US privacy law compliance for your site, app and business
State laws are placing new requirements on businesses, and, as a result, new legal and technical burdens as well. Compliance can be complicated. Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting so that you can focus on growing your business.
In general, US state privacy laws like the CPRA (CCPA amendment) and VCDPA may apply to you if you target users based in those states and simultaneously meet any of the requirements outlined below.
CPRA
VCDPA
CPA
CTDPA
UCPA
TDPSA
MTCDPA
OCPA
NJDPA
DPDPA
NHDPA
Nevada Privacy Law
NDPA
The California Privacy Rights Act (CPRA) builds on the CCPA’s existing provisions, enriches consumer rights, and adds new requirements for companies that process personal data from California residents.
It applies to legal entities doing business in California for profit, that process consumers' personal information and that meet any one or more of the following requirements:
annual gross revenues in excess of $25M;
annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
derives 50% or more of its annual revenues from selling, or sharing* consumers' personal information.
* Can include third-party integrations on your website.
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California. The VCDPA went into effect on January 1, 2023.
It applies to persons that conduct business in Virginia or provide products or services that are targeted to residents of Virginia and that:
during a calendar year, control or process personal data of at least 100,000 consumers; or
control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The Colorado Privacy Act (CPA) went into effect July 1, 2023 and is designed to protect the privacy rights of Colorado residents by regulating how businesses collect, process, and store personal data.
It applies to controllers that conduct business in Colorado or intentionally target Colorado residents with commercial products or services, and:
control or process the personal data of 100,000 consumers or more during a calendar year; or
derive revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more.
The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023 and requires you to provide consumers with clear and meaningful privacy notices that include information on personal data processing, purposes, consumer rights, and third-party sharing, among other requirements.
It applies to persons that conduct business in Connecticut or produce products or services that are targeted to Connecticut’s residents and that during the preceding calendar year:
Controlled or processed personal data of at least 100,000 consumers (excluding personal data controlled or processed to exclusively complete a payment transaction); or
Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The Utah Consumer Privacy Act (UCPA) is a new consumer privacy law in Utah that went into effect on December 31, 2023. The UCPA takes a business-friendly approach to consumer privacy. The UCPA is intended to provide a workable standard for businesses while also protecting Utah consumers’ guaranteed rights.
It applies to any organization that:
Conducts business in Utah; or
Produces a product or service that is targeted to consumers who are Utah residents;
Has annual revenue of $25,000,000 or more; and
Satisfies one or more of the following thresholds:
During a calendar year, controls, or processes personal data of 100,000 or more consumers; or
Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, was signed into law on June 18 by Governor Greg Abbott and went into effect on July 1, 2024.
The Act applies to:
Businesses that conduct operations in Texas;
Produce products or services for Texas residents;
Process or sell personal data; and
Do not qualify as small businesses under the U.S. Small Business Administration guidelines.
The Montana Consumer Data Privacy Act (MTCDPA) went into effect on October 1, 2024. This legislation aims to give Montana residents more control over their personal data, ensuring their privacy in a rapidly evolving digital world.
The act applies to businesses operating in Montana or targeting its residents that meet one of the following criteria:
Control or process the personal data of at least 50,000 consumers (excluding payment transaction data), or
Control or process data of at least 25,000 consumers and earn more than 25% of their gross revenue from selling personal data.
Non-profits and certain other entities are exempt from this law.
The Oregon Consumer Privacy Act (OCPA) was signed into law by Governor Tina Kotek on July 18, 2023, and went into effect on July 1, 2024. This law is designed to enhance the privacy rights of Oregon residents.
The OCPA applies to businesses operating in Oregon or providing products or services to Oregon residents that:
Control or process personal data of 100,000 or more Oregon consumers, or
Control or process personal data of 25,000 or more Oregon consumers and derive 25% of their annual revenue from selling this data.
Non-profit businesses have an additional year, until July 1, 2025, to comply with this law.
The New Jersey Data Protection Act (NJDPA) aims to enhance the privacy rights of New Jersey residents by regulating how businesses collect, use, and manage personal data.
It applies to entities that:
Conduct business in New Jersey; or
Produce products or services that are targeted to New Jersey residents, and:
Control or process the personal data of 100,000 or more consumers; or
Derive more than 50% of their gross revenue from the sale of personal data.
