Compliance requirements, such as the HIPAA, FERPA, CIPA, COPPA etc., are drafted keeping in mind the existing standards in security as well the safety of consumers and citizens. An organization that is required to be compliant will do well to align their policies to the existing compliance requirements, at the bare minimum. They can always go above and beyond it and ensure higher protection and security.
An organization needs to do this to be in compliance with the laws and to prevent lawsuits and fines.