Share:
Last Updated: December 31, 2023
Privacy law passed state legislature, signature pending
Privacy law coming into effect
Privacy law in effect
Privacy Laws
U.S. State
Click on each state for
more details.
California
The California Privacy Rights Act (CPRA) expanded and amended the California Consumer Privacy Act (CCPA) granting employees and business contacts in addition to consumers, rights over their personal information. Companies doing business with California residents must honor these rights and align to a number of obligation intended to protection individuals’ personal data. As of July 1, 2023, enforcement is through the newly created California Privacy Protection Agency (CPPA).
CPRA carries maximum fines of $7,500 per intentional or $2,500 per unintentional violation, and $7,500 for violation of the privacy rights of minors, and tightened expectations on organizations by removing the 30-day window businesses had to correct the situation before the Attorney General could take action.
California was the first U.S. state to pass comprehensive consumer privacy rights legislation.
California Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: In Effect
Effective Date: January 1, 2023
Right to Access
Right to Correction
Right to Deletion
Right to Data Portability
Automated Decision Making
Opt-out of Processing – Sensitive Data (only)
PRoA - Limited to Certain Violations
Colorado
Related Resource
The Colorado Privacy Act (CPA) was the third state to enact comprehensive consumer privacy legislation. The CPA's personal data definition is broad, including any information linked or reasonably linked to an identified or identifiable individual, excluding de-identified or publicly available information as defined.
Alongside typical expectations seen in similar state laws, covered businesses must implement and maintain reasonable administrative, technical, and physical safeguards, and must establish technical specifications of a user-selected universal opt-out mechanism by July 1, 2024.
The CPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until January 1, 2025.
Download the Infographic “A Guide to Changing Consumer Privacy Regulations within the United States”
Colorado Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: In Effect
Effective Date: July 1, 2023
Connecticut
Related Resource
The Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is similar to the four states (CA, VA, CO, UT) that passed comprehensive consumer privacy legislation before it, but differs is significant ways. The CTDPA does not have an overriding revenue threshold like CPRA, and narrows its scope by carving out data that is collected solely for payment transactions.
Similar to Colorado and California, Connecticut defines the "sale of personal data" to include "the exchange of personal data for monetary or other valuable consideration" to a third party, which is a broader definition compared to Utah and Virginia. Also broader than Utah or Virginia, Connecticut consumers may "obtain a copy of the Consumer's perosnal data processed by the Controller" without limit to only their "previously provided" personal data.
Like Colorado, the CTDPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until January 1, 2025.
Download the Infographic “A Guide to Changing Consumer Privacy Regulations within the United States”
Connecticut Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: In Effect
Effective Date: July 1, 2023
Delaware
Related Resource
Delaware's Personal Data Privacy Act (HB154) makes them the twelfth state to enact comprehensive consumer privacy legislation. The DPDPA is closely aligned to Connecticut and will provide rights to consumers and prohibit processing sensitive personal data without consent. Similar to Montana, the DPDPA lowers the typical 100,000 consumer threshold to just 35,000, which is just under 3.5% of the state's population.
The DPDPA incorporates privacy by design principles such as purpose limitation and reasonable data security practices, as well as compliance with universal opt-out mechanisms.
Like Colorado and Connecticut, the DPDPA provides businesses a 60-day window to correct a violation, but this cure period is only in effect until December 31, 2025.
The requirements of the DPDPA are in addition to requirements outlined by the existing, less stringent Delaware Online Privacy and Protection Act (DelOPPA).
Download the Infographic “Your Guide to Changing US Consumer Privacy Laws in 2023”
Delaware Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: January 1, 2025
Indiana
Related Resources
Lucky number seven to pass comprehensive consumer privacy legislation, Indiana's Consumer Data Privacy Act (ICDPA) is closely aligned to Virginia's CDPA, but like Connecticut, does not have a revenue threshold for businesses.
The IDPL gives businesses an option to streamline responses to consumer requests by providing a representative summary of a consumer's personal data in lieu of the data itself. Certain activities such as targeted advertising, sale of data, profiling, and processing of sensitive data require a data protection impact assessment, but assessments prepared for compliance with other laws may be considered sufficient.
While the ICDPA is closely aligned to existing states' requirements and businesses who have taken steps to comply with those should be well positioned for Indiana's law to take effect, the Indiana Attorney General is quite active in the area of privacy enforcement, so businesses processing consumer personal data should take this time to ensure preparedness.
Visit the Blog Post "Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws"
Indiana Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: January 1, 2026
Iowa
Related Resource
Lucky number seven to pass comprehensive consumer privacy legislation, Indiana's Consumer Data Privacy Act (ICDPA) is closely aligned to Virginia's CDPA, but like Connecticut, does not have a revenue threshold for businesses.
