{"id":380,"date":"2025-02-07T10:05:00","date_gmt":"2025-02-07T09:05:00","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=29039"},"modified":"2026-03-29T20:58:44","modified_gmt":"2026-03-29T18:58:44","slug":"us-data-privacy-laws-by-state","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/","title":{"rendered":"U.S. data privacy laws by state: rights and requirements"},"content":{"rendered":"\n<p>California passed the first U.S. state data privacy law in 2018 with the <a href=\"https:\/\/usercentrics.com\/ccpa\/\">California Consumer Privacy Act (CCPA)<\/a>, the same year the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/the-eu-general-data-protection-regulation\/\">General Data Protection Regulation (GDPR)<\/a> came into force. Progress beyond that state was slow for the next several years, with the <a href=\"https:\/\/usercentrics.com\/vcdpa\/\">Virginia Consumer Data Protection Act (VCDPA)<\/a> being the main state-level regulation passed.<\/p>\n\n\n\n<p>New momentum started in 2023, with six states passing laws. The European Union and United States also replaced the struck-down Privacy Shield with their new <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/eu-us-data-privacy-framework\/\">data privacy framework<\/a>: the EU-U.S. Data Privacy Framework.<\/p>\n\n\n\n<p>The momentum continued into 2024, with seven more U.S. state privacy laws being passed and federal legislation being made public for review. Eight state privacy laws are currently scheduled to come into effect in 2025, and three more in 2026. More state-level data privacy laws are expected to be passed, and some states are already enacting updates to their existing laws. Federal legislation has not made progress, which is expected to continue to be the case.<\/p>\n\n\n\n<p>We also expect to see more topical or industry-specific laws being proposed or passed in the U.S., like the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/washington-my-health-my-data-act-guide\/\">Washington My Health My Data Act<\/a>, and the <a href=\"https:\/\/leg.colorado.gov\/sites\/default\/files\/2024a_205_signed.pdf\">AI Act in Colorado<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-states-with-privacy-laws\">What are the states with privacy laws?<\/h2>\n\n\n\n<p>There is a long way to go before U.S. states with data privacy laws are the majority, or a federal law is passed that supplants them. However, momentum is growing, and states drafting legislation now have a substantial number of implemented regulations to draw from, as well as a wealth of evolving thought regarding data privacy, technology, and consumers\u2019 rights.<\/p>\n\n\n\n<p>To date, all the data privacy laws in the U.S. at a state level have implemented an opt-out consent model, so in most cases personal data can be collected and processed without consent, though individuals have the right to opt-out of sale, sharing, targeted advertising, and\/or profiling, depending on the specific regulation. California remains the only state to enable a private right of action, allowing consumers to directly sue companies for damages if they are involved in a data breach or other violation.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" height=\"550\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/07\/uc_blog_770x550_us_pricacy_laws_3.svg\" alt=\"Illustration of U.S. map highlighting the states that have data protection laws.\" class=\"wp-image-10486\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-which-modern-u-s-state-privacy-laws-are-considered-comprehensive\">Which modern U.S. state privacy laws are considered comprehensive?<\/h3>\n\n\n\n<p>Due to its somewhat more narrow focus and broader exclusions, the Florida Digital Bill of Rights (FDBR) is not considered among the comprehensive modern data privacy laws in the US. The same goes for the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260, though that law is older and predates even California\u2019s CCPA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-are-the-compliance-requirements-for-u-s-state-privacy-laws\">What are the compliance requirements for U.S. state privacy laws?<\/h3>\n\n\n\n<p>Compliance threshold standards vary across states, with thresholds like company revenue not being included in more recently passed laws. We are also seeing advancements in technology and social issues being reflected in the laws, e.g. with more explicit considerations for \u201cautomated decision-making\u201d (e.g. AI tools) and inclusion of information like gender identity under the category of sensitive data.<\/p>\n\n\n\n<p>While some of the U.S. states with privacy laws tout themselves as being more \u201cbusiness-friendly\u201d or more strict, they all remain fairly similar. It is important, however, to consult with qualified legal counsel or a data privacy expert to ensure that your business meets the requirements for all states where it\u2019s required to comply with regulations.<\/p>\n\n\n\n<p>Let\u2019s look at a comparison of the U.S. data privacy laws at the state level and what they mean for businesses and consumers.<\/p>\n\n\n<div >\n    \n<div class=\"uc-video-wrapper\">\n    <div class=\"uc-video\"\n         id=\"439c5ba4-6d44-49a0-b566-13cb287c596d\">\n                    <div class=\"uc-video__overlay\">\n                                    <div class=\"uc-video__overlay__bg\">\n                        <img decoding=\"async\" loading=\"lazy\" width=\"480\" height=\"360\" src=\"https:\/\/privacy-proxy-server.usercentrics.eu\/video\/youtube\/QbDggHGAkg8-poster-image\" alt=\"Video Preview\">                    <\/div>\n                                                <button type=\"button\"\n                        class=\"uc-video__overlay__play\"\n                        aria-label=\"Play\">\n                    <svg width=\"160\" height=\"161\" viewBox=\"0 0 160 161\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n    <path fill-rule=\"evenodd\" clip-rule=\"evenodd\" d=\"M13.3333 83.955C13.3333 47.1395 43.1844 17.2883 79.9999 17.2883C116.815 17.2883 146.667 47.1395 146.667 83.955C146.667 120.77 116.815 150.622 79.9999 150.622C43.1844 150.622 13.3333 120.77 13.3333 83.955ZM106.097 88.1974L68.8335 113.599C68.6292 113.736 68.3884 113.818 68.1375 113.836C67.8867 113.854 67.6355 113.806 67.4115 113.699C67.1876 113.591 66.9996 113.428 66.8682 113.227C66.7367 113.026 66.667 112.795 66.6666 112.559V61.7892C66.6658 61.553 66.7348 61.3212 66.8659 61.1195C66.9971 60.9179 67.1853 60.7541 67.4097 60.6465C67.634 60.5389 67.8859 60.4917 68.1372 60.5099C68.3885 60.5282 68.6295 60.6113 68.8335 60.7501L106.097 86.1352C106.273 86.2519 106.417 86.4064 106.516 86.5858C106.615 86.7652 106.667 86.9643 106.667 87.1663C106.667 87.3683 106.615 87.5674 106.516 87.7468C106.417 87.9262 106.273 88.0807 106.097 88.1974Z\" fill=\"white\"\/>\n<\/svg>\n                <\/button>\n            <\/div>\n                <div class=\"uc-video__wrapper\">\n            <div class=\"uc-video__container\">\n                <iframe loading=\"lazy\" title=\"US Legislation Trends 2024\/25: Transforming Businesses Through Privacy-Led Marketing Strategies\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/QbDggHGAkg8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>            <\/div>\n                    <\/div>\n        <script>\n            window.ucEmbedConfig = window.ucEmbedConfig || {};\n            window.ucEmbedConfig['439c5ba4-6d44-49a0-b566-13cb287c596d'] = '{\"animation\":false,\"overlay\":true}';\n        <\/script>\n    <\/div>\n<\/div>\n\n    <script type=\"application\/ld+json\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@type\":\"VideoObject\",\"name\":\"US Legislation Trends 2024\\\/25: Transforming Businesses Through Privacy-Led Marketing Strategies\",\"thumbnailUrl\":\"https:\\\/\\\/privacy-proxy-server.usercentrics.eu\\\/video\\\/youtube\\\/QbDggHGAkg8-poster-image\",\"uploadDate\":\"2025-02-07 10:05:00\",\"embedUrl\":\"https:\\\/\\\/www.youtube.com\\\/embed\\\/QbDggHGAkg8?feature=oembed\"}<\/script>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-effective-dates-of-the-u-s-state-privacy-laws\">What are the effective dates of the U.S. state privacy laws?<\/h2>\n\n\n\n<p>U.S. data privacy laws tend to draw on existing privacy regulations when they\u2019re drafted. When the CCPA was drafted, there were fewer models than when other U.S. state data privacy legislation was in progress. However, the EU&#8217;s GDPR was already in effect in 2018 when the CCPA was passed.<\/p>\n\n\n\n<p>Typically, there has been a lead time of a couple of years between when legislation is passed and a new law comes into effect, giving businesses and other organizations time to familiarize themselves with the law\u2019s contents and requirements. However, with laws passed in 2024, that period of time is getting shorter. The Nebraska Data Privacy Act (NDPA) comes into effect less than nine months after being signed into law by the governor, for example.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Name of Regulation<\/th><th>Effective Date<\/th><\/tr><tr><td>California*<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/california-consumer-privacy-act\/\">California Consumer Privacy Act (CCPA)<\/a>  <br><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/cpra-and-the-future-of-privacy-law\">California Consumer Rights Act (CPRA)<\/a><\/td><td>January 1, 2020 and January 1, 2023<\/td><\/tr><tr><td>Colorado<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/colorado-privacy-act\/\">Colorado Privacy Act (CPA)<\/a><\/td><td>July 1, 2023<\/td><\/tr><tr><td>Connecticut<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/connecticut-data-privacy-act-ctdpa\/\">Connecticut Data Privacy Act (CTDPA)<\/a><\/td><td>July 1, 2023<\/td><\/tr><tr><td>Delaware<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/delaware-digital-personal-data-protection-act-dpdpa\/\">Delaware Personal Data Privacy Act (DPDPA)<\/a><\/td><td>January 1, 2025<\/td><\/tr><tr><td>Florida<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/florida-digital-bill-of-rights-fdbr\/\">Florida Digital Bill of Rights (FDBR)<\/a><\/td><td>July 1, 2024<\/td><\/tr><tr><td>Indiana<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/indiana-consumer-data-protection-act-cdpa\/\">Indiana Consumer Protection Act (INCDPA)<\/a><\/td><td>July 1, 2026<\/td><\/tr><tr><td>Iowa<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/iowa-consumer-data-protection-act-icdpa\/\">Iowa Consumer Data Protection Act (ICDPA)<\/a><\/td><td>January 1, 2025<\/td><\/tr><tr><td>Kentucky<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/kentucky-consumer-data-protection-act-kcdpa\/\">Kentucky Consumer Data Protection Act (KCDPA)<\/a><\/td><td>January 1, 2026<\/td><\/tr><tr><td>Maryland<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/maryland-online-data-privacy-act-modpa\/\">Maryland Online Data Privacy Act (MODPA)<\/a><\/td><td>October 1, 2025<\/td><\/tr><tr><td>Minnesota<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/minnesota-consumer-data-privacy-act-mcdpa\/\">Minnesota Consumer Data Privacy Act (MCDPA)<\/a><\/td><td>July 31, 2025<\/td><\/tr><tr><td>Montana<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/montana-consumer-data-privacy-act-mtcdpa\/\">Montana Consumer Data Privacy Act (MTCDPA)<\/a><\/td><td>October 24, 2024<\/td><\/tr><tr><td>Nebraska<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/nebraska-data-privacy-act-ndpa\/\">Nebraska Data Privacy Act (NDPA)<\/a><\/td><td>January 1, 2025<\/td><\/tr><tr><td>Nevada<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/nevada-privacy-of-information-collected-on-the-internet-from-consumers-act-amendment-sb-260\/\">Nevada Privacy of Information Collected on the Internet from Consumers Act and Amendment SB-260 (NPICICA &amp; SB-260)<\/a><\/td><td>July 1, 2017, updated October 1, 2021<\/td><\/tr><tr><td>New Hampshire<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/new-hampshire-data-privacy-act-nhpa\/\">New Hampshire Privacy Act (NHPA)<\/a><\/td><td>January 1, 2025<\/td><\/tr><tr><td>New Jersey<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/new-jersey-data-privacy-act-njdpa\/\">New Jersey Data Privacy Act (NJDPA)<\/a><\/td><td>January 16, 2024<\/td><\/tr><tr><td>Oregon<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/oregon-consumer-privacy-act-ocpa\/\">Oregon Consumer Privacy Act (OCPA)<\/a><\/td><td>July 1, 2024<\/td><\/tr><tr><td>Rhode Island<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/rhode-island-data-transparency-and-privacy-protection-act-ridtppa\/\">Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA)<\/a><\/td><td>January 1, 2026<\/td><\/tr><tr><td>Tennessee<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/tennessee-information-protection-act-tips\/\">Tennessee Information Protection Act (TIPA)<\/a><\/td><td>July 1, 2025<\/td><\/tr><tr><td>Texas<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/texas-data-privacy-and-security-act\/\">Texas Data Privacy and Security Act (TDPSA)<\/a><\/td><td>July 1, 2024<\/td><\/tr><tr><td>Virginia<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/virginia-consumer-data-protection-act-vcdpa\/\">Virginia Consumer Data Protection Act (VCDPA)<\/a><\/td><td>January 1, 2023<\/td><\/tr><tr><td>Utah<\/td><td><a href=\"https:\/\/usercentrics.com\/knowledge-hub\/utah-consumer-privacy-act-ucpa\/\">Utah Consumer Privacy Act (UCPA)<\/a><\/td><td>December 31, 2023<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><small>*The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act (CCPA). In this article, they will be displayed as one regulation, and we will include the most up to date requirements, i.e. those introduced with the CPRA.