US Data Privacy Laws Tracker: State-by-State Map

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• For-profit businesses that collect personal information from California residents, determines the purposes in California.

• Pubic sector organizations in CaliforniaNon-profit organizations

• Gross annual revenue of over $25 million

OR

• Buying, receiving, or selling the personal information of 50,000 or more California residents, households, or devices annually

OR

• Deriving 50% or more of their annual revenue from selling California residents’ personal information.

• Right to Know what personal information is collected
• Right to Know if personal information is shared or sold and to whom
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Share or Sale
• Right to Non-Discrimination
• Right to Limit Use and Disclosure of Sensitive Personal Information
• Right to No Retaliation for Following Opt Out or Exercise of Other Rights

• Sale of personal information

• 45 days with the possibility of a 45 day extension.

• Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

• Does not include publicly available information.
• Does not include consumer information that is de-identified or aggregate consumer information.

• “Publicly available” means information that is lawfully made available from federal, state, or local government records.
• “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

• A natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations . . ., however identified, including by any unique identifier.
• A California resident is any individual who is:
  • In the state of California for other than a temporary or transitory purpose or
  • Domiciled in the state of California and is outside of the state for a temporary or transitory purpose

• Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

• A consumer uses or directs the business to intentionally (i) Disclose personal information (ii) Interact with one or more third parties.
• The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
• The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• For-profit businesses that collect personal information from California residents, determines the purposes in California.

• Pubic sector organizations in CaliforniaNon-profit organizations

• Gross annual revenue of over $25 million

OR

• Buying, selling, or sharing the personal information of 100,000 or more California residents or households annually

OR

• Deriving 50% or more of their annual revenue from selling or sharing California residents’ personal information.

• Right to Know what personal information is collected, shared, or sold
• Right to Know to whom personal information is shared or sold to
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Share or Sale
• Right to Non-Discrimination
• Right to Limit Use and Disclosure of Sensitive Personal Information
• Right to No Retaliation Following Opt Out or Exercise of Other Rights

• Sale of personal information
• Sharing of personal information for behavioral advertising
• Consumers can also limit the use and disclosure of their sensitive personal information

• Same as CCPA

• Same as CCPA

• Same as CCPA

• Same as CCPA

• Social security, driver’s license, passport, state ID card numbers
• Account log-in
• Financial account combined with any required security or access code, password, or credentials allowing access to an account
• Debit card or credit card number combined with any required security or access code, password, or credentials
• A consumer’s exact geolocation
• Racial origin, religious beliefs, or union membership
• A consumer’s mail, email, or text message content unless the information was intentionally sent to the business
• Genetic data
• Biometric data
• Health data
• Sexual orientation data

• Sensitive personal information that is “publicly available” shall not be considered sensitive personal information.

• Same as CCPA

• Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

• Same as CCPA

• Same as CCPA

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• An operator of a commercial website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial website or online service.

• Any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner

• Right to Know what personal information is collected
• Right to Correct

• Tracking by websites

• Individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.

• Any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Any data controller that conducts business in Colorado or data controllers that produce or deliver commercial products or services intentionally targeted to residents of Colorado.

• Airlines
• Public utilities
• Organizations that process data for Colorado Health Insurance laws
• State government organizations
• Consumer reporting agencies
• Higher education institutions

• Processing or controlling the personal data of at least 100,000 consumers annually

OR

• Processing or controlling the personal data of 25,000 consumers or more and deriving revenue or receive discount on the price of goods or services from the sale of personal data.

• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Targeted Advertising, Profiling via a Universal Opt Out Mechanism, or Sale of Personal information
• Right to Appeal

• Sale of personal data
• Profiling
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 45 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Information that is linked or reasonably linkable to an identified or identifiable individual.

• “Personal data” does not include de-identified data or publicly available information.