The IDPL gives businesses an option to streamline responses to consumer requests by providing a representative summary of a consumer's personal data in lieu of the data itself. Certain activities such as targeted advertising, sale of data, profiling, and processing of sensitive data require a data protection impact assessment, but assessments prepared for compliance with other laws may be considered sufficient.
While the ICDPA is closely aligned to existing states' requirements and businesses who have taken steps to comply with those should be well positioned for Indiana's law to take effect, the Indiana Attorney General is quite active in the area of privacy enforcement, so businesses processing consumer personal data should take this time to ensure preparedness.
Visit the Blog Post "Iowa Enacts Comprehensive Privacy Legislation"
Iowa Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: January 1, 2025
Montana
Related Resources
The ninth comprehensive privacy state law to be passed, the Montana Consumer Data Privacy Act (MTCDPA), aligns closely to Connecticut's Data Privacy Act (CTDPA) in several ways. MTCDPA requires businesses to recognize universal mechanisms for opt out of sale of personal data and to opt out of targeted advertising, and permits deletion of all personal data a business has about them (not just deletion of information the business has collected directly). Also aligned to CTDPA, as well as California's CPRA, businesses may not sell data of 13 - 16 year olds without consent for the purposes of targeted advertising.
The MTCDPA has the second lowest threshold for applicability so far at 50,000 state residents or 25,000 with >25% of revenue from sale of data, which makes sense considering Montana is the least populous state. 50,000 is nearly 9% of the total population, whereas the 100,000 threshold applicable to the most populous state, California, is merely 0.25% of the state's population.
Visit the Blog Post "Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws"
Montana Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: October 1, 2024
Visit the Blog Post "Privacy Bracketology"
Oregon
Related Resource
With the passing of Senate Bill 619, Oregon is the 11th overall and sixth state in 2023 to pass a comprehensive consumer privacy law. The Bill lacks the broad exemptions of most other state laws such as HIPAA covered entities and business associates, nor, like Colorado, does it exempt non-profits.
Uniquely, the Oregon Bill has a broad definition of sensitive data that includes transgender or non-binary status. Like CA, CO, CT and MT, controllers that sell personal data or use personal data for targeted advertising must respond to universal opt-out signals.
For the first 6 months, there will be a 30 day cure period, terminating January 1, 2025. Private right of action is provided after January 1, 2026.
Oregon Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: July 1, 2024
Visit the Blog Post "Privacy Bracketology"
Tennessee
Related Resources
Tennessee's Information Protection Act (TIPA) is foundationally the most similar to Virginia, Utah and Iowa compared to the seven other states that have passed similar comprehensive consumer privacy laws. This is highlighted in the defined criteria for what constitutes sales of personal data that require opt-in consent and a 60 day cure period which does not expire. Notably, the TIPA raised the typical 100,000 consumer threshold to 175,000, which is approximately 2.5% of the state's population.
Unique to TIPA is the safe harbor allowing companies to defend themselves against claims of violations by pointing to a written privacy program aligned to the National Institute of Standards and Practices (NIST) Privacy Framework. TIPA does not provide for private right of action penalties of $7,500 per violation.
Tennessee Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: July 1, 2025
Visit the Blog Post "Privacy Bracketology"
Visit the Blog Post "Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws"
Texas
Related Resources
Texas has become the tenth state overall, and fifth in 2023, to enact a comprehensive consumer privacy law. Modeled after Virginia with aspects that align well to California, the Texas Data Privacy & Security Act (TDPSA) does not contain dollar thresholds, but rather includes businesses operating in Texas or whose products or services are consumed by Texans, processing consumer personal data of Texans, and who are NOT a "small business" as defined by the U.S. Small Business Administration. Uniquely, this extends applicability to companies whose products or services are merely used by Texas residents, even if Texas residents are not necessarily a targeted audience.
Texas is the first state since California to require "two or more" methods for individuals to submit requests to exercise their rights over their personal data unless, as in California, they operate only online, then an email address to submit requests to is the minimum required option.
Confusingly, TDPSA allows for individuals to use opt-out preference signals, but does not obligate businesses to comply if they do not possess the ability to process the request.
Stay tuned as Optiv looks closer at this unique law with a deep-dive blog coming soon!
Texas Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: July 1, 2024
Visit the Blog Post "Deep Dive: The Texas Data Privacy and Security Act"
Visit the Blog Post "Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws"
Utah
Related Resources
The fourth comprehensive state privacy bill to be signed, the Utah Consumer Privacy Act (UCPA) uses similar definitions and provisions as Virginia and Colorado but includes an exemption where "sensitive data" does not include information that reveals racial or ethnic origin when processed by a video communication service (undefined).
Further, the UCPA does not require businesses controlling the collection and processing of personal data to obtain opt-in consent to collect and process sensitive data, but individuals must receive a clear privacy notice and an opportunity to opt-out of processing.