<\/small><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-protected-in-u-s-states-with-data-privacy-laws\">Who is protected in U.S. states with data privacy laws?<\/h2>\n\n\n\n<p>Data privacy laws passed by the states are designed primarily to protect consumers, the data subjects from whom businesses and other organizations collect personal data. These days that data comes from an increasing number of sources as we live and work more and more online. Web browsers, mobile devices, connected appliances, and more all result in consumers generating vast amounts of data about their identities, preferences, and activities every day.<\/p>\n\n\n\n<p>The U.S. data privacy laws apply to residents of the state in question. This means that a company does not need to be headquartered in a state, or even have an office there, to be subject to the state\u2019s privacy law, if their users or customers include residents of that state. Many of the state-level laws explicitly protect people and their data in a personal or household context, excluding those acting in a commercial or employment context (which is covered by other laws).<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Protected Parties<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>Residents of California, acting in an individual or household context, with specific rights for people acting in an employment context<\/td><\/tr><tr><td>Colorado<\/td><td>Residents of Colorado, acting in an individual or household context<\/td><\/tr><tr><td>Connecticut<\/td><td>Residents of Connecticut, acting in an individual or household context<\/td><\/tr><tr><td>Delaware<\/td><td>Residents of Delaware, acting in an individual or household context<\/td><\/tr><tr><td>Florida<\/td><td>Residents of Florida, acting in an individual or household context<\/td><\/tr><tr><td>Indiana<\/td><td>Residents of Indiana, acting in an individual or household context<\/td><\/tr><tr><td>Iowa<\/td><td>Residents of Iowa, acting in an individual or household context<\/td><\/tr><tr><td>Kentucky<\/td><td>Residents of Kentucky, acting in an individual or household context<\/td><\/tr><tr><td>Maryland<\/td><td>Residents of Maryland, acting in an individual or household context<\/td><\/tr><tr><td>Minnesota<\/td><td>Residents of Minnesota, acting in an individual or household context<\/td><\/tr><tr><td>Montana<\/td><td>Residents of Montana, acting in an individual or household context<\/td><\/tr><tr><td>Nebraska<\/td><td>Residents of Nebraska, acting in an individual or household context<\/td><\/tr><tr><td>Nevada<\/td><td>Residents of Nevada in their online activities<\/td><\/tr><tr><td>New Hampshire<\/td><td>Residents of New Hampshire, acting in an individual or household context<\/td><\/tr><tr><td>New Jersey<\/td><td>Residents of New Jersey, acting in an individual or household context<\/td><\/tr><tr><td>Oregon<\/td><td>Residents of Oregon, acting in an individual or household context<\/td><\/tr><tr><td>Rhode Island<\/td><td>Residents of Rhode Island, acting in an individual or household context<\/td><\/tr><tr><td>Tennessee<\/td><td>Residents of Tennessee, acting in an individual or household context<\/td><\/tr><tr><td>Texas<\/td><td>Residents of Texas, acting in an individual or household context<\/td><\/tr><tr><td>Virginia<\/td><td>Residents of Virginia, acting in an individual or household context<\/td><\/tr><tr><td>Utah<\/td><td>Residents of Utah, acting in an individual or household context<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-has-to-comply-with-state-level-u-s-data-privacy-laws\">Who has to comply with state-level U.S. data privacy laws?<\/h2>\n\n\n\n<p>State privacy laws are primarily aimed at businesses, i.e. commercial enterprises intended to earn revenue. Those that obtain revenue from selling personal data are particularly responsible to comply. While the number of people whose data is sold is a common criterion, a company revenue threshold is only in use for some laws, and is increasingly being left out of states\u2019 legislation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-who-is-exempt-from-complying-with-state-level-u-s-data-privacy-laws\">Who is exempt from complying with state-level U.S. data privacy laws?<\/h3>\n\n\n\n<p>Some of the laws also explicitly exempt small businesses. All of the laws have other exemptions, mainly for personal data covered under other laws, like that collected and processed by healthcare and financial institutions. Nonprofits and institutions of higher education are also often exempt (though not in all states), so as always, requirements of specific laws should be checked with input from qualified legal counsel.<\/p>\n\n\n\n<p>All the thresholds listed below, except where noted, are for a calendar year or the preceding calendar year.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Compliance Thresholds<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>have gross annual revenue greater than USD 26,625,000 in the preceding calendar year, <b>or<\/b><\/li>\n \t<li>alone or in combination, annually buy, sell or share the personal data of 100,000 or more consumers or households, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">o<\/b><span style=\"font-size: inherit; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\"><strong>r<\/strong><\/span><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">derive 50% or more of annual revenue from selling or sharing consumers\u2019 personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>process personal data of at least 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">derive at least 50% of gross revenue from selling personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>process personal data of at least 25,000 consumers<b style=\"font-size: revert; color: var(--tb-primary);\">, and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">receive a discount on goods or services from selling personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 35,000 Delaware residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, <b>or<\/b><\/li>\n \t<li>control or process personal data of at least 10,000 Delaware residents, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">derive more than 20 percent of gross revenue from the sale of personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>are organized or operated for the profit or financial benefit of its shareholders or owners<\/li>\n \t<li>conduct business in the state of Florida<\/li>\n \t<li>collect personal data about consumers, or is the entity on behalf of which such information is collected<\/li>\n \t<li>determines the purposes and means of processing personal data about consumers alone or jointly with others<\/li>\n \t<li>makes in excess of USD 1 billion on global gross annual revenue<\/li>\n<\/ul>\n<strong>and satisfies at least one of the following:<\/strong>\n<ul>\n \t<li>derive 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online<\/li>\n \t<li>operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation<\/li>\n \t<li>operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 100,000 Indiana residents<\/li>\n \t<li>control or process personal data of at least 25,000 Indiana residents<\/li>\n<\/ul>\n<b>and<\/b>\n<ul>\n \t<li>derive over 50 percent of gross revenue from the sale of personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>control or process personal data of more than 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive over 50 percent of gross revenue from the sale of personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 100,000 consumers , <b>or<\/b><\/li>\n \t<li>control or process personal data of at least 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li>derive over 50 percent of gross revenue from the sale of personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction, <b>or<\/b><\/li>\n \t<li>control or process the personal data of at least 10,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive more than 20 percent of their gross revenue from the sale of personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>control or process personal data of at least 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive over 50 percent of gross revenue from the sale of personal data<\/span><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>control or process the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction, <b>or<\/b><\/li>\n \t<li>control or process the personal data of at least 10,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive more than 20 percent of their gross revenue from the sale of personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>process or engage in the sale of personal data<\/li>\n \t<li>not a small business as defined under the U.S. Small Business Act, unless they are engaged in the sale of sensitive data without consumer consent<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>own or operate a website or an online service for business purposes, <b>and<\/b><\/li>\n \t<li>collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service, <strong>a<\/strong><b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">nd<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents<\/span><b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">, and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">have more than 20,000 visitors per year<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>control or process personal data of 100,000 or more consumers, excluding data for the purpose of completing payment transactions, <b>or<\/b><\/li>\n \t<li>control or process personal data of 25,000 or more consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive 25 percent or more of the gross revenue from selling personal dat<\/span><span style=\"font-size: inherit; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">a<\/span><\/li>\n<\/ul>\n<span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">*The first state that does not limit the amount of data to a specific time period, e.g. \u201cpreceding calendar year\u201d<\/span><\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, <b>or<\/b><\/li>\n \t<li>control or process the personal data of at least 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive revenue or receive a discount on the price of any goods or services from the sale of personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>control or process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>control or process personal data of at least 25,000 or more consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive 25 percent or more of the annual gross revenue from selling personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>control or process the personal information of at least 10,000 Rhode Island consumers, <b>and<\/b><\/li>\n \t<li>derive more than 20 percent of their gross revenue from the sale of personal information<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>exceed USD 25 million in revenue, <b>and<\/b><\/li>\n \t<li>control or process the personal information of at least 25,000 Tennessee consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">erive more than 50 percent of their gross revenue from the sale of personal information<\/span>, <strong>o<\/strong><b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">r<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">control or process the personal information of at least 175,000 Tennessee residents during a calendar year<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>conduct business in Texas or generating products or services consumed by Texas residents,<strong> a<\/strong><b>nd<\/b><\/li>\n \t<li>process or engage in the sale of personal data, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">not identify as a small business as defined by the U.S. Small Business Administration (independent for-profit entity with fewer than 500 employees)<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>process personal data of at least 100,000 consumers, <b>or<\/b><\/li>\n \t<li>process personal data of at least 25,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive at least 50 percent of gross annual revenue from selling personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>gross annual revenue of at least US 25 million, <b>and<\/b><\/li>\n \t<li>process personal data of at least 100,000 consumers, <b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">or <\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">process personal data of at least 25,000 consumers<\/span><b style=\"font-size: revert; background-color: transparent; color: var(--tb-primary);\">, and<\/b><\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">derive at least 50 percent of gross revenue from selling personal data<\/span><\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-the-enforcement-authority-in-u-s-states-with-data-privacy-laws\">Who is the enforcement authority in U.S. states with data privacy laws?