• “Publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life or sexual orientation
• Citizenship status
• Genetic or biometric data
• Personal data from a known child

• An individual who is a Colorado resident acting only in an individual or household context.
• “Consumer” does not include and individual acting in a commerical or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

• The exchange of personal data for monetary or other valuable consideration by a controller to a third party.

• (I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller
• (II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
• (III) The disclosure or transfer of personal data to an affiliate of the controller
• (IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
• (V) The disclosure of personal data (a) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party or (b) intentionally made available by a consumer to the general public via a channel of mass media.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state

• Connecticut state agencies
• Non-profit organizations
• Higher education institutions
• Certain national securities associations
• Financial institutions subject to GLBA
• “Covered entities” or “business associates” as defined under HIPAA

• Controlled or processed the personal data of 100,000 or more consumers annually, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• Controlled or processed the personal data of 25,000 or more consumers annually and derived more than 25% of their gross annual revenue from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
• Right to Non-Discrimination

• Sale of personal data
• Profiling
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Information that is linked or reasonably linkable to an identified or identifiable individual.

• “Personal data” does not include de-identified data or publicly available information.

• (A) is lawfully made available through federal, state or municipal government records or widely distributed media, and
• (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life or sexual orientation
• Citizenship or immigration status
• Genetic or biometric data for the purpose of uniquely identifying an individual
• Personal data from a known child
• Specific geolocation data (GPS)

• An individual who is a resident of Connecticut
• “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.

• The exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
• (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
• (C) the disclosure or transfer of personal data to an affiliate of the controller
• (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses Substitute Senate Bill No. 6 Public Act No. 22-15 6 of 27 the controller to interact with a third party
• (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience
• (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Persons that conduct business in Florida or produce products or services that are targeted to residents of Florida

• State agency or a political subdivision of the state
• Financial institution or data subject to Title V of the GLBA
• Covered entity or business associate governed by the HIPAA
• Non-profit organization
• Postsecondary education institution

• Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
• Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
• Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, the collection of sensitive data (including precise geolocation data), the processing of sensitive data, or the collection of personal data collected through the operation of a voice recognition or facial recognition feature
• Right to Portability

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising
• Collection of sensitive data (including precise geolocation data) or the processing of sensitive data
• Collection of personal data collected through the operation of a voice recognition or facial recognition feature

• Without undue delay and within 45 days with the possibility of a 15 day extension.

• The controller must act on a consumer’s appeal within 60 days.

• Information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.

• The term does not include de-identified data or publicly available information.

• Information lawfully made available through government records, or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of or is domiciled in this state acting only in an individual or household context.
• The term does not include an individual acting in a commercial or employment context.

• “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.

• (a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf.
• (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
• (c) The disclosure of information that the consumer:
  • 1. Intentionally made available to the general public through a mass media channel; and
  • 2. Did not restrict to a specific audience.
• (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applies to a person that conducts business in Indiana or produces products or services that are targeted to consumers who are residents of Indiana.

• State or government organizations.
• Third parties under contract with a state or government organization, when acting on behalf of the entity.
• Financial institutions and affiliates, or data subject to GLBA
• Any covered entity or business associate governed by HIPAA.
• Any nonprofit organization.
• Any institution of higher education.
• Any public utility or service company affiliated with a public utility.

• Controls or processes personal data of at least 100,000 Indiana residents

OR

• Controls or processes personal data of at least 25,000 Indiana residents and derives more than 50% of gross revenue from the sale of personal data.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling, or automated decision making
• Right to Portability
• Right to Non-Discrimination
• Right to Opt-in for processing of sensitive data

• Sale of personal data
• Profiling
• Targeted Advertising
• Automated decision making

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 45 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Personal data meansinformation that is linked or reasonably linkable to an identified or identifiable individual.

• (1) de-identified data;
• (2) aggregate data; or
• (3) publicly available information

• (1) that is lawfully made available through federal, state, or local government records; or
• (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis made by a healthcare provider
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
• Personal data collected from a known child
• Precise geolocation data

• (1) is a resident of Indiana; and
• (2) is acting only for a personal, family, or household purpose

The term does not include an individual acting in a commercial or employment context.