UCPA includes a 30 day cure period, no private right of action, penalties up to $7,500 per violation, and preempts any other state and local privacy laws.
Utah Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: In Effect
Effective Date: December 31, 2023
Visit the Blog Post "Bi-Partisan U.S. Federal Privacy Bill Gains Momentum"
Download the infographic
A Guide to Changing Consumer Privacy Regulations within the United States"
Virginia
Related Resource
The second comprehensive privacy law in the country, Virginia's Consumer Data Privacy Act (VCDPA) contain similar scope and rights as California, with significant differences. There is no revenue threshold - businesses are subject to the requirements if they conduct business in Virginia, produces products or services targeted at Virginia residents, and control or process data of > 100,000 consumers or >25,000 consumers with >50% of gross revenue from selling personal data.
Virginia is the first state to require opt-in consent before businesses process sensitive personal data, similar to the European Union's General Data Protection Regulations (GDPR).
Both California and Virginia require clear privacy notices, though VCDPA does not include the annual update requirement. While VCDPA also allows for fines up to $7,500 per violoation, there is no private right of action.
Download the Infographic “A Guide to Changing Consumer Privacy Regulations within the United States”
Virginia Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: In Effect
Effective Date: January 1, 2023
Florida
Florida's Digital Bill of Rights is not a comprehensive approach like the other states profiled here. Florida has narrowly defined the businesses subject to the requirements to include those that operate in Florida, collect personal data, make in excess of $1B annual revenue and meets one or more of the following criteria:
Florida Privacy Rights - Hover Over Each for a Detailed Explanation
Law Status: Signed
Effective Date: July 1, 2024
>50% global revenue from online advertising
Operates a consumer smart speaker and voice command component service..., or
...operates an app store with at least 250k offerings.
There are strict requirements for establishing consumer consent which go beyond acceptance of general terms of use or a privacy notice. Consent must be specific, informed, and unambiguous and may not utilize "dark patterns".
The Florida AG will carry enforcement authority with provisions for penalties up to $50,000 per violation, or $150,000 in case of violations involving minors.
Related Resource
Visit the Blog Post "Privacy Bracketology"
Related Resources
Download the Infographic “A Guide to Changing Consumer Privacy Regulations within the United States”
View the blog post "California Consumer Privacy Act ....It’s Here"
Visit the Blog Post "Privacy Bracketology"
Opt-out of Sale
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement.
Right to request a business stop processing your sensitive personal information.
The ability of a private citizen to legally enforce their rights upon other people or organizations.
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Automated Decision Making – Limited to Certain Conditions
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement.
Automated Decision Making
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-out of Processing – Sensitive Data (only)
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information.
Opt-out of Processing is actually Opt-IN
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement.
Opt-out for Automated Decision Making – Limited
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to request a business stop processing your personal information.
PRoA - Limited to Certain Violations
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement.
Opt-out of Automated Decision Making
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Automated Decision Making – Limited to Certain Conditions
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Target Advertising
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Automated Decision Making – Limited to Certain Conditions
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Automated Decision Making – Limited to Certain Conditions
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Opt-out of Automated Decision Making – Limited
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Target Advertising
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information.
Opt-in for Sensitive Data Processing
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Opt-out of Automated Decision Making – Limited
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request pieces of your personal data be transmitted to another recipient in an easy-to-understand format and a commonly used, machine-readable format.
Right to Data Portability
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing – Profiling/Targeted Advertising
Also referred to as the “right to know”, this is the right to be informed about what personal information an organization collects about you, the purpose for which it is collected, and the third parties with which it is shared.
Right to Access
Also referred to as the “right to rectification”, this is the right to request a business correct or update inaccurate personal information they maintain about you.
Right to Correction
Also referred to as the “right to erasure” or “right to be forgotten”, this is the right to request deletion of personal information a business has collected from you. The business must also inform service providers of your request. (Note: there are exceptions, as a business may be legally required to keep your information, such as information related to completing a transaction)
Right to Deletion
The requirement for an entity to receive and document up front, specific permission to process sensitive data for specified purposes.
Opt-in for Sensitive Data Processing
Right to deny an organization the ability to sell your personal data. California’s CPRA expands this to include “sharing” as well.
Opt-out of Sale
Right to request a business stop processing your personal information for the purposes of profiling and targeted advertising.
Opt-out of Processing
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Opt-out of Automated Decision Making – Limited
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Opt-out of Automated Decision Making – Limited
Related Resources
Visit the Blog Post "Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws"
Visit the Blog Post "Privacy Bracketology"
This experience is best viewed on a Desktop device.
Go to Optiv.com
Right to opt-out or exclude yourself from automated data processing or decision making without human involvement, limited to certain circumstances detailed in law or regulation.
Opt-out of Automated Decision Making – Limited