The Delaware Personal Data Privacy Act (DPDPA) requires businesses to implement clear data processing practices and provides Delaware residents with rights over their personal data.
It applies to any entity that:
Conducts business in Delaware; or
Offers products or services targeted to Delaware residents, and:
Controls or processes the personal data of at least 100,000 Delaware residents; or
Derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 Delaware residents.
The New Hampshire Data Protection Act (NHPA) enforces strict data privacy protections for New Hampshire residents, outlining businesses’ responsibilities regarding personal data processing.
It applies to any entity that:
Conducts business in New Hampshire; or
Targets its products or services to New Hampshire residents, and:
Controls or processes the personal data of at least 100,000 consumers during the preceding calendar year; or
Derives more than 50% of its revenue from the sale of personal data and processes the personal data of at least 25,000 consumers.
The Nevada Privacy Law provides important consumer protections for Nevada residents concerning how their personal data is processed by businesses.
It applies to:
Any business that conducts business in Nevada; or
Offers products or services to Nevada residents, and:
Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
Derives more than 50% of its revenue from the sale of personal data and processes the personal data of at least 25,000 consumers.
The Nebraska Data Privacy Act (NDPA) is designed to give Nebraskan consumers rights to control their personal data, ensuring that businesses comply with transparency and accountability in data processing.
It applies to:
Any business that operates in Nebraska; or
Produces or delivers products or services targeted to Nebraska residents, and:
Controls or processes personal data of at least 100,000 consumers during the preceding calendar year; or
Derives over 50% of its revenue from the sale of personal data and processes personal data of at least 25,000 consumers.
CPRA
The California Privacy Rights Act (CPRA) builds on the CCPA’s existing provisions, enriches consumer rights, and adds new requirements for companies that process personal data from California residents.
It applies to legal entities doing business in California for profit, that process consumers' personal information and that meet any one or more of the following requirements:
annual gross revenues in excess of $25M;
annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
derives 50% or more of its annual revenues from selling, or sharing* consumers' personal information.
* Can include third-party integrations on your website.
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California. The VCDPA went into effect on January 1, 2023.
It applies to persons that conduct business in Virginia or provide products or services that are targeted to residents of Virginia and that:
during a calendar year, control or process personal data of at least 100,000 consumers; or
control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
CPA
The Colorado Privacy Act (CPA) went into effect July 1, 2023 and is designed to protect the privacy rights of Colorado residents by regulating how businesses collect, process, and store personal data.
It applies to controllers that conduct business in Colorado or intentionally target Colorado residents with commercial products or services, and:
control or process the personal data of 100,000 consumers or more during a calendar year; or
derive revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more.
CTDPA
The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023 and requires you to provide consumers with clear and meaningful privacy notices that include information on personal data processing, purposes, consumer rights, and third-party sharing, among other requirements.
It applies to persons that conduct business in Connecticut or produce products or services that are targeted to Connecticut’s residents and that during the preceding calendar year:
Controlled or processed personal data of at least 100,000 consumers (excluding personal data controlled or processed to exclusively complete a payment transaction); or
Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
UCPA
The Utah Consumer Privacy Act (UCPA) is a new consumer privacy law in Utah that went into effect on December 31, 2023. The UCPA takes a business-friendly approach to consumer privacy. The UCPA is intended to provide a workable standard for businesses while also protecting Utah consumers’ guaranteed rights.
It applies to any organization that:
Conducts business in Utah; or
Produces a product or service that is targeted to consumers who are Utah residents;
Has annual revenue of $25,000,000 or more; and
Satisfies one or more of the following thresholds:
During a calendar year, controls, or processes personal data of 100,000 or more consumers; or
Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
TDPSA
The Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, was signed into law on June 18 by Governor Greg Abbott and went into effect on July 1, 2024.
The Act applies to:
Businesses that conduct operations in Texas;
Produce products or services for Texas residents;
Process or sell personal data; and
Do not qualify as small businesses under the U.S. Small Business Administration guidelines.
MTCDPA
The Montana Consumer Data Privacy Act (MTCDPA) went into effect on October 1, 2024. This legislation aims to give Montana residents more control over their personal data, ensuring their privacy in a rapidly evolving digital world.