• “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.

• (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
• (3) the disclosure or transfer of personal data to an affiliate of the controller;
• (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
• (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in Iowa or produce products or services that are targeted to Iowa residents

• State or government organizations.
• Financial institutions and affiliates, or data subject to GLBA
• Any covered entity or business associate governed by HIPAA.
• Any nonprofit organization.
• Any institution of higher education.

• Controls or processes personal data of at least 100,000 consumers.

OR

• Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out sale of personal data
• Right to Portability

• Sale of personal data

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.

• “Personal data” does not include de-identified or aggregate data or publicly available information.

• (1) that is lawfully made available through federal, state, or local government records; or
• (2) that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media; by the consumer to whom the information pertains; or by a person to whom the consumer has disclosed the information;

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis made by a healthcare provider
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual
• Personal data collected from a known child
• Precise geolocation data

• (1) is a resident of Indiana; and
• (2) is acting only for a personal,family, or householdpurpose.

The term does not include an individual acting in a commercial or employment context.

• “Sale of personal data” means the exchange of personal data for monetary consideration by a controller to a third party.

• (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; or the parent of a child
• (3) the disclosure or transfer of personal data to an affiliate of the controller;
• (4) the disclosure of information that the consumer intentionally made available to the general public and did not restrict to a specific audience; or
• (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in Montana or produce products or services that are targeted to Montana residents

• Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
• Nonprofit organization
• Institution of higher education
• National securities association that is registered under the Securities Exchange Act of 1934
• Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
• Covered entity or business associate as defined in the privacy regulations of HIPAA

• Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
• Right to Portability

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising
• Automated decision making

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

• The term does not include deidentified data or publicly available information.

• (a) is lawfully made available through federal, state, or municipal government records or widely distributed media; or
• (b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Information about a person’s sex life or sexual orientation
• Citizenship or immigration status
• Genetic or biometric data for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of this state.
• The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

• “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
• (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• (iii) the disclosure or transfer of personal data to an affiliate of the controller
• (iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• (v) the disclosure of personal data that the consumer: (A) intentionally made available to the public via a channel of mass media; and (B) did not restrict to a specific audience
• (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in Oregon or produce products or services that are targeted to Oregon residents

• Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
• Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
• An individual, firm, association, corporation, or other entity that is licensed in this state as an insurance company and transacts insurance business
• Nonprofit organization
• Institution of higher education
• Covered entity or business associate as defined in the privacy regulations of HIPAA

• The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• The personal data of 25,000 or more consumers, while deriving 25% or more of the annual gross revenue from selling personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of a decision that produces a legal or similarly significant effect, or automated decision making
• Right to Portability

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising
• Automated decision making

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

• (i) Publicly available information; or
• (ii) De-identified or aggregate consumer information

• “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
• The personal information collected from a known child
• Precise geolocation data

• (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
• (B) Does not include a natural person acting in a commercial or employment context

• “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
• (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
• (iii) The disclosure or transfer of personal information to an affiliate of the controller;
• (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
• (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applies to persons that conduct business in Tennessee producing products or services that target residents of Tennessee

• Exceed $25,000,000 in revenue;

AND

• Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information;

OR

• During a calendar year, control or process personal information of at least 175,000 consumers.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
• Right to Portability
• Right to Non-Discrimination
• Right to Opt-in for processing of sensitive data

• Sale of personal data
• Profiling
• Targeted Advertising
• Automated decision making

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 45 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Means information that is linked or reasonably linkable to an identified or identifiable natural person

• (i) Publicly available information; or
• (ii) De-identified or aggregate consumer information

• “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
• The personal information collected from a known child
• Precise geolocation data

• (A) Means a natural person who is a resident of Tennessee acting only in a personal context; and
• (B) Does not include a natural person acting in a commercial or employment context

• Means the exchange of personal information for valuablemonetary consideration by the controller to a third party