<\/h2>\n\n\n\n<p>Each state manages enforcement of the data privacy law, including investigations and penalties. The creation of the California Privacy Protection Agency was included in the CPRA, but to date it is the only state with a separate agency to enforce privacy law. All the other states have these functions under the Attorney General\u2019s office.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" height=\"650\" width=\"770\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2024\/07\/uc_blog_770x650_priv_laws_compare.svg\" alt=\"Table presenting the states and the enforcement authority\" class=\"wp-image-10485\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-penalties-for-violation-or-noncompliance-with-the-u-s-state-privacy-laws\">What are the penalties for violation or noncompliance with the U.S. state privacy laws?<\/h2>\n\n\n\n<p>Most penalties are monetary, though some can include cessation of data processing. Some of the privacy laws specify fine amounts, and others defer to laws governing deceptive trade practices, or to the Attorney General\u2019s discretion. Outside of official channels, companies can also suffer loss of brand reputation, customer trust, and, ultimately revenue as the result of a publicized violation or data breach.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-do-the-u-s-state-privacy-laws-provide-a-cure-period-for-violations\">Do the U.S. state privacy laws provide a cure period for violations?<\/h3>\n\n\n\n<p>Many of the U.S. states with privacy laws provide companies with a \u201cright to cure\u201d, which is a specific number of days during which they have the opportunity to fix any violation they\u2019ve been notified about without being penalized for it. If they don\u2019t cure the violation, proceedings to levy fines and\/or other penalties can then commence.<\/p>\n\n\n\n<p>Some laws have put a time limit of one to two years on the cure period, specifying a sunset date. After that time, companies will not have a right to cure, but can be granted a cure period at the Attorney General\u2019s discretion. In some cases, like with repeat or willful (known) violations, there is no cure period.<\/p>\n\n\n\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained\">\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Fines, Penalties, and Cure Periods<\/th><\/tr><tr><td>California (CCPA\/SPRA)<\/td><td>\n<ul>\n \t<li>up to USD 2,663 for each violation (e.g. negligence) or USD 7,988 for willful violations<\/li>\n \t<li>fines for violations involving minors increased to USD 7,988 from USD 2,663<\/li>\n \t<li>provides consumers with private right of action only when their unencrypted or unredacted personal information is breached<\/li>\n \t<li>no cure period<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>fines not specified under the CPA, penalties governed by the Colorado Consumer Protection Act<\/li>\n \t<li>from USD 2,000 to USD 20,000 per violation, or between USD 10,000 to USD 50,000 per violation against an elderly person<\/li>\n \t<li>violations can lead to criminal charges<\/li>\n \t<li>cure period has sunset<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>fines not specified under the CTDPA, penalties governed by the Connecticut Unfair Trade Practices Act (CUTPA)<\/li>\n \t<li>USD 5,000 for willful violations<\/li>\n \t<li>restraining orders, which can lead to cessation of data collection (violation of a restraining order could result in an additional USD 25,000 penalty)<\/li>\n \t<li>cure period has sunset<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>fines not specified under the DPDPA, but the regulation references Subchapter II of Chapter 25 of Title 29, which provides the Attorney General standing to investigate, initiate administrative proceedings, sanction unlawful conduct, and\/or seek remedies on behalf of the state for violations<\/li>\n \t<li>willful violations can result in fines up to USD 10,000 per violation<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>fines not specified under the FDBR, as violations are considered deceptive trade practices- fines up to USD 50,000 per violation<\/li>\n \t<li>penalties can be tripled if:\n<ul>\n \t<li>the violation is against a known child<\/li>\n \t<li>controller fails to delete personal data after receiving an authenticated consumer request (or a processor receives instructions to do so from a controller)<\/li>\n \t<li>controller continues to sell or share a consumer\u2019s personal data after the consumer has opted out<\/li>\n<\/ul>\n<\/li>\n \t<li>45-day cure period at the discretion of the Attorney General (no sunset date), unless the violation involves a known child, in which case there is no cure period<\/li>\n \t<li>includes prohibition that no government entity can request that a social media platform remove content or user accounts unless the content or account is used to commit a crime or otherwise violates Florida public records law<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation (paid into the fund for consumer education and litigation)<\/li>\n \t<li>90-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>fines up to USD 10,000 per violation, fines for repeat violations up to USD 25,000 for each subsequent violation<\/li>\n \t<li>60-day cure period (sunsets April 1, 2027)<\/li>\n \t<li>individuals do not have private right of action, but MODPA specifically notes that they are not prohibited from pursuing any other remedy provided by law<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (sunsets July 31, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>fines not specified under the MTCDPA, but notes that the Attorney General can \u201cbring an action\u201d<\/li>\n \t<li>60-day cure period (sunsets April 1, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>violations are considered deceptive trade practices, so NRS 598A applies<\/li>\n \t<li>fines up to USD 5,000 per violation (which can mean per website visitor)<\/li>\n \t<li>a data collector can pursue damages against a person or entity that has unlawfully obtained or benefitted from personal data obtained from the data collector\u2019s records, which may include:\n<ul>\n \t<li>reasonable costs of notification<\/li>\n \t<li>reasonable attorneys&#8217; fees<\/li>\n \t<li>costs and punitive damages where appropriate<\/li>\n<\/ul>\n<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n \t<li>the Attorney General or any county\u2019s district attorney can bring action against a suspected violator, enabling them to obtain a temporary or permanent injunction against the violating activity, including cessation of data collection<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>fines not specified under the NHPA, as violations are considered deceptive trade practices, but the regulation references Section 358-A:2<\/li>\n \t<li>Attorney General can seek civil penalties up to USD 10,000 per violation<\/li>\n \t<li>60-day cure period (sunsets January 1, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>fines up to USD 10,000 for an initial violation and up to USD 20,000 for subsequent violations<\/li>\n \t<li>30-day cure period (sunsets July 16, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (sunsets January 1, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>fines up to USD 10,000 per violation<\/li>\n \t<li>30-day cure period (sunsets January 31, 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>fines up to USD 15,000 per violation<\/li>\n \t<li>fines can be up to three times higher for willful violations<\/li>\n \t<li>60-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>fines up to USD 7,500 per violation<\/li>\n \t<li>30-day cure period (no sunset date)<\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-are-consent-and-global-privacy-control-managed-under-the-u-s-data-privacy-laws\">How are consent and Global Privacy Control managed under the U.S. data privacy laws?<\/h2>\n\n\n\n<p>Opt in consent means that in most cases a business or other organization must obtain informed, valid consent from users and customers (data subjects) before collecting or processing their personal data. Opt out consent means that in most cases a business can collect and use data subjects\u2019 personal data without requiring consent.<\/p>\n\n\n\n<p>Under state privacy laws, data subjects must have the option to opt out of sale, sharing, targeted advertising, profiling, automated decision-making, or other use of their personal data, depending on the specific data privacy law. Under most of the U.S. privacy laws, prior consent is required if the data to be processed is categorized as sensitive or belongs to a known child. Most of the laws defer to the <a href=\"\/knowledge-hub\/childrens-online-privacy-protection-act-coppa\/\">Children\u2019s Online Protection Act (COPPA)<\/a> regarding access to and use of children\u2019s personal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-are-the-notification-requirements-under-u-s-data-privacy-laws\">What are the notification requirements under U.S. data privacy laws?<\/h3>\n\n\n\n<p>All of the American privacy laws require that data subjects be notified under all circumstances about what data is collected, for what purposes, who it\u2019s shared with, etc. The United States is the main country utilizing an opt-out consent model. In much of the rest of the world, the opt-in model is the standard.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-are-companies-required-to-recognize-the-global-privacy-control-under-u-s-state-privacy-laws\">Are companies required to recognize the Global Privacy Control under U.S. state privacy laws?<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-global-privacy-control\/\">Global Privacy Control (GPC)<\/a> or universal opt-out mechanism, enables individuals to set their consent preferences once in their web browser, and having those preferences respected automatically by all websites they subsequently visit. Some of the state-level data privacy laws stipulate this signal must be respected, and others do not reference it at all. Some states have provided a grace period of a year or so before GPC signals must be respected.