The act applies to businesses operating in Montana or targeting its residents that meet one of the following criteria:
Control or process the personal data of at least 50,000 consumers (excluding payment transaction data), or
Control or process data of at least 25,000 consumers and earn more than 25% of their gross revenue from selling personal data.
Non-profits and certain other entities are exempt from this law.
NJDPA
The New Jersey Data Protection Act (NJDPA) aims to enhance the privacy rights of New Jersey residents by regulating how businesses collect, use, and manage personal data.
It applies to entities that:
Conduct business in New Jersey; or
Produce products or services that are targeted to New Jersey residents, and:
Control or process the personal data of 100,000 or more consumers; or
Derive more than 50% of their gross revenue from the sale of personal data.
DPDPA
The Delaware Personal Data Privacy Act (DPDPA) requires businesses to implement clear data processing practices and provides Delaware residents with rights over their personal data.
It applies to any entity that:
Conducts business in Delaware; or
Offers products or services targeted to Delaware residents, and:
Controls or processes the personal data of at least 100,000 Delaware residents; or
Derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 Delaware residents.
NHDPA
The New Hampshire Data Protection Act (NHPA) enforces strict data privacy protections for New Hampshire residents, outlining businesses’ responsibilities regarding personal data processing.
It applies to any entity that:
Conducts business in New Hampshire; or
Targets its products or services to New Hampshire residents, and:
Controls or processes the personal data of at least 100,000 consumers during the preceding calendar year; or
Derives more than 50% of its revenue from the sale of personal data and processes the personal data of at least 25,000 consumers.
Nevada Privacy Law
The Nevada Privacy Law provides important consumer protections for Nevada residents concerning how their personal data is processed by businesses.
It applies to:
Any business that conducts business in Nevada; or
Offers products or services to Nevada residents, and:
Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
Derives more than 50% of its revenue from the sale of personal data and processes the personal data of at least 25,000 consumers.
NDPA
The Nebraska Data Privacy Act (NDPA) is designed to give Nebraskan consumers rights to control their personal data, ensuring that businesses comply with transparency and accountability in data processing.
It applies to:
Any business that operates in Nebraska; or
Produces or delivers products or services targeted to Nebraska residents, and:
Controls or processes personal data of at least 100,000 consumers during the preceding calendar year; or
Derives over 50% of its revenue from the sale of personal data and processes personal data of at least 25,000 consumers.
See it in action
Timeline US state laws
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) becomes effective, with a grace period of 6 months.
California Consumer Privacy Act (CCPA)
CCPA’s compliance is now actively monitored and enforced by the Office of the Attorney General, issuing non-compliance notices and fines if the violations persist after the 30-day cure period.
California Privacy Rights Act (CPRA)
CPRA starts its look-back period of 12 months. Businesses must now take into consideration the personal information collected and processed over a 12-month period preceding a consumer’s request.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) amends the CCPA and becomes effective. The 30-day cure period no longer applies.
To comply with the CPRA, you may need to take the following steps:
It is important to note that the steps you need to take to comply will depend on the nature of your business and the type of personal information you collect and process. See if your business qualifies with this 1-min quiz
The Virginia Consumer Data Protection Act (VCDPA) becomes effective and is enforced.
To comply with the VCDPA, you may need to take the following steps:
It is important to note that the specific steps you need to take to comply will depend on the nature of your business, the type of personal information you collect and process, and other factors.
The CPRA is now actively monitored and enforced by the California Privacy Protection Agency (CPPA), issuing fines or penalties for non-compliance.
Please be informed that following the decision of the Sacramento County Superior Court, the enforcement of the final regulations issued by the California Privacy Protection Agency has been delayed to March 29, 2024. The decision, however, does not affect the CPRA statutory provisions, which are enforced as of July 1, 2023.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) goes into effect.
To comply with the CPA, you may need to take the following steps:
The Connecticut Data Privacy Act (CTDPA) goes into effect.
To comply with the CTDPA, you may need to take the following steps:
For further information on how to comply with the above, see here.
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) goes into effect.
To comply with the UCPA, you may need to take the following steps:
For further information on how to comply with the above, see here.
Colorado Privacy Act (CPA)
The Colorado Privacy Act’s requirement to honor consumers’ opt-out requests made through a universal opt-out mechanism is now effective.
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA) is now effective
Please note that non-profit businesses have an additional year, until July 1, 2025, to comply with this law.
Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) is now effective.