• (i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
• (ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
• (iii) The disclosure or transfer of personal information to an affiliate of the controller;
• (iv) The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
• (v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• (1) conducts business in Texas or produces a product or service consumed by residents of Texas
• (2) processes or engages in the sale of personal data;

AND

• (3) is not a small business as defined by the United States Small Business Administration, except to the extent that the small business is engaged in the sale of sensitive personal data

• State agency or subdivision
• Financial institutions and affiliates, or data subject to GLBA
• Any covered entity or business associate governed by HIPAA
• A nonprofit organization
• An institution of higher education

• The SBA defines a small business as an independent business having fewer than 500 employees

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling, automated decision making
• Right to Portability
• Right to Non-Discrimination
• Right to Opt-in for processing of sensitive data

• Sale of personal data
• Profiling
• Targeted Advertising
• Automated decision making

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
• The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.

• Does not include de-identified data or publicly available information.

• “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
• The term does not include an individual acting in a commercial or employment context.

• Means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.

• (A) the disclosure of personal data to a processor that processes the personal data on the controller ’s behalf;
• (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• (C) the disclosure or transfer of personal data to an affiliate of the controller;
• (D) the disclosure of information that the consumer intentionally made available to the general public through a mass media channel; and did not restrict to a specific audience; or the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Persons that do business in the Commonwealth of Virginia or persons who produce products or services that are targeted to residents of the Commonwealth of Virginia.

• Public sector organizations in Virginia
• Non-profit organizations
• Higher education institutions

• Processing or controlling personal data of at least 100,000 consumers annually

OR

• Processing or controlling the personal data of at least 25,000 consumers and deriving over 50% of gross revenue from selling that data.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of Targeted Advertising, Profiling, or Sale of Personal information
• Right to Appeal
• Right to Data Portability
• Right to Non-Discrimination

• Sale of personal data
• Profiling
• Targeted Advertising reasonable efforts

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• Information that is linked or reasonably linkable to an identified individual or an identifiable individual.

• “Personal data” does not include de-identified data or publicly available information.

• “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Immigration or citizenship standing
• Genetic or biometric data
• Personal data from a known child
• Precise geolocation data

• A natural person who is a resident of Virginia acting only in anindividual or household context.
• “Consumer” does not include a natural person acting in a commercial or employment context.

• The exchange of personal data for monetary consideration by the controller to a third party.

• 1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller
• 2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
• 3. The disclosure or transfer of personal data to an affiliate of the controller
• 4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience
• 5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Alabama was the 50th state to enact this type of breach notification law.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Persons that conduct business in the Delaware or persons that produce products or services that are targeted to residents of the Delaware

• Delaware state agenciesNon-profit organizations dedicated exclusively to preventing and addressing insurance crime
• Certain national securities associations
• Financial institutions subject to GLBA

• During the preceding calendar year:Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal informationRight to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Obtain a List of Categories of Third Partes to which the controller disclosed the personal information
• Right to Opt Out of Targeted Advertising, Sale of Personal information, or Automated Profiling
• Right to Appeal

• Sale of personal data
• Profiling
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.The controller must provide the consumer with a means to refer his or her concerns to the Departement of Justice.

• Information that is linked or reasonably linkable to an identified or identifiable individual.

• “Personal data” does not include de-identified data or publicly available information.

• a. Information that is lawfully made available through federal, state, or local government records.
• b. Information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis (including pregnancy)
• Sex life, sexual orientation, status as transgender or nonbinary
• Citizenship or immigration status
• Genetic or biometric data
• Personal data of a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of this State.
• “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.

• The exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.
• b. The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.
• c. The disclosure or transfer of personal data to an affiliate of the controller.
• d. The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
• e. The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.
• f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky

• City, state agency, or any political subdivision of the state
• Financial institutions and affiliates, or data subject to GLBA
• Any covered entity or business associate governed by HIPAA
• Any nonprofit organization
• Any institution of higher education
• Certain insurance fraud-related organizations
• Small telephone utility, a Tier III CMRS provider, or a municipally owned utility that does not sell or share personal data with any third-party processor

• Controls or processes personal data of at least 100,000 consumers.

