAA), and cell phone carriers are subject to the authority of the Federal Communications Commission (FCC).

While no generally applicable law exists, some federal laws govern privacy policies in specific circumstances, such as:

The Children's Online Privacy Protection Act (COPPA) affects websites that knowingly collect information about or target at children under the age of 13. Any such websites must post a privacy policy and adhere to enumerated information-sharing restrictions COPPA includes a Safe Harbor provision to promote Industry self regulation.

The Gramm-Leach-Bliley Act requires institutions "significantly engaged in financial activities give "clear, conspicuous, and accurate statements" of their information-sharing practices. The Act also restricts use and sharing of financial information.

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules requires notice in writing of the privacy practices of health care services, and this requirement also applies if the health service is electronic.

Some states have implemented more stringent regulations for privacy policies. The California Online Privacy Protection Act of 2003 - Business and Professions Code sections 22575-22579 requires "any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site". Both Nebraska and Pennsylvania have laws treating misleading statements in privacy policies published on Web sites as deceptive or fraudulent business practices.