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Consent Model<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>\u201cDo Not Sell Or Share My Personal Information\u201d link required on websites<\/li>\n \t<li>If sensitive personal information is processed, \u201cLimit the Use of My Sensitive Personal Information\u201d link required on websites<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>if a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a \u201cclear and conspicuous link\u201d on their website that enables consumers to opt out of either of those activities (explicit wording for the link is not specified)<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>controllers must provide \u201ca clear and conspicuous link on the controller\u2019s Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer\u2019s personal data\u201d<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n \t<li>definition of a child is anyone under the age of 18 (under 13 is the standard under most of the state-level privacy laws)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n \t<li>sale of sensitive data or children\u2019s data is banned without exception<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>opt out<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>opt out in most cases<\/li>\n \t<li>prior consent required for sensitive or children\u2019s personal data<\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-privacy-notice-policy-requirements-of-the-u-s-state-privacy-laws\">What are the privacy notice\/policy requirements of the U.S. state privacy laws?<\/h2>\n\n\n\n<p>While in many cases the data privacy laws in the U.S. do not require consent before data collection or use, all of them require users to be notified with information about what data is collected, for what purposes, what parties it gets shared with, what consumers\u2019 rights are and how to exercise them, etc. This is most commonly presented in a privacy notice or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/what-is-a-privacy-policy-and-why-do-you-need-one\/\">privacy policy<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Privacy Notice\/Policy Requirements<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>a business that controls the collection of a consumer\u2019s personal information must, before or at the point of collection, inform consumers about:categories of personal information to be collected<\/li>\n \t<li>purposes for which the categories of personal information are collected or used and whether that information is sold or shared<\/li>\n \t<li>categories of sensitive personal information to be collected, if any<\/li>\n \t<li>purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared, if any<\/li>\n \t<li>the length of time the business intends to retain each category of personal information, including sensitive personal information, if possible<\/li>\n \t<li>if providing the data retention period is not possible, the criteria used to determine that period, provided that a business does not retain a consumer\u2019s personal information for each disclosed purpose for longer than is reasonably necessary<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including contact information and how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must include all of the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller, including to submit a request<\/li>\n<\/ul>\n<\/li>\n \t<li>if the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>data controller must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose(s) of processing personal data<\/li>\n \t<li>how customers may exercise their rights<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>description of the methods by which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if the controller engages in the sale of personal data that is biometric data, the controller must provide the following notice \u201cNOTICE: This website may sell your biometric personal data\u201c<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n<\/ul>\n<\/li>\n \t<li>if a controller sells a personal data to third parties or uses it for targeted advertising, the controller shall clearly disclose such activity in the privacy notice, as well as how a consumer may exercise the right to opt out of such sales or use<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>data processors must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>description of secure and reliable means for consumers to submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising or profiling, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>description of the controller\u2019s retention policies for personal data<\/li>\n \t<li>the date that the privacy notice was last updated<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>methods through which a consumer may submit a request to exercise a consumer right<\/li>\n \t<li>if a controller sells personal data to any third party or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>data processors need to provide an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller or processor<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if the controller sells personal data<\/li>\n \t<li>third parties that collect information about consumers throughout different websites (via use of third-party cookies)<\/li>\n \t<li>how consumers may exercise their consumer rights, including contact information for how consumers may request their personal data not be sold<\/li>\n \t<li>effective date of the privacy policy and a description of the process by which controllers will let consumers know of any changes to their privacy policy<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>an operator that collects the personally identifiable information of a consumer through a commercial Internet website or an online service shall provide on its commercial Internet website or online service, notification to a consumer that shall include, but not be limited to:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>whether a third party may collect personally identifiable information about a consumer\u2019s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator (use of third-party cookies, or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/tracking-cookies-and-the-gdpr\/\">tracking cookies<\/a>)<\/li>\n \t<li>a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer\u2019s personally identifiable information that is collected<\/li>\n \t<li>the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available, along with the effective date of the notice<\/li>\n \t<li>information concerning one or more designated request addresses of the operator<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible, clear, and meaningful privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise their rights, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors<\/li>\n \t<li>identifies the controller, including any business name under which the controller<\/li>\n \t<li>registered with the Secretary of State and any assumed business name that the controller uses in the state<\/li>\n \t<li>a clear and conspicuous description of any processing of personal data in<\/li>\n \t<li>which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer and a procedure by which the consumer may opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>third parties to whom the controller has sold or may sell customers\u2019 personally identifiable information<\/li>\n \t<li>when the controller may disclose personal information<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal information processed<\/li>\n \t<li>purpose(s) for processing personal information<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal information that the controller sells to third parties, if any<\/li>\n \t<li>categories of third parties, to whom the controller sells personal information, if any<\/li>\n \t<li>if a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing<\/li>\n<\/ul>\n<\/li>\n \t<li>at least one of the following methods for consumers to submit a request to exercise consumer rights: toll-free telephone number, email address, web form<\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">a clear and conspicuous link on the controller&#8217;s main internet homepage to an internet webpage that enables a consumer to exercise their rights<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>a controller must provide consumers with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed, including any sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including the process by which a consumer may appeal a controller\u2019s decision with regard to the consumer\u2019s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>a description of the methods through which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller engages in the sale of sensitive personal data, they must include the following notice: &#8220;NOTICE: We may sell your sensitive personal data&#8221; posted in the same location and in the same manner as the privacy notice<\/li>\n \t<li>if a controller engages in the sale of biometric personal data, they must include the following notice: &#8220;NOTICE: We may sell your biometric personal data&#8221;, posted in the same location and in the same manner as the privacy notice<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed purpose(s) for processing personal data how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\"> categories of personal data that the controller shares with third parties, if any<\/span><span style=\"font-size: inherit; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\"> categories of third parties, with whom the controller shares personal data, if any if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing one or more secure and reliable means for consumers to submit a request to exercise their consumer rights<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible and clear privacy notice, which must contain at least the following information:\n<ul>\n \t<li><span style=\"font-size: inherit; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">categories of personal data processedpurpose(s) for processing personal data<\/span>categories of personal data processedpurpose(s) for processing personal datahow consumers can exercise their consumer rightscategories of personal data that the controller shares with third parties, if any<span style=\"font-size: inherit; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">categories of third parties with whom the controller shares personal data, if any<\/span><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">if a controller sells a consumer&#8217;s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer&#8217;s personal data or processing for targeted advertising<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Privacy Notice\/Policy Requirements<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>a business that controls the collection of a consumer\u2019s personal information must, before or at the point of collection, inform consumers about:\n<ul>\n \t<li>categories of personal information to be collected purposes for which the categories of personal information are collected or used and whether that information is sold or shared categories of sensitive personal information to be collected, if any purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared, if any the length of time the business intends to retain each category of personal information, including sensitive personal information, if possible if providing the data retention period is not possible, the criteria used to determine that period, provided that a business does not retain a consumer\u2019s personal information for each disclosed purpose for longer than is reasonably necessary<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including contact information and how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must include all of the following information:\n<ul>\n \t<li>categories of personal data processedpurpose(s) for processing personal datahow consumers may exercise their consumer rights, including how a consumer may appeal a controller\u2019s decision with regard to the consumer\u2019s requestcategories of personal data that the controller shares with third parties, if anycategories of third parties with which the controller shares personal data, if anyan active electronic mail address or other online mechanism that the consumer may use to contact the controller, including to submit a requestif the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing<span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">if the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>data controller must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose(s) of processing personal data<\/li>\n \t<li>how customers may