• California

• Colorado

• Connecticut

• Delaware

• Florida

• Indiana

• Iowa

• Kentucky

• New Hampshire

• New Jersey

• Nevada

• Montana

• Oregon

• Tennessee

• Texas

• Utah

• Virginia

• California

• January 1, 2023

• Colorado

• July 1, 2023

• Connecticut

• July 1, 2023

• Delaware

• January 1, 2025

• Florida

• July 1, 2024

• Indiana

• January 1, 2026

• Iowa

• January 1, 2025

• Kentucky

• January 1, 2026

• New Hampshire

• January 1, 2025

• New Jersey

• January 16, 2025

• Nevada

• 2005

• Montana

• October 1, 2024

• Oregon

• July 1, 2024

• Tennessee

• July 1, 2024

• Texas

• July 1, 2024

• Utah

• December 31, 2023

• Virginia

• January 1, 2023

OVERVIEW

State data protection laws will generally apply to businesses doing business in the specific state and that meet specific applicability thresholds. The applicability thresholds are generally tied to collecting a certain quantity of the state’s residents’ data or whether a business is selling personal data.

Some states are narrower, such as Utah and Florida, which provide that a business must first meet a certain annual revenue threshold before it needs to consider whether the law applies.

It’s important to note that California is the only state thus far that regulates employee and business-to-business personal data. All other states only regulate consumer personal data.

• California

• Over $25 million in gross, worldwide annual revenue; OR

• Annually processing 100,000 or more California residents’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data

• Colorado

• Annually processing 100,000 or more Colorado consumers’ personal data; OR

• Receiving any profit from selling personal data and processing at least 25,000 Colorado consumers’ personal data per year

• Connecticut

• Annually processing 100,000 or more Connecticut consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

• 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Connecticut consumers’ personal data per year

• Delaware

• Annually processing 35,000 Delaware consumers’ personal data (excluding, personal data processed solely to complete a payment transaction);

• 20% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 Delaware consumers’ personal data per year

• Florida

• $1 billion in gross, worldwide annual revenue; AND

• 50% of gross, worldwide annual revenue from the sale of advertisements online; including targeted advertising; OR

• Operates a consumer-facing smart speaker and voice command service connected to cloud computing services that are hands-free

• Indiana

• Annually processing 100,000 or more Indiana consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Indiana consumers’ personal data per year

• Iowa

• Annually processing 100,000 or more Iowa consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Iowa consumers’ personal data per year

• Kentucky

• Annually processing 100,000 or more Kentucky consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Kentucky consumers’ personal data per year

• New Hampshire

• Annually processing 35,000 or more New Hampshire consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

• Over 25% of gross, worldwide annual revenue from selling personal data and processing at least 10,000 New Hampshire consumers’ personal data per year

• New Jersey

• Annually processing 100,000 or more New Jersey consumers’ personal data; OR

• Receiving any profit from selling personal data and processing at least 25,000 New Jersey consumers’ personal data per year

• Nevada

• Own or operate a website or online service for a commercial purpose; AND

• Collecting or storing personal information from Nevada consumer visiting the website or online service; AND

• Purposefully directing activity and doing business in the state

• Montana

• Annually processing 50,000 or more Montana consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

• 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Montana consumers’ personal data per year

• Oregon

• Annually processing 100,000 or more Oregon consumers’ personal data (excluding, personal data processed solely to complete a payment transaction); OR

• 25% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Virginia consumers’ personal data per year

• Tennessee

• Annually processing 100,000 or more Tennessee consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Tennessee consumers’ personal data per year

• Texas

• Conduct business in Texas; AND

• Process or sell any amount of Texas consumers’ personal data; AND

• Are not a small business as defined by Federal regulations

• Utah

• $25 million in gross, worldwide annual revenue; AND

• Annually processing 100,000 or more Utah consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Utah consumers’ personal data per year

• Virginia

• Annually processing 100,000 or more Virginia consumers’ personal data; OR

• 50% of gross, worldwide annual revenue from selling personal data and processing at least 25,000 Virginia consumers’ personal data per year

OVERVIEW

Privacy notices and policies have become common place. All of the U.S. state data protection laws (1) generally require businesses adhere to a general principle of transparency; and (2) provide specific information to individuals via privacy notices.

The U.S. state data protection laws still largely rely on the U.S. principle of notice and implied consent with regard to the collection and use of personal data (outside of some states that require consent for sensitive personal data).

OVERVIEW

Privacy rights have proliferated with the advent of broad, data protection laws—both in foreign data protection laws and U.S. state data protection laws. The privacy rights are generally tied to furthering transparency requirements (e.g., rights to know, access, correct, delete, data portability) and to further give individuals control over their information (e.g., opt-out rights related to selling, targeted advertising, profiling, and sensitive data).