Montana Consumer Data Privacy Act (MTCDPA)
The Montana Consumer Data Privacy Act (MTCDPA) is now effective.
Please note that non-profits and certain other entities are exempt from this law.
Montana Consumer Data Privacy Act (MTCDPA)
The Montana Consumer Data Privacy Act now requires businesses to recognize and honor universal opt-out signals from consumers electing to opt out of the sale of their personal data or targeted advertising.
Utah Consumer Privacy Act (UCPA)
Enforcement begins.
Oregon Consumer Privacy Act (OCPA)
Enforcement begins.
Key Deadline: Businesses must comply with consumer rights requests and other requirements of the OCPA.
Texas Data Privacy and Security Act (TDPSA)
Enforcement begins.
Key Deadline: Businesses must start implementing consumer rights and data security measures under TDPSA.
Montana Consumer Data Privacy Act (MTCDPA)
Enforcement begins.
Key Deadline: Businesses must ensure compliance with the consumer rights and data processing obligations set by MTCDPA.
Iowa Consumer Data Privacy Act (ICDPA)
Enforcement begins.
Key Deadline: Companies must comply with new privacy rights requirements under the Iowa law.
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act now requires that businesses recognize “ Global Privacy Control” signals from browsers like Chrome, which allow users to opt out of data sales or targeted ads.
New Jersey Data Protection Act (NJDPA)
Enforcement begins.
New Hampshire Data Protection Act (NHDPA)
Enforcement begins.
Delaware Personal Data Privacy Act (DPDPA)
Enforcement begins.
Nevada Privacy Law
Enforcement begins.
Key Deadline: Businesses must comply with the consumer rights and data security provisions under Nevada’s revised privacy law.
Nebraska Data Privacy Act (NDPA)
Enforcement begins.
Key Deadline: Companies must meet all compliance deadlines outlined in the Nebraska law.
What's required to comply with laws in the US?
As regulations differ slightly from state to state, keeping up with every scenario can be a tiresome job. iubenda’s smart solutions apply the most robust standards to help you comply with minimum effort. Simply select US State Laws in your generator to comply with the main regulations across the US.
Detailed disclosures via Privacy Policy
US Requirement
Businesses must include specific disclosures in their privacy policies. These disclosures include descriptions of consumer rights, processing partners, purposes, sources and more. This information must be complete, up-to-date and easily accessible throughout your website/app.
Policies are invalid if they're missing the right information
In order to be compliant, your policy must at the very least contain:
Include the categories of personal information that your business has sold or shared with third parties in the last 12 months, a list of relevant third parties, and your business purpose. You also need to disclose if you have not sold or shared users’ personal information within the last 12 months.
Add a statement regarding whether or not your business knowingly sells or shares the personal information of users under the age of 16.
Include the categories of personal information that your business has disclosed (for business purposes) to third parties in the last 12 months, a list of relevant third parties, and your business’s purpose. You shall also disclose if you have not disclosed consumers’ personal information in the preceding 12 months.
State whether or not your business uses or discloses sensitive personal information for purposes other than those specified in the act.
Provide any links to online request forms or portals so your users can make requests regarding their personal information being collected, disclosed, or sold.
Include the categories of personal data processed by your organization.
Include your organization’s purpose for processing personal data.
Inform your users of how they may exercise their rights (see below), including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.
Include the categories of personal data that your organization shares with third parties, if any.
Include the categories of third parties, if any, with whom your organization shares personal data.
Specifically, the CPA requires you to provide a privacy notice that includes the following information:
Categories of personal data collected or processed.
Purposes for which the categories of personal data are processed.
How and where consumers can exercise their rights, including the contact information and how to appeal a controller’s action with regard to a consumer’s request.
Categories of personal data that are shared with third parties, if any;
Categories of third parties with whom the personal data are shared, if any.
Connecticut’s new privacy law requires that you provide consumers with a clear and meaningful privacy notice that is reasonably accessible. Here’s a checklist of what needs to be included in your privacy policy to comply with the new law:
Categories of Personal Data: Your privacy policy must include a list of the categories of personal data that you process.
Purposes for Processing: Your privacy policy must clearly state the purposes for processing personal data. This includes any reason why you collect and use personal data, such as to fulfill a contract or provide a service.