OR

• Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
• Right to Portability
• Right to Non-Discrimination

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.

• Personal data does not include de-identified data or publicly available information.

• “Publicly available information” means information that lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context.
• Consumer does not include a natural person acting in a commercial or employment context.

• “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.

• (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• (c) The disclosure or transfer of personal data to an affiliate of the controller;
• (d) The disclosure of information that the consumer:
  • 1. Intentionally made available to the general public via a channel of mass media; and
  • 2. Did not restrict to a specific audience; or
• (e) The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

• Applicable to a person that conducts business in Maryland or provides products or services that are targeted to residents of Maryland

• A regulatory, administrative, advisory, executive, appointive, legislative, judicial body or instrumentality of the state including a board, bureau, commission, or unit of the state or any political subdivision of the state
• Nonprofit organization
• National securities association that is registered under the Securities Exchange Act of 1934
• Financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with the GLBA
• Covered entity or business associate as defined in the privacy regulations of HIPAA

• Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction,

OR

• Controlled or processed the personal data of at least 10,000 consumers and derived over 20% of gross revenue from the sale of personal data.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Obtain a List of Categories of Third Partes to which the controller disclosed the consumer’s personal data
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
• Right to Portability
• Right to Non-Discrimination

• Sale of personal data
• Profiling in furtherance of solely automated decisions that produces a legal or similarly significant effect
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Division.

• “Personal data” means any information that is linked or can be reasonably linked to an identified or identifiable consumer.

• “Personal data” does not include de-identified data or publicly available information.

• (I) Lawfully obtains from a record of a governmental entity;
• (II) Reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or
• (III) If the conumser has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.

• Racial or ethnic origin
• Religious beliefs
• Consumer health data
• Sex life
• Sexual orientation
• Status as transgender or nonbinary
• National origin
• Citizenship or immigration status
• Genetic or biometric data
• Personal data of a consumer that the controller knows or has reason to know is a child
• Precise geolocation data

• “Consumer” means an individual who is a resident of Maryland.
• “Consumer” does not include:
  • (I) An individual acting in a commercial or employment context
  • (II) An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.

• “Sale of personal data” means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.

• Applicable to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota

• A government entity
• Nonprofit organizations established to detect and prevent insurance fraud
• A federally recognized Indian tribe
• Certain kinds of banks, credit unions, or insurance companies
• Small businesses as defined by the US Small Business Administration regulations
• Air carriers under the Airline Deregulation Act
• Protected health information governed by HIPAA, financial data regulated by the GLBA, consumer credit-reporting data, and data covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Education Rights and Privacy Act, the Farm Credit Act, and the Minnesota Insurance Fair Information Reporting Act
• Data for the purposes of job applications or employment, data necessary to administer benefits, as well as data processed or maintained for emergency contact purposes

• Controls or processes the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Obtain a List of Specific Third Partes to which the controller disclosed the consumer’s personal data
• Right to Opt Out of targeted advertising, sale of personal data, profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer
• Right to Question the Results of a Controller’s Profiling, to be informed of the reason that the profiling resulted in the decision, and to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future, to review the consumer’s personal data used in the profiling, and to have the data corrected and the profiling decision reevaluated based upon the corrected data.
• Right to Portability
• Right to Non-Discrimination

• Sale of personal data
• Profiling in furtherance of automated decisions that produces a legal or similarly significant effect
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 45 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person.

• “Personal data” does not include deidentified data or publicly available information.

• (1) is lawfully made available from federal, state, or local government records or widely distributed media, or
• (2) a controller has a reasonable basis to believe has lawfully been made available to the general public

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data
• Personal data of a known child
• Specific geolocation data

• “Consumer” means a natural person who is a Minnesota resident acting only in an individual or household context.
• “Consumer” does not include a natural person acting in a commercial or employment context.