exercise their rights<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>description of the methods by which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if the controller engages in the sale of personal data that is biometric data, the controller must provide the following notice \u201cNOTICE: This website may sell your biometric personal data\u201c<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>if a controller sells a personal data to third parties or uses it for targeted advertising, the controller shall clearly disclose such activity in the privacy notice, as well as how a consumer may exercise the right to opt out of such sales or use<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>data processors must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>description of secure and reliable means for consumers to submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising or profiling, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>description of the controller\u2019s retention policies for personal data<\/li>\n \t<li>the data the privacy notice was last updated<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>methods through which a consumer may submit a request to exercise a consumer right<\/li>\n \t<li>if a controller sells personal data to any third party or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>data processors need to provide an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller or processor<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if the controller sells personal data<\/li>\n \t<li>third parties that collect information about consumers throughout different websites (via use of third-party cookies)<\/li>\n \t<li>how consumers may exercise their consumer rights, including contact information for how consumers may request their personal data not be sold<\/li>\n \t<li>effective date of the privacy policy and a description of the process by which controllers will let consumers know of any changes to their privacy policy<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>an operator that collects the personally identifiable information of a consumer through a commercial Internet website or an online service shall provide on its commercial Internet website or online service, notification to a consumer that shall include, but not be limited to:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>whether a third party may collect personally identifiable information about a consumer\u2019s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator (use of third-party cookies, or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/tracking-cookies-and-the-gdpr\/\">tracking cookies<\/a>)<\/li>\n \t<li>a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer\u2019s personally identifiable information that is collected<\/li>\n \t<li>the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available, along with the effective date of the notice<\/li>\n \t<li>information concerning one or more designated request addresses of the operator<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible, clear, and meaningful privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise their rights, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors<\/li>\n \t<li>identifies the controller, including any business name under which the controller<\/li>\n \t<li>registered with the Secretary of State and any assumed business name that the controller uses in the state<\/li>\n \t<li>a clear and conspicuous description of any processing of personal data in<\/li>\n \t<li>which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer and a procedure by which the consumer may opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>third parties to whom the controller has sold or may sell customers\u2019 personally identifiable information<\/li>\n \t<li>when the controller may disclose personal information<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal information processed<\/li>\n \t<li>purpose(s) for processing personal information<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal information that the controller sells to third parties, if any<\/li>\n \t<li>categories of third parties, to whom the controller sells personal information, if any<\/li>\n \t<li>if a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing<\/li>\n<\/ul>\n<\/li>\n \t<li>at least one of the following methods for consumers to submit a request to exercise consumer rights: toll-free telephone number, email address, web form<\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">a clear and conspicuous link on the controller&#8217;s main internet homepage to an internet webpage that enables a consumer to exercise their rights<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>a controller must provide consumers with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed, including any sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including the process by which a consumer may appeal a controller\u2019s decision with regard to the consumer\u2019s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>a description of the methods through which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller engages in the sale of sensitive personal data, they must include the following notice: &#8220;NOTICE: We may sell your sensitive personal data&#8221; posted in the same location and in the same manner as the privacy notice<\/li>\n \t<li>if a controller engages in the sale of biometric personal data, they must include the following notice: &#8220;NOTICE: We may sell your biometric personal data&#8221;, posted in the same location and in the same manner as the privacy notice<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processedpurpose(s) for processing personal data<span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s requestcategories of personal data that the controller shares with third parties, if any<\/span><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">categories of third parties, with whom the controller shares personal data, if any<\/span><span style=\"font-size: revert; font-weight: inherit; background-color: transparent; color: var(--tb-primary);\">if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processingone or more secure and reliable means for consumers to submit a request to exercise their consumer rights<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible and clear privacy notice, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed- purpose(s) for processing personal datahow consumers can exercise their consumer rightscategories of personal data that the controller shares with third parties, if anycategories of third parties with whom the controller shares personal data, if anyif a controller sells a consumer&#8217;s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer&#8217;s personal data or processing for targeted advertising<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Privacy Notice\/Policy Requirements<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>a business that controls the collection of a consumer\u2019s personal information must, before or at the point of collection, inform consumers about:\n<ul>\n \t<li>categories of personal information to be collectedpurposes for which the categories of personal information are collected or used and whether that information is sold or sharedcategories of sensitive personal information to be collected, if anypurposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared, if anythe length of time the business intends to retain each category of personal information, including sensitive personal information, if possibleif providing the data retention period is not possible, the criteria used to determine that period, provided that a business does not retain a consumer\u2019s personal information for each disclosed purpose for longer than is reasonably necessary<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>controllers must include an accessible, clear, and meaningful privacy notice, which must include the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purposes for processing personal data<\/li>\n \t<li>how consumers can exercise their consumer rights, including contact information and how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must include all of the following information:\n<ul>\n \t<li>categories of personal data processedpurpose(s) for processing personal datahow consumers may exercise their consumer rights, including how a consumer may appeal a controller\u2019s decision with regard to the consumer\u2019s requestcategories of personal data that the controller shares with third parties, if anycategories of third parties with which the controller shares personal data, if anyan active electronic mail address or other online mechanism that the consumer may use to contact the controller, including to submit a requestif the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processingif the controller sells personal data to third parties or processes personal data for targeted advertising, they must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>data controller must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose(s) of processing personal data<\/li>\n \t<li>how customers may exercise their rights<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>description of the methods by which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if the controller engages in the sale of personal data that is biometric data, the controller must provide the following notice \u201cNOTICE: This website may sell your biometric personal data\u201c<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>a controller must include an accessible, clear, and meaningful privacy notice, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>if a controller sells a personal data to third parties or uses it for targeted advertising, the controller shall clearly disclose such activity in the privacy notice, as well as how a consumer may exercise the right to opt out of such sales or use\n&#8211; a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>data processors must include an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller<\/li>\n \t<li>purpose for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>description of secure and reliable means for consumers to submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n \t<li>a secure and reliable means for consumers to submit a request to exercise their rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells consumer\u2019s personal data or engages in targeted advertising or profiling, then the controller needs to clearly and conspicuously disclose such activity and the manner in which a consumer may exercise the right to opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>description of the controller\u2019s retention policies for personal data<\/li>\n \t<li>the data the privacy notice was last updated<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with which the controller shares personal data, if any<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision regarding the consumer&#8217;s request<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>methods through which a consumer may submit a request to exercise a consumer right<\/li>\n \t<li>if a controller sells personal data to any third party or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>data processors need to provide an accessible and simple to read privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller or processor<\/li>\n \t<li>categories of third parties, if any, with whom the controller shares personal data<\/li>\n \t<li>if the controller sells personal data<\/li>\n \t<li>third parties that collect information about consumers throughout different websites (via use of third-party cookies)<\/li>\n \t<li>how consumers may exercise their consumer rights, including contact information for how consumers may request their personal data not be sold<\/li>\n \t<li>effective date of the privacy policy and a description of the process by which controllers will let consumers know of any changes to their privacy policy<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>a controller shall provide each consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise a consumer right, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an active electronic mail address or other online