Consumer Rights: Your privacy policy must explain how consumers can exercise their rights under the law. This includes how a consumer can access, correct, delete, or restrict the processing of their personal data. You must also include information on how a consumer can appeal a decision related to their request.
Third-Party Sharing: If you share personal data with third parties, your privacy policy must specify the categories of personal data that you share.
Third-Party Categories: Your privacy policy must also specify the categories of third parties with which you share personal data.
Contact Information: Your privacy policy must provide an active electronic mail address or other online mechanism that consumers can use to contact you with questions or concerns about their personal data.
Sale or Targeted Advertising: If you process personal data for the purposes of sale or targeted advertising, your privacy policy must clearly and conspicuously disclose this fact. You must also provide information on how consumers can exercise their right to opt out of such processing.
If you’re subject to the Utah Consumer Privacy Act (UCPA), you must provide a privacy policy that is reasonably accessible and clear to consumers. Your privacy policy should include the following:
Categories of Personal Data Processed: Identify the types of personal data that your organization collects and processes, such as names, email addresses, and payment information.
Purposes for Processing Personal Data: Describe the reasons why your organization collects and processes personal data, such as to fulfill orders, provide customer support, or improve products or services.
Consumer Rights: Explain how consumers can exercise their rights, such as the right to access and delete their personal data. Note that the UCPA does not grant consumers the right to request the correction of inaccurate personal data.
Sharing of Personal Data: Disclose the categories of personal data that your organization shares with third parties, if any. For example, you may share payment information with a payment processor or mailing addresses with a shipping provider.
Third Parties: Identify the categories of third parties with whom your organization shares personal data, if any. This could include vendors, service providers, or marketing partners.
The Texas Data Privacy and Security Act requires controllers to provide a reasonably accessible and clear privacy notice to consumers, outlining, among others:
the categories of personal data, including sensitive data, if applicable, being processed and the purposes of processing;
how consumers can exercise their rights; and
the categories of personal data shared with third parties and the categories of third parties with whom the information is shared.
If controllers perform the sale of sensitive data, they are required to provide an appropriate disclosure to consumers.
For certain types of data processing, data controllers must complete data protection assessments.
Provide clear privacy notice detailing:
the categories of personal data processed;
processing purposes;
sharing practices;
contact information; and
how to exercise consumers’ rights.
The OCDPA mandates that controllers offer consumers a clear, accessible, and meaningful privacy notice. This notice must include:
The categories of personal data (including sensitive data) processed by the controller and the purposes of processing.
The categories of personal data shared with third parties and the identities of these third parties.
Details of any processing activities related to targeted advertising.
Instructions on how consumers can contact the controller and exercise their privacy rights, including the process for appeals.
The New Jersey Data Protection Act (NJDPA) requires businesses to provide a privacy notice that includes the following key details:
Categories of Personal Data Collected: Your privacy policy must specify the types of personal data you collect or process (e.g., names, contact details, and payment information).
Purposes for Processing: You must clearly state the reasons for processing personal data, such as fulfilling orders, providing services, or marketing.
Consumer Rights: Your privacy policy must explain how consumers can exercise their rights under the NJDPA, including how they can access, correct, or delete their personal data, and how to opt out of the sale or targeted advertising processing of their personal data.
Third-Party Sharing: Your policy must detail the categories of personal data shared with third parties, if applicable.
Categories of Third Parties: You must specify the types of third parties with whom you share personal data, such as service providers, marketing partners, or vendors.
The Delaware Personal Data Privacy Act (DPDPA) requires that your privacy notice includes the following:
Categories of Personal Data Collected: List the categories of personal data you process (e.g., names, contact details, and payment information).
Purposes for Processing: Clearly state the purposes for processing the data, including fulfilling contracts or providing services.
Consumer Rights: Explain how consumers can exercise their rights under the DPDPA, such as accessing, deleting, or restricting their personal data. It should also provide information on how to opt out of the sale or targeted advertising processing of their data.
Third-Party Sharing: Disclose the categories of personal data you share with third parties, if any.
Categories of Third Parties: Identify the third parties with whom you share personal data, such as analytics providers, service providers, or business partners.
Under the New Hampshire Data Protection Act (NHDPA), your privacy policy must include the following:
Categories of Personal Data Collected: Specify the types of personal data you collect, such as names, email addresses, or payment information.