• California

• Right to know or access a consumer's personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to limit the processing of sensitive personal data to what is necessary

• Right to not be discriminated against for exercising the above rights

• Colorado

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Connecticut

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Delaware

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to obtain a list of specific third parties receiving personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Florida

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to opt-out of the collection and processing of sensitive personal data

• Right to opt-out of collection or personal data through the operation of voice recognition or facial recognition features

• Right to appeal

• Indiana

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Iowa

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Kentucky

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• New Hampshire

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• New Jersey

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Nevada

• Right to opt-out of the selling their personal data

• If a business has a pre-existing process, a right for consumers to review and request changes to their personal information collected through the website or online services

• Montana

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Oregon

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to request a list of specific third parties receiving personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Tennessee

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Texas

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

• Utah

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to limit the processing of sensitive personal data to what is necessary

• Virginia

• Right to confirm whether a business is processing a consumer’s personal data

• Right to access their personal data

• Right to correct their personal data

• Right to have their personal data deleted

• Right to receive a copy of their personal data (data portability)

• Right to opt-out of the sale of personal data

• Right to opt-out of cross-contextual behavioral targeted advertising

• Right to opt-out of automated profiling in furtherance of decisions with legal or similar effect

• Right to appeal

OVERVIEW

“Sensitive” personal data can generally be understood to be that information, which if mishandled, has increased risk of causing harm to an individual (e.g., Social Security #'s, race, ethnicity, sexual orientation, religion, citizenship and immigration, health data, genetic and biometric information, precise geolocation information)

U.S. states have diverged on whether to require businesses to obtain prior consent for collecting and processing sensitive personal data, or to provide a right to opt-out of collecting and processing sensitive personal data after the fact.

Most have landing on requiring prior consent.

• California

• Requires ability to limit

• Categories of sensitive personal data: (i) government identifications (e.g., Social Security Numbers, Driver License or Passport Numbers, etc.); (ii) financial account or card numbers, or log-in information in combination with requires security codes, passwords or credentials; (iv) race, ethnicity, or religion; (v) mental or physical health diagnosis; (vi) sexual orientation; (vii) union membership; (viii) genetic or biometric data processed with the purpose of identifying an individual; (ix) the contents of an individual’s mails, email, or text messages unless the business was the intended recipient; and (x) a person’s precise geolocation (within a radius of 1,850 feet).

• Colorado

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Connecticut

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Delaware

• Requires opt-in consent

• Categories of sensitive personal data: Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation, or transgender or non-binary status; (iv) status as a victim of a crime; (v) citizenship or immigration status; (vi) genetic or biometric data; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

• Florida

• Requires opt-in consent and ability to opt-out

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 18); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Indiana

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Iowa

• Requires ability to opt-out

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Kentucky

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• New Hampshire

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• New Jersey

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health data; (iii) sexual orientation, or transgender or non-binary status; (iv) financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; (v) citizenship or immigration status; (vi) genetic or biometric data processed with the purpose of identifying an individual; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

• Nevada

• N/A

• Montana

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Oregon

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, national origin, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation, or transgender or non-binary status; (iv) status as a victim of a crime; (v) citizenship or immigration status; (vi) genetic or biometric data processed with the purpose of identifying an individual; (vii) the personal information of a child (younger than 13); and (viii) a person’s precise geolocation (within a radius of 1,750 feet).

• Tennessee

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Texas

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexuality; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Utah

• Requires ability to opt-out

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

• Virginia

• Requires opt-in consent

• Categories of sensitive personal data: (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

OVERVIEW

All of the U.S. state data protections require some form of audit or review if a business’s processing of personal data is or could be considered “high risk”. However, practically, in order to determine if a business’s processing of personal data falls within the high risk category, there must be on-going regular reviews in place by default.

• California

• Annual cybersecurity audit required if a business’s processing of personal data presents significant risk to security. Businesses must consider (i) the size and complexity of the business; and (ii) the nature and scope of the personal data processing (e.g., type of data, quantity of data, etc.).

• Must submit an annual risk assessment to the California Privacy Protection Agency if a business’s processing of personal data presents significant risk to security.

• Colorado

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Connecticut

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Delaware

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Florida

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Indiana

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Iowa

• None

• Kentucky

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• New Hampshire

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• New Jersey

• Prohibited from processing personal data in a manner that presents a heightened risk of harm to the consumer without first conducting a data protection assessment. Heightened risk includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Nevada

• None

• Montana

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Oregon

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Tennessee

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Texas

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

• Utah

• None

• Virginia

• Prohibited from processing personal data in a manner that presents a high risk of harm to the consumer without first conducting a data protection assessment. High risk processing includes, for example, targeted advertising or profiling, processing that creates a high risk of financial harm or substantial injury, processing that could lead to unfair or deceptive treatment, sale of personal data, or processing of sensitive personal data.

• The data protection assessment must be made available to applicable regulators upon request.

OVERVIEW

All of the U.S. state data protection laws require businesses to adhere to the data protection principle of data minimization. The principle of data minimization requires a business to (1) collect the least amount of personal data; (2) for specified purposes (e.g., expressed in a privacy notice); (3) retained for the least amount of time; and (4) after such retention, securely destroy or delete such personal data.

Data retention and destruction policies and procedures are therefore key aspects to maintaining adherence to the data minimization requirement.