mechanism that the consumer may use to contact the controller<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>an operator that collects the personally identifiable information of a consumer through a commercial Internet website or an online service shall provide on its commercial Internet website or online service, notification to a consumer that shall include, but not be limited to:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>whether a third party may collect personally identifiable information about a consumer\u2019s online activities over time and across different commercial Internet websites or online services when the consumer uses the Internet website or online service of the operator (use of third-party cookies, or <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/tracking-cookies-and-the-gdpr\/\">tracking cookies<\/a>)<\/li>\n \t<li>a description of the process for an individual consumer who uses or visits the commercial Internet website or online service to review and request changes to any of the consumer\u2019s personally identifiable information that is collected<\/li>\n \t<li>the process by which the operator notifies consumers who use or visit the commercial Internet website or online service of material changes to the notification required to be made available, along with the effective date of the notice<\/li>\n \t<li>information concerning one or more designated request addresses of the operator<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible, clear, and meaningful privacy notice on their website, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processed by the controller, including sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how a consumer may exercise their rights, including the process by which a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, including sensitive data, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors<\/li>\n \t<li>identifies the controller, including any business name under which the controller<\/li>\n \t<li>registered with the Secretary of State and any assumed business name that the controller uses in the state<\/li>\n \t<li>a clear and conspicuous description of any processing of personal data in<\/li>\n \t<li>which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer and a procedure by which the consumer may opt out<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processed<\/li>\n \t<li>third parties to whom the controller has sold or may sell customers\u2019 personally identifiable information<\/li>\n \t<li>when the controller may disclose personal information<\/li>\n \t<li>an active email address or other mechanism that the consumer may use to contact the controller<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal information processed<\/li>\n \t<li>purpose(s) for processing personal information<\/li>\n \t<li>how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s request<\/li>\n \t<li>categories of personal information that the controller sells to third parties, if any<\/li>\n \t<li>categories of third parties, to whom the controller sells personal information, if any<\/li>\n \t<li>if a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing<\/li>\n<\/ul>\n<\/li>\n \t<li>at least one of the following methods for consumers to submit a request to exercise consumer rights: toll-free telephone number, email address, web form<\/li>\n \t<li><span style=\"font-size: revert; font-weight: inherit; color: var(--tb-primary);\">a clear and conspicuous link on the controller&#8217;s main internet homepage to an internet webpage that enables a consumer to exercise their rights<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>a controller must provide consumers with a reasonably accessible and clear privacy notice that includes:\n<ul>\n \t<li style=\"list-style-type: none;\">\n<ul>\n \t<li>categories of personal data processed, including any sensitive data<\/li>\n \t<li>purpose(s) for processing personal data<\/li>\n \t<li>how consumers may exercise their consumer rights, including the process by which a consumer may appeal a controller\u2019s decision with regard to the consumer\u2019s request<\/li>\n \t<li>categories of personal data that the controller shares with third parties, if any<\/li>\n \t<li>categories of third parties with whom the controller shares personal data, if any<\/li>\n \t<li>a description of the methods through which consumers can submit requests to exercise their consumer rights<\/li>\n \t<li>if a controller engages in the sale of sensitive personal data, they must include the following notice: &#8220;NOTICE: We may sell your sensitive personal data&#8221; posted in the same location and in the same manner as the privacy notice<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n \t<li>if a controller engages in the sale of biometric personal data, they must include the following notice: &#8220;NOTICE: We may sell your biometric personal data&#8221;, posted in the same location and in the same manner as the privacy notice<\/li>\n \t<li>if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:\n<ul>\n \t<li>categories of personal data processedpurpose(s) for processing personal data how consumers may exercise their consumer rights, including how a consumer may appeal a controller&#8217;s decision with regard to the consumer&#8217;s requestcategories of personal data that the controller shares with third parties, if anycategories of third parties, with whom the controller shares personal data, if anyif a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processingone or more secure and reliable means for consumers to submit a request to exercise their consumer rights<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>a controller must provide an accessible and clear privacy notice, which must contain at least the following information:\n<ul>\n \t<li>categories of personal data processedpurpose(s) for processing personal data how consumers can exercise their consumer rightscategories of personal data that the controller shares with third parties, if anycategories of third parties with whom the controller shares personal data, if anyif a controller sells a consumer&#8217;s personal data to one or more third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out of the sale of the consumer&#8217;s personal data or processing for targeted advertising<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-is-personal-data-defined-under-u-s-state-privacy-laws\">How is personal data defined under U.S. state privacy laws?<\/h2>\n\n\n\n<p>Information that is considered personal data or personal information is generally required to be able to identify a person, by itself or in combination with other data points (e.g. name, address, credit card number, IP address). There are differences between what is categorized as personal data and <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/personally-identifiable-information-vs-personal-data\/\">personally identifiable information<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-is-sensitive-personal-information-defined-and-handled-under-u-s-data-privacy-laws\">How is sensitive personal information defined and handled under U.S. data privacy laws?<\/h3>\n\n\n\n<p>Many U.S. data privacy laws also have explicit consideration for \u201csensitive personal data\u201d, which can include information belonging to children, about racial or ethnic origin, medical or genetic data, sexual orientation, etc. Generally, this category includes information that could particularly be used to cause discrimination or harm if misused.<\/p>\n\n\n\n<p>Typically, sensitive personal information (and children\u2019s information) require consent before it can be collected or processed, and additional security measures. Specific U.S. data privacy laws should be checked for their definitions and requirements for sensitive personal data. Data that is publicly available, like government records, is not typically considered personal data.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Definition of Personal Data\/Information<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\u201c&#8230;information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\u201d (Examples in <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/codes_displaySection.xhtml?lawCode=CIV&amp;sectionNum=1798.140.\">Section 1798.140<\/a> CCPA)<\/td><\/tr><tr><td>Colorado<\/td><td>\u201c&#8230;information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Connecticut<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Delaware<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Florida<\/td><td><b>Personal data:<\/b> \u201c&#8230;information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.\u201d<b>Personal information:<\/b> \u201c&#8230;any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>Indiana<\/td><td>\u201c\u2026information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include:(1) de-identified data(2) aggregate data\n<p>(3) publicly available information\u201d<\/p>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable natural person\u2026 does not include de-identified or aggregate data or publicly available information.\u201d<\/td><\/tr><tr><td>Kentucky<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable natural person&#8230; does not include de-identified data or publicly available information,\u201d<\/td><\/tr><tr><td>Maryland<\/td><td>\u201c&#8230;any information that is linked or can be reasonably linked to an identified or identifiable consumer\u2026 does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Minnesota<\/td><td>\u201c&#8230; any information that is linked or reasonably linkable to an identified or identifiable natural person\u2026 does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>Montana<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>Nebraska<\/td><td>\u201cany information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual\u2026 does not include deidentified data or publicly availableinformation\u201d<\/td><\/tr><tr><td>Nevada<\/td><td><b>Covered information:<\/b> \u201c&#8230;any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:<br><br>1. A first and last name.<br>2. A home or other physical address which includes the name of a street and the name of a city or town. <br><span style=\"font-size: revert;font-weight: inherit;background-color: transparent;color: var(--tb-primary)\">3. An electronic mail address.<\/span> <br><span style=\"font-size: revert;font-weight: inherit;background-color: transparent;color: var(--tb-primary)\">4. A telephone number.<\/span> <br><span style=\"font-size: revert;font-weight: inherit;background-color: transparent;color: var(--tb-primary)\">5. A social security number.<\/span> <br><span style=\"font-size: revert;font-weight: inherit;background-color: transparent;color: var(--tb-primary)\">6. An identifier that allows a specific person to be contacted either physically or online.<\/span> <br><span style=\"font-size: revert;font-weight: inherit;background-color: transparent;color: var(--tb-primary)\">7. Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.<\/span><\/td><\/tr><tr><td>New Hampshire<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>New Jersey<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable individual\u2026 does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>Oregon<\/td><td>\u201c&#8230;data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household\u2026 does not include deidentified data or data that is lawfully available through federal, state or local government records or through widely distributed media; or a controller reasonably has understood to have been lawfully made available to the public by a consumer.\u201d<\/td><\/tr><tr><td>Rhode Island<\/td><td>\u201c&#8230; any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Tennessee<\/td><td>\u201c&#8230;information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer\u2026 does not include information that is: publicly available information; or de-identified or aggregate consumer information\u201d (Examples in <a href=\"https:\/\/www.capitol.tn.gov\/Bills\/113\/Bill\/HB1181.pdf\">Section 2, 47-18-3201, 16B<\/a>)<\/td><\/tr><tr><td>Texas<\/td><td>\u201c&#8230;any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.\u201d<\/td><\/tr><tr><td>Virginia<\/td><td>\u201c&#8230;any information that is linked or reasonably linkable to an identified or identifiable natural person\u2026 does not include de-identified data or publicly available information.