US state privacy laws, for example the CCPA/CPRA and VCDPA, are placing new requirements on businesses, and, as a result, new legal and technical burdens as well.
These US state privacy laws provide customers more control over their personal information by granting additional rights and requiring businesses to be transparent about their privacy practices. There are, however, significant differences in scope, consumers’ rights, and enforcement. See our US privacy cheatsheet for more information.
Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting.
With iubenda, you can meet these new legal requirements.
US state privacy laws require you, among other things, to provide your users with an up-to-date Privacy Policy that includes specific information, such as US users’ privacy rights and a description of your personal information processing practices.
🔎 For an in-depth look into what should be in a privacy policy, take a look at our dedicated privacy policy check-lists:
With our Privacy and Cookie Policy Generator, you can now enable, with a single US toggle, a compliance solution for all US state privacy laws that we currently support and ALL upcoming US state legislations that we will support in the future.
👉 Generate your US Privacy Policy or update your existing policy by clicking “Enable disclosures for users residing in the United States” to activate the new US-specific sections and clauses.
You can find the switch here:
This allows you to consider your specific case and react to where your users/clients are based and choose accordingly.
Once you have enabled it, you will see the links to the state-specific sections of your privacy policy have been added to your Privacy Policy.
When you enable “Enable disclosures for users residing in the United States” in the legislation-specific standards, various US-related options will appear on all services you add to your Privacy and Cookie Policy:
We have introduced an automated services mapping feature that displays the checkboxes as pre-selected according to the definitions of sale, sharing and targeted advertising set by applicable laws.
For custom services (those added from “Create custom service”) all checkboxes will be presented as unchecked, and you can make the appropriate selections yourself.
When marking the processing by a service as falling within the categories listed above, the related wording will be automatically added or removed in the privacy policy section dedicated to the relevant US state we cover.
Any predefined setup can be freely overwritten and you should customize it according to your specific case.
💡 Since the definition of targeted advertising, sale and sharing, as well as the exceptions to these legal concepts, may vary from state to state, we strongly suggest you check these concepts in depth, for example with the help of our US privacy cheatsheet – Comparison table.
When you enable “Enable disclosures for users residing in the United States” in legislation-specific standards, for some services, where applicable, you will see a new field at the service level called “Sensitive Personal Data”.
And for such a service, you can select one or multiple sensitive personal data types, as shown below:
The definition of sensitive personal data may vary according to the applicable US state law. When you select specific sensitive data here, it will be displayed in the privacy policy as sensitive data processed by you (only in the section of the policy with disclosures pertaining to the relevant US state).
💡 Consult our comparison table on the definition of sensitive data across the US state laws we cover.
Our Privacy and Cookie Policy Generator offers additional clauses related to specific processing activities, as required by some US state privacy laws. This includes, among others, clauses related to the processing of children’s personal information (in relation to both California and Virginia) and to the processing of personal data of Virginia consumers for the purpose of profiling activities.
These additional clauses can be of great help but they contain broad and generic descriptions since we do not know exactly how you process your users’ personal information. Therefore, we highly recommend that you check if they apply to your case and if needed describe your processing activities in more detail by adding custom clauses.
💡 For more information on privacy policies click here.
If you process consumers’ personal information for certain purposes, including but not limited to, targeted advertising, sale or sharing, some of the US state privacy laws such as the CPRA (CCPA amendment) and VCDPA, require you to:
Our Privacy Controls and Cookie Solution helps you comply with these requirements.
Once you have completed the activation of the new US-specific clauses within the Privacy and Cookie Policy Generator, make sure the “US State Laws” within the Privacy Controls and Cookie Solution are enabled: the solution will auto-configure to help you meet the new US requirements allowing your users to exercise their right to opt out.
👉 Simply select the regions where you’re based while configuring the Privacy Controls and Cookie Solution, and the solution will do the rest!
Haven’t generated a Privacy Policy with us, or simply want to customize things yourself?
Within the Privacy Controls and Cookie Solution Generator simply enable the US State Laws option and the support to manage users’ opt-out preferences (if applicable).
To do this, make sure you toggle on US State Laws and click on the Edit button.
Next, click on Manual configuration and select the options that apply to your case:
🚀 We thought this would be a good time to mention that support for Global Privacy Control signals (a universal opt-out signal) and IAB Global Privacy Platform (GPP) is included!
Short answer: no, you don’t need one.
Under the US state privacy laws, a privacy “banner” does not represent a specific requirement, as legislators have generally followed an opt-out approach (certain exceptions apply, see our dedicated guide on the processing of sensitive data, for example). This means that, in most cases, you may perform processing activities, without obtaining users’ prior consent, up until the moment in which users decide to actively deny their consent to such processing.
That’s why you don’t necessarily need a privacy “banner”. If, however, you would like to display an informative banner on your website/app that simply contains the links to the privacy policy and to the US privacy controls (if applicable), our Privacy Controls and Cookie Solution has a dedicated option for this.
Inside the US State Laws tile, under Manual configuration, select the option “Display an informative banner on the user’s first visit”.
The Privacy Controls must be easily accessible, in order to allow your users to freely exercise their privacy preferences at any time. Furthermore, some US state laws, such as the CCPA, as amended by the CPRA, set a mandatory predefined format (the white and blue icon shown below) and label (“Your privacy choices”) for the link to the Privacy Controls.
Our Privacy widget helps you to comply with all these requirements in the easiest way possible: a small, unobtrusive widget, with a predefined format and label, will be displayed on every page of your website after your user has set their preferences.
The CCPA, as updated by the CPRA, requires you to make the Notice at Collection readily available where consumers will encounter it at or before the point of collection of any personal information, including sensitive personal information (if applicable). For example, by posting a conspicuous link to the notice on the introductory page of your website or in the settings menu of your app and on all web pages where personal information is collected.
The purpose of the Notice at Collection is to provide consumers with a timely notice about the categories of personal information, including sensitive personal information, to be collected from them, the purposes for which such information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over your use of their personal information.
To learn more about what should be included in the Notice at Collection, read our guide.
Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this CCPA/CPRA requirement.
To do so:
Under certain US state laws, in order to process sensitive personal information of users residing in the US, you need to obtain their prior consent.
That’s why you should provide a choice mechanism on your website/app that allows users to freely give (or withdraw) their consent to the processing of their sensitive personal information.
Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this requirement. To know how and learn more about the definition of sensitive personal information according to the different US state privacy laws, read our dedicated guide.
We dramatically increased the complexity of our solution to meet current US state-level laws, including what comes next.