OVERVIEW

All of the U.S. state data protection laws include a right to consumers to opt-out of targeted advertising; however, it is specific to what is called “cross-contextual behavioral advertising.” This includes advertising based on an individuals activity across the Internet, but may exclude a business’s advertising that is solely based on an individuals activity on the business’s specific website.

In some jurisdictions, the use of certain Ad Tech tools could also be considered as “sale” of information (see “Vendor Management” below for more information).

OVERVIEW

Procurement and contracting have become a key aspect to a successful and compliant data protection program, and now, for adherence to U.S. state data protection laws. Where vendors or service providers are processing or accessing personal data on behalf of a business, the business must ensure specific contractual provisions are included in the written contract—often in the form of a data protection or processing agreement.

If the specific contractual provisions are not in place, a business could be considered a “seller” of personal data, triggering additional requirements.

• California

• Specific contractual provisions required in any and all engagements with a third party that have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Colorado

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Connecticut

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Florida

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Indiana

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Indiana more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• Iowa

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Iowa more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• Kentucky

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Kentucky more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• New Hampshire

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• New Jersey

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, New Jersey more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• Nevada

• Does not require contractual provisions in place with third parties

• “Sale” defined narrowly to only include the exchange of personal information for monetary consideration.

• Montana

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Oregon

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Tennessee

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Texas

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data, which is defined broadly as disclosing personal data to a third party for monetary “or other valuable consideration”

• Utah

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Utah more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• Virginia

• Specific contractual provisions required to establish a controller-processor relationship between a business and a vendor or service provider to the extent they have access to or otherwise process personal data

• If proper contractual provisions are not in place, potentially considered a “sale” of personal data; however, Virginia more narrowly defines the concept of “sale” as disclosing personal data to a third party for just monetary consideration

• California

• Requires businesses to adhere to “opt-out preference signals” if selling or engaging in cross-contextual behavioral advertising is in-scope.

• Colorado

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Connecticut

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Delaware

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Florida

• Not applicable.

• Indiana

• Not applicable.

• Iowa

• Not applicable.

• Kentucky

• Not applicable.

• New Hampshire

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, and (ii) targeted advertising

• New Jersey

• Requires businesses to adhere to “universal opt-out mechanisms” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Nevada

• Not applicable.

• Montana

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Oregon

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Tennessee

• Not applicable.

• Texas

• Requires businesses to adhere to “opt-out preference signals” if any of the following are in-scope: (i) selling, (ii) cross-contextual behavioral advertising, or (iii) automated profiling.

• Utah

• Not applicable.

• Virginia

• Not applicable.

OVERVIEW

All of the U.S. state data protection laws give all or the vast majority of the enforcement power to specific state regulators. In California, a specific privacy agency was created, while in the other states, the state Attorney Generals are the lead enforcers and regulators. California is the only state that allows even a limited private right of action (tied to violations leading to a personal data breach).

• California

• Limited private right of action for personal data breaches caused by failure to meet security requirements.

• 30 day cure period

• California Privacy Protection Agency is the lead regulator

• No cure period

• Colorado

• No private right of action

• State AG is the lead regulator

• 60 day cure period (only if the AG thinks it can be cured)

• No cure periods beginning Jan. 1, 2025

• Connecticut

• No private right of action

• State AG is the lead regulator

• 60 day cure period (only if the AG thinks it can be cured)

• Cure periods only granted in AG’s discretion beginning Jan. 1, 2025

• Delaware

• No private right of action

• State AG is the lead regulator

• 60 day cure period (only if the AG thinks it can be cured)

• Cure periods only granted in AG’s discretion beginning Jan. 1, 2026

• Florida

• No private right of action

• State AG is the lead regulator

• 45 day cure period only granted in the AG’s discretion

• No cure period for violations involving personal data about a child (under 18 years old)

• Indiana

• No private right of action

• State AG is the lead regulator

• 30 day cure period

• Iowa

• No private right of action

• State AG is the lead regulator

• 90 day cure period

• Kentucky

• No private right of action

• State AG is the lead regulator

• 30 day cure period

• New Hampshire

• No private right of action

• State AG is the lead regulator

• 60 day cure period (only if the AG thinks it can be cured)

• No cure periods after Dec. 31, 2025

• New Jersey

• No private right of action

• State AG is the lead enforcer

• 30 day cure period

• Nevada

• No private right of action

• State AG is the lead regulator

• 30 day cure period for first violation

• Montana

• No private right of action

• State AG is the lead regulator

• 60 day cure period

• No cure period beginning April 1, 2026

• Oregon

• No private right of action

• State AG is the lead regulator

• 30 day cure period (only if the AG thinks it can be cured)

• Tennessee

• No private right of action

• State AG is the lead regulator

• 60 day cure period

• Tennessee Safe Harbor

• Businesses may have an affirmative defense to any violation of the Tennessee data protection law where their privacy program complies with the National Institute of Standards and Technology (“NIST”) privacy framework titled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0” or such successor or updated framework as might be promulgated by NIST from time to time.

• Texas

• No private right of action

• State AG is the lead regulator

• 30 day cure period

• Utah

• No private right of action

• State AG is the lead regulator

• 30 day cure period

• Virginia

• No private right of action

• State AG is the lead regulator

• 30 day cure period