Purposes for Processing: Describe why you collect and process personal data, whether for contract fulfillment, service provision, or marketing.
Consumer Rights: Inform consumers of their rights to access, correct, or delete their personal data and how they can exercise these rights under the New Hampshire law. Include information on opting out of the sale or processing for targeted advertising.
Third-Party Sharing: Your policy must disclose which categories of personal data are shared with third parties.
Categories of Third Parties: Identify the third-party categories with whom you share personal data, such as service providers, business partners, or marketing agencies.
The Nevada Privacy Law requires businesses to include the following information in their privacy policies:
Categories of Personal Data Collected: Specify the types of personal data you collect (e.g., contact details, online identifiers, etc.).
Purposes for Processing: State the reasons why you collect and process personal data, such as service provision, contract fulfillment, or marketing.
Consumer Rights: You must explain consumers' rights to opt out of the sale of their personal data and the steps to exercise this right.
Third-Party Sharing: Indicate which personal data, if any, is shared with third parties.
Categories of Third Parties: List the third parties with whom you share personal data, such as payment processors, service providers, or advertising partners.
The Nebraska Data Privacy Act requires that your privacy policy include the following:
Categories of Personal Data Collected: Identify the personal data categories you process (e.g., contact information, financial data, etc.).
Purposes for Processing: Describe the reasons for processing personal data, such as to fulfill contracts, provide services, or conduct marketing activities.
Consumer Rights: Explain how consumers can exercise their rights under the NDPA, such as accessing, deleting, or restricting the processing of their personal data, and opting out of data sale or targeted advertising.
Third-Party Sharing: Your privacy policy must disclose any personal data shared with third parties.
Categories of Third Parties: You must identify the types of third parties with whom you share personal data, such as vendors, service providers, or business partners.
Customizable from 2000+ clauses, available in up to 27 languages and automatically updated if the law changes, our generator allows you to create a legal document in minutes and seamlessly integrate it with your website or app.
The CPRA (CCPA amendment) requires you to display a notice at or before the point of collection which informs consumers of which categories of personal information will be collected and the purposes for the collection. Consumers must also be allowed to opt-out of this processing. As a business you are therefore responsible for informing consumers of this option and providing the actual means for opt-out.
In particular, you must:
Detect whether or not a consumer is California-based and whether or not they’ve visited your website before
Instruct relevant third-parties to cease processing the consumer's information when an opt-out request is received.
Serve them a notice at first site visit containing the necessary disclosures
Please be informed that under the VCDPA, there are no indications that opt-out links enabling users to opt-out of the processing of personal data for certain purposes are required.
The provisions of the VCDPA, in fact, treat users’ opt-out rights in the same manner as any other users’ rights granted under the Act.
Your business needs to comply with users’ requests as follows:
You need to comply with the request within 45 days. The response period may be extended one time by 45 additional days when reasonably necessary, as long as you inform your user of any extension within the initial 45-day response period, together with the reason for the extension;
If you decline to take action regarding your users’ request, inform the user of such rejection within 45 days, indicating the relevant justification and instructions on how to appeal the decision;
If you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with the request, and you may ask for additional information, which is reasonably necessary to authenticate the user and its request.
Please be informed that under the CPA, there are no indications that opt-out links enabling consumers to opt-out of the processing of personal data for certain purposes are required. However, if you are processing personal data for targeted advertising or sale, you are required to provide a clear and conspicuous method for consumers to exercise their right to opt out.
This method must be clearly and conspicuously described in the privacy notice and must be readily accessible outside the privacy notice.
You must also allow consumers to opt out of the processing of their personal data for targeted advertising or sale through an opt-out preference signal sent via a platform, technology, or mechanism, with the consumer’s consent. This mechanism must:
not unfairly disadvantage other controllers,
require an affirmative and unambiguous choice from the consumer,
be easy to use,
be as consistent as possible with other similar mechanisms required by federal or state laws or regulations, and
enable the controller to determine whether the consumer is a resident of Connecticut and has made a legitimate opt-out request.
Under the Utah Consumer Privacy Act (UCPA), consumers have the right to opt out of the processing of their personal data for targeted advertising purposes or the sale of their personal data to third parties. However, the Act does not provide specific guidelines on how you should enable consumers to exercise this right.
To comply with the UCPA, you must:
provide consumers with a means to submit opt-out requests; and
specify the right they intend to exercise.