• “Sale,” “sell,” or “sold” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
• (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• (3) the disclosure or transfer of personal data to an affiliate of the controller;
• (4) the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
• (5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
• (6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer’s agents.

• Applicable to persons that conduct business in Nebraska or produce products or services that are consumed by Nebraska residents

• State agency or political subdivision of this state
• Nonprofit organization
• Institution of higher education
• National securities association that is registered under the Securities Exchange Act of 1934
• Financial institution, affiliate of a financial institution, or data subject to Title V of the GLBA
• Covered entity or business associate governed by the privacy, security, and breach notification rules of regulations of HIPAA
• Electric supplier
• Natural gas public utility
• Natural gas utility owned or operated by a city or metropolitan utilities district

• Processes or engages in the sale of personal data

AND

• Is not a small business as determined under the federal Small Business Act

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of a decision that produces a legal or similarly significant effect
• Right to Portability
• Right to Non-Discrimination

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with the online mechanism through which to contact the Attorney General.

• “Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.

• The term does not include deidentified data or publicly available information.

• “Publicly available information” means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of this state acting only in an individual or household context.
• Consumer does not include an individual acting in a commercial or employment context.

• “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller
• (ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• (iii) the disclosure or transfer of personal data to an affiliate of the controller
• (iv) the disclosure of information that the consumer:
  • (A) Intentionally made available to the public through a mass media channel; and
  • (B) Did not restrict to a specific audience
• (v) the disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller’s assets that is part of a proposed or actual:
  • (A) Merger;
  • (B) Acquisition;
  • (C) Bankruptcy; or
  • (D) Other Transaction

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents

• Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
• Nonprofit organization
• Institution of higher education
• National securities association that is registered under the Securities Exchange Act of 1934
• Financial institution or data subject to Title V of the GLBA
• Covered entity or business associate as defined in the privacy regulations of HIPAA

• (a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• (b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect
• Right to Portability

• Sale of personal data
• Profiling in furtherance of a decision that produces a legal or similarly significant effect
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

• “Personal data” does not include de-identified data or publicly available information.

• “Publicly available information” means information that is lawfully made available through federal, state, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sex life or sexual orientation
• Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
• The personal information collected from a known child
• Precise geolocation data

• “Consumer” means an individual who is a resident of this state.
• “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.

• “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller
• (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
• (c) The disclosure or transfer of personal data to an affiliate of the controller
• (d) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• (e) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience
• (f) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Applicable to persons that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents

• Some insurance institutions
• Some secondary market institutions
• Financial institution or an affiliate of a financial institution this is subject to the GLBA
• Covered entity or business associate as defined in the privacy regulations of HIPAA

• Control or process the personal data of not less than 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction

OR

• Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Targeted Advertising, sale of personal information, or automated profiling
• Right to Appeal

• Sale of personal data
• Profiling
• Targeted advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 45 days.
• The controller must provide the consumer with a means to contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable person.

• The term does not include deidentified data or publicly available information.

• “Publicly available information” means information that is lawfully made available from federal, State, or local government records, or widely-distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition, treatment, or diagnosis
• Financial information which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account
• Sex life or sexual orientation
• Citizenship or immigration status
• Status as transgender or non-binary
• Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
• Personal data collected from a known child
• Precise geolocation data

• “Consumer” means an identified person who is a resident of this State acting only in an individual or household context.
• “Consumer” shall not include a person acting in a commercial or employment context.

• “Sale” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.

• The disclosure of personal data to a processor that processes the personal data on the controller’s behalf
• The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• The disclosure or transfer of personal data to an affiliate of the controller
• The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
• The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Together, they create the foundation for the New Jersey Disclosure and Accountability Transparency Act (NJ DATA), which now sits in the Senate Commerce Committee.

