State laws in the United States, including the California Consumer Privacy Act (CCPA), are privacy regulations that vary from state to state. These laws aim to protect the privacy rights of individuals within their respective states. It is important to understand and comply with the specific privacy laws applicable to your state.
When generating privacy policies with iubenda or any other service, ensure that the generated documents comply with the relevant state laws. These documents should include provisions that align with the legal standards defined by the specific state’s privacy laws. The added provisions should apply only to users to whom you are required to offer specific rights and protections under the applicable state law.
When enabling specific options related to state laws, the generator should indicate which services or activities may be considered a sale under the state’s definition. This helps ensure transparency and compliance with the respective state’s privacy regulations.
How to activate the US State law Text
- log in to your admin area
- under the heading “Enable disclosures for users residing in the United States” select Enable
How to activate/modify a Service’s declaration of sale within the generator
The solution will also indicate and highlight services that may be considered to be a sale under the definitions – as consumers must be able to identify and opt out of these services.
In the services panel, whenever you add a service that could be considered a sale, the following options will be made available. If the service has fields that require customization, you will see these checkboxes within the usual customization screen (which typically appears after adding that service).
Caution should be exercised when determining whether a specific activity constitutes a “sale” under the various state privacy laws. While default settings may be in place to help guide the classification, it is highly recommended to double-check and assess your specific situation. Consulting with a legal professional can provide valuable insights and ensure accurate interpretation and application of the relevant state laws.
California Consumer Privacy Act (CCPA)
Important note regarding the personal information of minors
If your processing activities constitute as sale (as mentioned above) under the CCPA, and this processing potentially includes the personal information of minors, you will need to make some additional disclosures by selecting from the following services within the generator.
Please note that 2) and 3) are not mutually exclusive, they can be used at the same time. Additionally, be sure to review your processes to ensure that you meet CCPA requirements regarding minors.
Additional CCPA Requirements
Toll-free number indication
If you run a business that doesn’t operate exclusively online and has a direct relationship with the user, then you must indicate “two or more designated methods” for submitting CCPA requests. One of these methods must be a toll-free telephone number. You can easily add this information via the “Owner field” within the generator.
The CCPA also requires the following:
What changes have been made to the policy text?
In addition to the above information, you can find a summary of the changes introduced to meet CCPA requirements here.
CCPA policy additions
- plain-language clauses as recommended under US law;
- a section that holds the bulk of CCPA-relevant disclosures:
- outlining the purposes of processing,
- outlining the sources of the data collection,
- outlining the particular categories of personal information collected over the last 12 months,
- which informs users of their rights under the CCPA and how those rights can be exercised,
- which details how and when exercised rights will be honored,
- informing consumers on how they can opt out;
- any other CCPA terminology and definitions.
Want to learn more about the CCPA and its full requirements? Read the How to Comply section of our detailed CCPA guide.
Virginia Consumer Data Protection (VCDPA)
VCDPA policy additions
- Categories of personal data processed by your organization.
- Organization’s purpose for processing personal data.
- How users may exercise their rights, including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.
- Categories of personal data that your organization shares with third parties if any.
- Categories of third parties, if any, with whom your organization shares personal data.
Specific service clauses related to the VCDPA include:
- Profiling of Virginia consumers;
- Collection of personal data about Virginia consumers below the age of 13; and
- We do not collect personal data about Virginia consumers below the age of 13.
Want to learn more about the VCDPA and its full requirements? See here →
Colorado Privacy act (CPA)
CCPA policy additions
CPA privacy notice includes the following:
- Categories of personal data collected or processed.
- Purposes for which the categories of personal data are processed.
- How and where consumers can exercise their rights, including the contact information and how to appeal a controller’s action with regard to a consumer’s request.
- Categories of personal data that are shared with third parties, if any;
- Categories of third parties with whom the personal data are shared, if any.
Want to learn more about the CPA and its full requirements? See here →
Utah Consumer Privacy Act (UCPA)
UCPA policy additions
- Categories of Personal Data Processed: Identify the types of personal data that your organization collects and processes, such as names, email addresses, and payment information.
- Purposes for Processing Personal Data: Describe the reasons why your organization collects and processes personal data, such as to fulfill orders, provide customer support, or improve products or services.
- Consumer Rights: Explain how consumers can exercise their rights, such as the right to access and delete their personal data. Note that the UCPA does not grant consumers the right to request the correction of inaccurate personal data.
- Sharing of Personal Data: Disclose the categories of personal data that your organization shares with third parties, if any. For example, you may share payment information with a payment processor or mailing addresses with a shipping provider.
- Third Parties: Identify the categories of third parties with whom your organization shares personal data, if any. This could include vendors, service providers, or marketing partners.
Unlike other US state-level privacy legislations, it’s important to note that, under UCPA, opt-out links come into consideration only in relation to consumers’ right to opt out of the processing of sensitive data.
Want to learn more about the UCPA and its full requirements? See here →
Connecticut Data Privacy Act (CTDPA)
CTDPA policy additions
Effective January 1, 2025, you must also allow consumers to opt out of the processing of their personal data for targeted advertising or sale through an opt-out preference signal sent via a platform, technology, or mechanism, with the consumer’s consent.
Want to learn more about the CTDPA and its full requirements? See here →