It’s important to note that, under UCPA, opt-out links come into consideration only in relation to consumers’ right to opt out of the processing of sensitive data.
The TDPSA requires opt-in user consent in the following scenarios:
Opt-in Consent for Processing Sensitive Data: Controllers cannot process sensitive data without explicit user consent. When processing children's sensitive personal data, controllers must also comply with the Children’s Online Privacy Protection Act of 1998.
Opt-in Consent for Processing Children’s Data: For the purposes of this act, children are defined as minors under the age of 13.
Businesses can generally process consumers' data without their consent if the processing purposes are the same as initially disclosed. For purposes that are not reasonably necessary for and compatible with those originally specified in the privacy policy, obtaining user consent is necessary.
Businesses must obtain consumer consent for the following purposes:
Processing sensitive data.
Processing the personal data of children aged 13-16 for sale and targeted advertising, if the business is aware of their age.
Provide consumers with an easy method to withdraw their consent. Once a consumer revokes consent, stop the relevant processing of their personal data within 45 days.
Opt-out Mechanisms
Disclose if personal data will be sold or used for targeted advertising.
Provide methods for consumers to opt out of data sales, targeted advertising, and profiling.
Recognize verifiable opt-out signals from authorized agents, including global opt-out mechanisms.
By January 1, 2025, businesses must allow consumers to opt out of targeted advertising and the sale of their personal data using opt-out signals.
To process personal data beyond what is reasonably necessary for the purposes originally disclosed to consumers, entities must obtain active, opt-in consent from consumers. The same consent guidelines apply to the collection and processing of any sensitive information.
The OCPA outlines clear consent requirements:
Consumers must provide clear, affirmative action.
Consent must be unambiguous and informed.
The consent mechanism cannot obscure, subvert, or impair consumers' decision-making.
There must be an easy, similar way for consumers to withdraw their consent at any time.
Inaction by the consumer does not constitute consent.
Additionally, active consent from a legal guardian is required to process data about children under the age of thirteen, including for targeted advertising or the sale of their information.
Under the New Jersey Data Protection Act (NJDPA), businesses must provide a clear and conspicuous mechanism for consumers to opt out of the sale of their personal data, as well as from the processing of personal data for targeted advertising purposes. This mechanism must:
Be easy to use and accessible to consumers,
Require an affirmative and unambiguous choice from the consumer,
Be consistent with other opt-out mechanisms established by federal or state regulations.
Additionally, businesses must respect opt-out requests and implement the necessary actions promptly.
The Delaware Personal Data Privacy Act (DPDPA) mandates that businesses allow consumers to opt out of the sale of their personal data or the processing of personal data for targeted advertising. The opt-out mechanism must:
Be easily accessible and easy to use for consumers,
Provide clear instructions for submitting an opt-out request,
Be in compliance with any applicable federal or state regulations regarding privacy preferences.
The mechanism should also ensure that businesses can verify the identity of the consumer making the request.
Under the New Hampshire Data Protection Act, consumers have the right to opt out of the processing of their personal data for targeted advertising or sale. Businesses are required to:
Provide a clear and easy-to-use method for consumers to submit opt-out requests,
Allow consumers to submit requests through an easily accessible interface,
Ensure that opt-out mechanisms comply with both state and federal privacy laws.
The opt-out must be respected promptly, and consumers must be informed about how their personal data will be processed.
The Nevada Privacy Law gives consumers the right to opt out of the sale of their personal data. To comply with this law, businesses must:
Provide an easily accessible mechanism through which consumers can submit opt-out requests,
Clearly indicate how the consumer can exercise their right to opt-out of data sales,
Ensure that the opt-out mechanism is as simple and straightforward as possible.
Businesses must respect the consumer's request to opt out and notify the consumer that their preferences have been successfully recorded.
The Nebraska Data Privacy Act requires businesses to allow consumers to opt out of the sale of personal data or its processing for targeted advertising. To comply with the NDPA, businesses must:
Provide a clear and accessible opt-out method for consumers,
Ensure that the mechanism is easy to use and consistent with other federal and state regulations,
Make it clear to consumers how their data will be used and how they can exercise their opt-out rights.
Once an opt-out request is made, businesses must act on it promptly and in accordance with the consumer's stated preferences.
