For US buyers, outsourcing to Kenya raises a different compliance question than it does for UK firms: there is no comprehensive federal privacy law, so the rules come from a patchwork of state statutes and sector-specific laws, with the cross-border transfer governed mainly by contract. This page explains the US landscape, the 19 states with comprehensive privacy laws, how HIPAA bears on health data through aligned controls, and how to structure a compliant transfer to a Kenya team. It pairs the US side with Kenya’s own Data Protection Act 2019, which governs the export side.
Key Facts
| Item | US position |
|---|---|
| Federal comprehensive privacy law | None |
| States with comprehensive laws | 19 |
| Key state laws | CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas) |
| Cross-border transfer | Governed by contract |
| Health data | HIPAA applies to protected health information (PHI) |
| HIPAA framing | Use HIPAA-aligned controls language |
| Kenya export side | Data Protection Act 2019, enforced by the ODPC |
| Kenya regulator | Office of the Data Protection Commissioner |
| Kenya registration | Mandatory above thresholds |
| Kenya breach notification | Within 72 hours |
Key terms
- Comprehensive state privacy law: a state statute giving consumers broad rights over their personal data, such as California’s CCPA/CPRA.
- PHI: protected health information, the category of US health data governed by HIPAA.
- Aligned controls: security and privacy practices that follow the structure of a standard such as HIPAA without an external certification claim.
There is no federal privacy law
Answer: The United States has no comprehensive federal privacy law, so obligations come from state statutes and sector-specific rules, with transfers governed by contract.
This is the starting point that surprises many buyers. Unlike the UK, where one regime governs transfers, US privacy is fragmented. There is no single federal export rule for sending personal data to a Kenya team; instead, your obligations flow from the state laws that apply to your consumers and from any sector rules such as HIPAA. The practical consequence is that the contract does the heavy lifting. You define security, confidentiality, breach handling and data-use limits in the agreement with your provider, and you confirm the provider’s standing under the Kenya Data Protection Act 2019 on the export side. Our compliance overview shows where this sits in the wider picture.
The 19 state privacy laws
Answer: Nineteen states have passed comprehensive privacy laws, and which apply depends on where your consumers are and each law’s thresholds.
The leading examples shape most compliance programmes:
| State | Law |
|---|---|
| California | CCPA / CPRA |
| Virginia | VCDPA |
| Colorado | CPA |
| Connecticut | CTDPA |
| Utah | UCPA |
| Texas | TDPSA |
These laws give consumers rights such as access, deletion and opt-out, and impose duties on businesses that process their data, including obligations that flow down to service providers and processors. The detail varies between states, but the common thread is that you remain responsible for personal data even after it reaches your Kenya team, so the duties have to be passed on in writing. When a Kenya team handles data about residents of these states, your contract should require the provider to support those obligations, from honouring deletion requests to limiting use of the data to the agreed purpose. Because applicability turns on consumer location and statutory thresholds, map where your data subjects are before drafting terms, and revisit the map as you enter new markets. The IAPP tracker is a practical reference for the current state of play, as the number of states with comprehensive laws has grown steadily. For vendor selection, fold these requirements into your RFP so providers price and plan for them from the outset.
HIPAA and health data
Answer: HIPAA applies to US protected health information, so a Kenya team handling such data should operate under HIPAA-aligned controls and appropriate contractual terms.
If your outsourcing involves protected health information, HIPAA sits on top of any state law. The right framing is HIPAA-aligned controls: structure the arrangement so the Kenya provider follows the safeguards HIPAA expects and is bound by appropriate contractual terms, rather than claiming a certification that does not exist. Pair this with the Kenya Data Protection Act on the export side, which already requires appropriate security and treats health data as sensitive, raising the bar on the Kenya end too. Where a provider references HIPAA or ISO 27001, treat these as aligned controls to verify. This is common ground in regulated work such as clinical and medical support.
Structuring a compliant transfer
Answer: Govern the transfer by contract, reflect the applicable state and sector obligations, and confirm the Kenya provider’s standing under the DPA.
A workable structure for US buyers:
- Map your data subjects so you know which state laws apply.
- Set contractual terms that flow down state-law and any HIPAA-aligned obligations to the provider.
- Confirm the Kenya side: check the provider’s compliance with the Data Protection Act 2019 and ODPC registration where thresholds apply.
- Define security and breach handling, including support for the Kenya 72-hour breach rule.
- Review as state laws evolve and as your processing changes.
Because the transfer is contract-governed, the diligence you do up front, and the clarity of your terms, are what make the arrangement defensible. UK buyers face a parallel but distinct duty through the IDTA, which is worth understanding if you operate across both markets.
Key Takeaways
- The US has no federal comprehensive privacy law; obligations come from state and sector rules.
- Nineteen states have comprehensive laws, led by California’s CCPA/CPRA and peers in Virginia, Colorado and beyond.
- HIPAA applies to health data; use HIPAA-aligned controls language, never a certification claim.
- Transfers to Kenya are governed by contract, with the Kenya DPA applying on the export side.
Frequently Asked Questions
Is there a US federal privacy law for outsourcing to Kenya?
No. The United States has no comprehensive federal privacy law. Privacy is regulated at the state level, with 19 states having passed comprehensive privacy laws, and by sector-specific rules such as HIPAA for health data. Cross-border transfers to Kenya are governed mainly by contract.
Which US states have comprehensive privacy laws?
Nineteen states have comprehensive privacy laws. Key examples include California’s CCPA and CPRA, Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA and Texas’s TDPSA. Which laws apply depends on where your consumers are and the thresholds each law sets.
How does HIPAA affect outsourcing health data to Kenya?
HIPAA applies to US protected health information. When a Kenya team handles such data, structure the arrangement so the provider operates under HIPAA-aligned controls and appropriate contractual terms. Pair this with the Kenya Data Protection Act on the export side.
How do I structure a compliant transfer to a Kenya team?
Govern the transfer by contract, reflecting the obligations of the applicable state laws and any sector rules such as HIPAA, expressed as HIPAA-aligned controls. The Kenya Data Protection Act governs the export side, so confirm the provider’s compliance and registration where thresholds apply, and set clear security and breach terms.
Sources & References
- IAPP, “US State Privacy Legislation Tracker,” accessed 2026-06-13. https://iapp.org/
- Office of the Data Protection Commissioner (Kenya), “Data Protection Act, 2019,” accessed 2026-06-13. https://www.odpc.go.ke/
- UK Information Commissioner’s Office, “International transfers,” accessed 2026-06-13. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
- KenInvest, “Why Invest in Kenya,” accessed 2026-06-13. https://www.investkenya.go.ke/
Published by Outsourcing.ke.
Further Reading
- Kenya Data Protection Act — the export-side law
- Compliance Overview — the wider framework
- Outsourcing RFP Guide — fold privacy terms into vendor selection
- Employer of Record Kenya — EOR services for US firms entering Kenya