It describes requirements for disclosing and processing personally identifiable information and would establish an Office of Data Protection and Responsible Use in the Division of Consumer Affairs.

• Applicable to for-profit entities that conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents

• • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state
• • Nonprofit organization
• • Institution of higher education
• • National securities association that is registered under the Securities Exchange Act of 1934
• • Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act
• • Covered entity or business associate as defined in the privacy regulations of HIPAA

• • The personal data of 35,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction

OR

• • The personal data of 10,000 or more consumers and derived more than 25% of gross revenue from the sale of personal data

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Correct
• Right to Delete
• Right to Opt Out of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decision that produce a legal or similarly significant effects
• Right to Portability
• Right to Non-Discrimination
• Right to Opt-in for processing of sensitive data

• Sale of personal data
• Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effects
• Targeted Advertising

• Without undue delay and within 45 days with the possibility of a 45 day extension.

• The controller must act on a consumer’s appeal within 60 days.
• The controller must provide the consumer with a means to refer his or her concerns to the Attorney General.

• “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

• “Personal data” does not include deidentified data or publicly available information.

• “Publicly available information” means information that is lawfully made available through federal, state or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnosis
• Sex life or sexual orientation
• Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying an individual
• The personal data collected from a known child
• Precise geolocation data

• “Customer” means an individual residing in this state acting in an individual or household context.
• “Customer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.

• “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

• (i) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
• (ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the customer;
• (iii) The disclosure or transfer of personal data to an affiliate of the controller;
• (iv) The disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• (iv) The disclosure of personal data that the customer intentionally made available to the general public via a channel of mass media; and did not restrict to a specific audience; or
• (v) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

• Yes – Privacy Policy Generator
• Yes – Consent Management Platform

• Any controller or processor who conducts business in Utah or produces a product or service that is targeted to consumers who are residents of Utah.

• Government organizations
• Third parties under contract with a government organization
• Tribes
• Higher education institutions
• Non-profit organizations
• Covered entities and business associates under HIPAA
• Consumer reporting agencies
• Air carriers

• Annually, controls or processes personal data of 100,000 or more consumers
• Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

• Right to Know if a controller is processing the consumer’s personal information
• Right to Access
• Right to Delete
• Right to Data Portability
• Right to Opt Out of Processing of Personal information for purposes of Target Advertising or Sale of Personal information
• Right to Non-Discrimination

• Sale of personal dataTargeted Advertising (doesn’t include the data gathered from your website, form/ticket)

• 45 days with the possibility of a 45 day extension.

• Information that is linked or reasonably linkable to an identified individual or an identifiable individual.

• “Personal data” does not include de-identified data, aggregated data, or publicly available information.

• Publicly available information” means information that a person (a) lawfully obtains from a record of a governmental entity (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.

• Racial or ethnic origin
• Religious beliefs
• Sexual orientation
• Citizenship or immigration status
• Medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional
• Genetic personal data
• Biometric data, if the processing is for the purpose of identifying a specific individual
• Specific geolocation data

• “Sensitive data” does not include personal data that reveals an individual’s racial or ethnic origin when processed by a video communication service or certain medical data processed by licensed healthcare providers.

• An individual who is a resident of the state acting in an individual or household context.”Consumer” does not include an individual acting in an employment or commercial context.

• The exchange of personal data for monetary consideration by a controller to a third party.

• (i) a controller’s disclosure of personal data to a processor who processes the personal data on behalf of the controller;
• (ii) a controller’s disclosure of personal data to an affiliate of the controller
• (iii) considering the context in which the consumer provided the personal data to the controller, a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations
• (iv) the disclosure or transfer of personal data when a consumer directs a controller to (A) disclose the personal data; or (B) interact with one or more third parties
• (v) a consumer’s disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child
• (vi) the disclosure of information that the consumer (A) intentionally makes available to the general public via a channel of mass media; and (B) does not restrict to a specific audience
• (vii) a controller’s transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller’s assets