Solution
Privacy Controls and Cookie Solution for CPRA and VCDPA
Display a "Do Not Sell My Personal Information" (DNSMPI) link in the notice and elsewhere on your site/app thereby supporting opt-out from sale
Automatically detect and apply the correct standards (including multiple standards) based on location. Our solution allows you to apply both CPRA (CCPA amendment) and GDPR standards to the same users when legally required
Easily register and automatically pass user preferences (like opt-out) to ad vendors who support the IAB CCPA (CPRA) Compliance Framework (like Google and AdRoll)
iubenda’s Cookie Solution supports Opt-out Preference
Signals like the GPC
and GPP
as required under the CPRA
As mentioned above, similary to the CPRA (CCPA amendment), most of these state laws grant users the right to opt out. In cases where the processing is somewhat manual (i.e not related to onsite scripts such as in the case of Direct email marketing) businesses may need to manually implement the opt-out request.
Furthermore, laws like the CPRA mandates that users may not be contacted for a minimum of 12 months after the request. For this reason it's prudent to keep records of opt out details such as the particular user, the date, and sub-contractors to be notified in the case of requests.
Solution
Consent Database
Our Consent Database hooks onto your web-forms to let you automatically pass consumer preference details like opt-out via API to a centrally managed visual dashboard. You can record all relevant details including date and time of opt-out, privacy policy version available to the user at the time of opt-out, User-Id, email and even IP address to aid in request verification.
Civil penalty of $2,500 per violation or; $7,500 per violation if it is intentional or involves the personal information of a child.
Civil penalty of up to $7,500 for each violation.
While these fines might not seem like a lot when compared to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
Overall, what are the main requirements for websites and app owners?
Sharing and profiling
If you have users from the US, then you may need to comply with laws like the CPRA & VCDPA when it comes to profiling or sharing user information. This means that you must inform users that you’re processing their data this way and give them the ability to stop sharing (opt out).
Consent Records
Some regions like Europe and Brazil require you to keep consent proofs (also known as records of consent). In many cases, without these records, the consents you collect may be considered invalid — placing you in violation of the law.
Cross-region requirements
If you have users from various regions (e.g Europe and the US) then you may need to simultaneously comply with laws from multiple regions like California’s CPRA or Europe’s GDPR. This means having region-specific disclosures available in your privacy documents and more.
Trusted by over 140,000 clients in 100+ countries
“If you, like me, are part of a smart team and hate updating your privacy policy every time you add some code to your site, then iubenda is for you. It's ridiculously affordable, and super easy to use.”
The CPRA becomes law on January 1, 2023, and will be enforced as of July 1, 2023.
At iubenda, we always keep an eye on the latest updates and ensure that all of our documents and products are adjusted in time to help you stay compliant.
If you already have CCPA procedures in place, it might be a good idea for you to start reviewing your processes and taking note of a few things:
The United States gains another data privacy regulation through Virginia’s Data Protection Act (VCDPA).
The VCDPA takes effect on January 1, 2023.
If your organization falls under the scope of the VCDPA, you should begin looking into compliance solutions that are well-trusted and drafted by lawyers.
So, if you haven’t got one already, start to set up all that you need today, and we’ll inform you when the clauses are available!
Or join us at our next webinar to get an overview of the legal requirements and ask live questions
All our products are WCAG Level AAA Compliant
A 360° solution to make your sites and apps compliant with the law
Compliance for websites and apps
Privacy and Cookie Policy Generator
Create your privacy and cookie policy in minutes.
Customizable from 2000+ clauses, available in up to 27 languages and automatically updated if the law changes, our generator allows you to create a legal document in minutes and seamlessly integrate it with your website or app.
Manage consent preferences for the ePrivacy, GDPR, CPRA (CCPA amendment) and LGPD. Integrated with the IAB TCF and CCPA Compliance Framework.
Our solution allows you to display a fully customizable cookie banner/consent banner, collect cookie consent, implement prior blocking (including auto-blocking), set advertising preferences, and more.
Our solution smoothly integrates with your consent collection forms, syncs with your legal documents and includes a user-friendly dashboard for reviewing consent records of your activities.
Document all the data processing activity within your organization.
To comply with privacy laws, and particularly the GDPR, companies need to record how they store and use the data they collect from their users. Our solution allows you to easily document all the data processing activities within your organization.