\u201d<\/td><\/tr><tr><td>Utah<\/td><td>\u201c&#8230;information that is linked or reasonably linkable to an identified individual or an identifiable individual\u2026 does not include deidentified data, aggregated data, or publicly available information.\u201d<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-consumers-rights-under-the-states-data-privacy-law\">What are consumers\u2019 rights under the states\u2019 data privacy law?<\/h2>\n\n\n\n<p>Some rights are consistent across all of the state-level U.S. data privacy laws to date, though some laws get more granular than others. California is currently the only state that enables consumers to sue for a data breach in specific circumstances (private right of action). Not all data privacy laws enable portability of one\u2019s data, either.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-do-companies-have-to-handle-consumer-requests-under-the-u-s-state-privacy-laws\">How do companies have to handle consumer requests under the U.S. state privacy laws?<\/h3>\n\n\n\n<p>It is common for businesses to have 45 days from receiving a consumer\u2019s request to exercise their rights to fulfill it, with an option to extend that under certain circumstances. Specific U.S. data privacy laws should be reviewed to confirm the exact time frame for responding to requests, extensions, and\/or the ability to refuse requests, as well as ensuring familiarity with each data privacy law\u2019s specific consumer rights to ensure consumers can exercise them or appeal a decision.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Consumers\u2019 Rights<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n<li><b>Right to access:<\/b> personal information collected before the CPRA\u2019s look-back period (the 12 months prior to January 1, 2023) as long as it\u2019s possible or not unreasonably difficult to provide<\/li>\n<li><b>Right to opt out: <\/b>of the sharing <i>and<\/i> sale of personal information to third parties<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller and third parties has about or from the consumer, with some exceptions<\/li>\n<li><b>Right to portability: <\/b>obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right for minors\u2019 personal information not to be shared or sold without explicit consent<\/b>, and for them not to be asked for consent within 12 months of declining a company\u2019s consent request<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to restrict sensitive personal information: <\/b>to limit access to and use of data categorized as sensitive<\/li>\n<li><b>Right to access information about automated decision-making: <\/b>to request information about automated decision-making and the likely outcomes of using such processes, specifically with regards to profiling<\/li>\n<li><b>Right to opt-out of automated decision-making technology: <\/b>for the use of automated decision-making technology with regards to personal information<\/li>\n<li><b>Right not to be discriminated against: <\/b>controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n<li><b>Right to opt-out: <\/b>of data processing for targeted advertising, sale or profiling using their personal data<\/li>\n<li><b>Right to access: <\/b>any data that a company has collected about them<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer, with some exceptions<\/li>\n<li><b>Right to portability: <\/b>obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n<li><b>Right to access: <\/b>any data that a company has collected about them<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer, with some exceptions<\/li>\n<li><b>Right to portability: <\/b>obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right to opt-out:<\/b> of data processing for targeted advertising, sale or profiling using their personal data<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n<li><b>Right to access: <\/b>confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li><b>Right to disclosure: <\/b>a list of the categories of third parties to which the controller has disclosed the consumer\u2019s personal data<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer, with some exceptions<\/li>\n<li><b>Right to portability: <\/b>obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against: <\/b>controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out: <\/b>of sale of personal data, targeted advertising, or profiling \u201cin furtherance of solely automated decisions that produce legal or similarly significant effects\u201d concerning the consumer<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer, with some exceptions<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out<\/b>:\n<ul>\n<li>sale of personal data<\/li>\n<li>targeted advertising<\/li>\n<li>certain profiling \u201c<i>in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer<\/i>\u201d<\/li>\n<li>collection or processing of sensitive data<\/li>\n<li>collection of personal data through the operation of a voice recognition or facial recognition feature<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data or a representative summary of it, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right to delete<\/b>: any personal information the controller has that was provided by the consumer (with some exceptions)<\/li>\n<li><b>Right to disclosure<\/b>: any categories of information about the consumer that have been sold<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal information, targeted advertising, or profiling, and partial right not to be subject to fully automated decision-making<\/li>\n<li><b>Right to not be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td><ul><li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal data and access to that data, with some exceptions<\/li><li><b>Right to delete<\/b>: any personal data the controller has that was provided by the consumer<\/li><li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li><li><b>Right to opt out<\/b>: of sale of personal data<\/li><li><b>Right to not be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li><\/ul><\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal data and access to that data, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has that was provided by the consumer<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right to opt out: <\/b>consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n<li><b>Right to access: <\/b>consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions<\/li>\n<li><b>Right to correction: <\/b>consumers have the right to correct any inaccuracies in their personal data, considering the nature of the personal data and purposes of processing<\/li>\n<li><b>Right to deletion: <\/b>consumers can request controllers to delete any personal data provided by, or obtained about, them, unless the law requires the personal data to be retained<\/li>\n<li><b>Right to data portability: <\/b>consumers can obtain a copy of their personal data in a ready usable format, with some exceptions<\/li>\n<li><b>Right to information: <\/b>consumers can obtain a list of categories of third parties to whom the controller has disclosed their, or any consumer\u2019s, personal data<\/li>\n<li><b>Right to opt out: <\/b>consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal data and access to that data, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has that was provided by the consumer<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right to opt out: <\/b>consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling<\/li>\n<li><b>Right to obtain: <\/b>a list of third parties to which the controller has disclosed the consumer&#8217;s personal data<\/li>\n<li><b>Right to question the results of a controller&#8217;s profiling<\/b>: to be informed of the reason that the profiling resulted in a specific decision, the actions the consumer may take to secure a different decision in the future, review their data used in the profiling, and correct inaccurate data for reevaluation<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal data, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n<li><b>Right to access:<\/b> consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions<\/li>\n<li><b>Right to correction:<\/b> consumers have the right to have any inaccuracies in their personal data that the controller holds corrected, taking into account the nature of the personal data and purposes of processing<\/li>\n<li><b>Right to deletion:<\/b> consumers can request the deletion of any personal data provided by, or obtained about, them, with exceptions<\/li>\n<li><b>Right to data portability:<\/b> consumers can obtain a copy of their personal data that they previously provided to the controller, in a ready usable format, with some exceptions<\/li>\n<li><b>Right to opt out:<\/b> consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n<li><b>Right to access<\/b> covered information that a controller has collected about them<\/li>\n<li><b>Right to correction<\/b> of covered information that the operator has collected about them<\/li>\n<li><b>Right to opt out<\/b> of the sale of covered information<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n<li><b>Right to access: <\/b>confirm whether or not the controller is processing the consumer\u2019s personal data and access such data, with exceptions<\/li>\n<li><b>Right to correction: <\/b>any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes<\/li>\n<li><b>Right to delete: <\/b>any personal data provided by, or obtained about, the consumer, with exceptions<\/li>\n<li><b>Right to portability: <\/b>obtain a copy of the consumer\u2019s personal data processed by the controller, in a portable and reasonable readily usable format, where processing is carried out by automated means, with exceptions<\/li>\n<li><b>Right not to be discriminated against: <\/b>controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out: <\/b>of processing of personal data for the purposes of sale, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n<li><b>Right to access:<\/b> confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li><b>Right to disclosure:<\/b> a list of the categories of third parties to which the controller has disclosed the consumer\u2019s personal data<\/li>\n<li><b>Right to correction:<\/b> any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete:<\/b> any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><b>Right to portability:<\/b> obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against:<\/b> controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out:<\/b> of sale of personal data, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal data, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data and information about third parties it\u2019s shared with, with exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal data, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data, with some exceptions<\/li>\n<li><b>Right to disclosure<\/b>: any categories of information about the consumer that have been sold<\/li>\n<li><b>Right to delete<\/b>: any personal information the controller has that was provided by the consumer (with some exceptions)<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal information, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirmation if the controller is processing the consumer\u2019s personal information and access to that data, with some exceptions<\/li>\n<li><b>Right to correction<\/b>: any inaccurate or outdated information the controller has that was provided by the consumer<\/li>\n<li><b>Right to delete<\/b>: any personal data the controller has about or from the consumer (with some exceptions)<\/li>\n<li><b>Right to portability<\/b>: obtain a copy of the consumer\u2019s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions<\/li>\n<li><b>Right not to be discriminated against<\/b>: controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out<\/b>: of sale of personal data, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n<li><b>Right to access<\/b>: confirm whether or not the controller is processing the consumer\u2019s personal data and access such data, with exceptions<\/li>\n<li><b>Right to correction:<\/b> any inaccuracies in the information the controller has, taking into account the nature of the personal data and processing purposes<\/li>\n<li><b>Right to delete:<\/b> any personal data provided by, or obtained about, the consumer, with exceptions<\/li>\n<li><b>Right to portability:<\/b> obtain a copy of the consumer\u2019s personal data processed by the controller, in a portable and reasonable readily usable format, where processing is carried out by automated means, with exceptions<\/li>\n<li><b>Right not to be discriminated against:<\/b> controllers cannot unlawfully discriminate against consumers, including for exercising their rights<\/li>\n<li><b>Right to opt out:<\/b> of processing of personal data for the purposes of sale, targeted advertising, or profiling<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n<li>Right to access, including confirming whether a controller is processing their data, and the ability to request and receive that data<\/li>\n<li>Right to deletion of personal data, if the data subject directly provided the data to the controller<\/li>\n<li>Right to portability, obtaining a copy of their personal data that they provided to the controller, in a format that is:\n<ul>\n<li>portable to a technically reasonable extent<\/li>\n<li>readily usable to a practical extent<\/li>\n<li>enables the consumer to transmit the data to another controller reasonably easily, where the processing is carried out by automated means<\/li>\n<\/ul>\n<\/li>\n<li>Right to opt out of certain processing, specifically for the sale of the personal data or the purposes of targeted advertising<\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-requirements-for-consent-management-to-comply-with-u-s-data-privacy-laws\">What are the requirements for consent management to comply with U.S. data privacy laws?<\/h2>\n\n\n\n<p>The U.S. data privacy laws to date all use an opt-out model of consent that does not require businesses to obtain consent before collecting personal data in most cases, with the typical exceptions being sensitive data and data belonging to known children. However, the laws do consistently require consumers to be notified about data collection and use, and provided with an option to opt out \u2014 of collection, <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/data-is-the-new-gold-how-and-why-it-is-collected-and-sold\/\">selling data<\/a>, or sharing of their personal data, or targeted advertising or profiling, depending on the law \u2014 as well as have instructions and at least one mechanism to contact the company with requests or complaints.<\/p>\n\n\n\n<p>That said, a number of the states\u2019 regulations don\u2019t specify how consent or opting out must be handled, what form that needs to take, etc. A high performance <a href=\"https:\/\/usercentrics.com\/website-consent-management\/\">Consent Management Platform<\/a>, like Usercentrics CMP, can help companies flexibly and scalably provide the required notifications and consent options for states where they need to comply with privacy regulations.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>State<\/th><th>Consent Management Requirements<\/th><\/tr><tr><td>California (CCPA\/CPRA)<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link reading \u201cDo Not Sell Or Share My Personal Information\u201d to enable consumers to submit an opt out request<\/li>\n \t<li>must honor the Global Privacy Signal<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Colorado<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request<\/li>\n \t<li>by January 1st, 2025, websites must be able to honor preference signals that communicate the consumer\u2019s opt out choice (Global Privacy Control)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Connecticut<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n \t<li>must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Delaware<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request<\/li>\n \t<li>must honor a Universal Opt-Out Mechanism (as of January 2025)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Florida<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented, except for \u201cmethods must be secure, reliable, and clearly and conspicuously accessible\u201d<\/li>\n \t<li>if a controller engages in the sale of sensitive personal data, the controller must provide the following notice: \u201cNOTICE: This website may sell your sensitive personal data.\u201d<\/li>\n \t<li>if a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: \u201cNOTICE: This website may sell your biometric personal data.\u201d<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Indiana<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Iowa<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Kentucky<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Maryland<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Minnesota<\/td><td>\n<ul>\n \t<li>clearly and conspicuous method outside the privacy notice for a consumer to opt out, \u201cThis method may include but is not limited to an Internet hyperlink clearly labeled &#8220;Your Opt-Out Rights&#8221; or &#8220;Your Privacy Rights&#8221; that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request\u201d<\/li>\n \t<li>must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Montana<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nebraska<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented- must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Nevada<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented- privacy policy is required<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Hampshire<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>New Jersey<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism (with specific reference for user profiling)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Oregon<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism (as of January 2026)<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Rhode Island<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Tennessee<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Texas<\/td><td>\n<ul>\n \t<li>clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request- must honor a Universal Opt-Out Mechanism<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Virginia<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented<\/li>\n<\/ul>\n<\/td><\/tr><tr><td>Utah<\/td><td>\n<ul>\n \t<li>no specific requirements regarding how an opt out option needs to be presented, aside from that the controller must clearly and conspicuously provide an option on the website that enables the consumer to submit an opt out request<\/li>\n<\/ul>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>In 2025 more U.S. state privacy laws came into effect than in any previous year. Three more followed in 2026 and new ones continue to be passed. We compare what U.S. state-level data privacy laws mean for businesses and consumer rights in light of increasing regulation and enforcement.<\/p>\n","protected":false},"featured_media":17937,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[13],"class_list":["post-380","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-regulations"],"acf":[],"yoast_head":"<title>U.S. State Privacy Laws - Rights &amp; Requirements for Compliance<\/title>\n<meta name=\"description\" content=\"The U.S. has an increasing patchwork of privacy regulations. Regulators are partnering to expand enforcement. Learn business obligations.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"US Data Privacy Laws By State - Rights And Requirements\" \/>\n<meta property=\"og:description\" content=\"Usercentrics explains and compares the similarities and differences among data privacy laws in the US. Find out more about US data privacy laws by state.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-29T18:58:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2023\/02\/uc_blog_illustration_500px_guide_app_privacy_orange.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"US Data Privacy Laws By State - Rights And Requirements\" \/>\n<meta name=\"twitter:description\" content=\"Usercentrics explains and compares the similarities and differences among data privacy laws in the US. Find out more about US data privacy laws by state.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2023\/02\/uc_blog_illustration_500px_guide_app_privacy_orange.png\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"78 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/\",\"name\":\"U.S. State Privacy Laws - Rights & Requirements for Compliance\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2025\\\/02\\\/US-data-privacy-laws-by-state-300x300-1.jpg\",\"datePublished\":\"2025-02-07T09:05:00+00:00\",\"dateModified\":\"2026-03-29T18:58:44+00:00\",\"description\":\"The U.S. has an increasing patchwork of privacy regulations. Regulators are partnering to expand enforcement. Learn business obligations.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/#primaryimage\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2025\\\/02\\\/US-data-privacy-laws-by-state-300x300-1.jpg\",\"contentUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2025\\\/02\\\/US-data-privacy-laws-by-state-300x300-1.jpg\",\"width\":300,\"height\":300,\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"U.S. data privacy laws by state: rights and requirements\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-data-privacy-laws-by-state\\\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"U.S. State Privacy Laws - Rights & Requirements for Compliance","description":"The U.S. has an increasing patchwork of privacy regulations. Regulators are partnering to expand enforcement. Learn business obligations.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"US Data Privacy Laws By State - Rights And Requirements","og_description":"Usercentrics explains and compares the similarities and differences among data privacy laws in the US. Find out more about US data privacy laws by state.","og_url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2026-03-29T18:58:44+00:00","og_image":[{"url":"https:\/\/usercentrics.com\/wp-content\/uploads\/2023\/02\/uc_blog_illustration_500px_guide_app_privacy_orange.png","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_title":"US Data Privacy Laws By State - Rights And Requirements","twitter_description":"Usercentrics explains and compares the similarities and differences among data privacy laws in the US. Find out more about US data privacy laws by state.","twitter_image":"https:\/\/usercentrics.com\/wp-content\/uploads\/2023\/02\/uc_blog_illustration_500px_guide_app_privacy_orange.png","twitter_site":"@usercentrics","twitter_misc":{"Est. reading time":"78 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/","url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/","name":"U.S. State Privacy Laws - Rights & Requirements for Compliance","isPartOf":{"@id":"https:\/\/usercentrics.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2025\/02\/US-data-privacy-laws-by-state-300x300-1.jpg","datePublished":"2025-02-07T09:05:00+00:00","dateModified":"2026-03-29T18:58:44+00:00","description":"The U.S. has an increasing patchwork of privacy regulations. Regulators are partnering to expand enforcement. Learn business obligations.","breadcrumb":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/#primaryimage","url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2025\/02\/US-data-privacy-laws-by-state-300x300-1.jpg","contentUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2025\/02\/US-data-privacy-laws-by-state-300x300-1.jpg","width":300,"height":300,"copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics.com\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"U.S. data privacy laws by state: rights and requirements","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-data-privacy-laws-by-state\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics.com\/us\/#website","url":"https:\/\/usercentrics.com\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics.com\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/380\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media\/17937"}],"wp:attachment":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/tags?post=380"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_issue?post=380"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_tag?post=380"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/resource_tag?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}