Identity, scope, and contact
The policy should give consumers a working way to reach the business behind it — the comprehensive-act notice must carry an active email address or other online mechanism the consumer can use to contact the controller. A policy that offers no reachable contact point fails the most basic disclosure test before any substantive question is reached.
The policy should carry an effective date. It is a fixed element of the website-operator notice and the anchor for the change-notification and refresh items below — without it, a reader cannot tell which version of the policy governs.
Sources for this section
Primary law
A.2 NRS 603A.340: An operator must make available an accessible notice with five fixed elements: categories of covered information collected and categories of third parties it may be shared with, any review-and-change process, the material-change notification process, third-party cross-site collection, and the effective date.
Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice.
See NRS 603A.340(1).
Primary law
A.1 N.J.S.A. 56:8-166.6: A controller's privacy notice must include an active electronic mail address or other online mechanism the consumer may use to contact the controller.
(7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
See N.J.S.A. 56:8-166.6(a)(7).
Data collection and use disclosures
The policy should list the categories of personal data the business processes, calling out any sensitive-data categories separately. The comprehensive-act notice lists open with exactly this element, so an omission here is a substantive gap, not a stylistic one.
The policy should state the purposes for which it processes personal data. The purpose statement sits alongside the data categories in the statutory notice list, and a vague or missing purpose is the disclosure most often challenged as inadequate.
The policy should list the categories of personal data shared with third parties and describe the categories of recipients at a level of detail that lets a consumer understand what type of entity each one is. A bare statement that data may be shared with partners does not meet this bar.
Sources for this section
Primary law
B.1 Tex. Bus. & Com. Code § 541.102: A controller must provide a reasonably accessible and clear privacy notice that begins with the categories of personal data processed, including any sensitive data, and the purpose for processing.
A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) the purpose for processing personal data;
See Tex. Bus. & Com. Code § 541.102(a).
Primary law · 2023-07-01
B.2 Or. Rev. Stat. § 646A.578: The privacy notice must also explain how consumers exercise and appeal their rights, list all categories of personal data shared with third parties, and describe the categories of recipient third parties at a level of detail that lets the consumer understand what type of entity each one is.
(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
See Or. Rev. Stat. § 646A.578(4).
Consumer rights and request handling
When a comprehensive state privacy act covers the business, the policy should describe the rights that act grants consumers — to confirm processing and access the data, to correct inaccuracies, to delete personal data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling that drives significant decisions. The catalog is consistent across the acts, with some states adding opt-outs for sensitive-data collection and for voice- and facial-recognition features, so confirm the governing state's list before signing off on the rights section.
The policy should describe how a consumer exercises each disclosed right and give the request channel. The notice lists pair the rights catalog with the mechanics for using it, so a rights section that names the rights but not the route to use them is incomplete.
The policy should state the response timeline — a response without undue delay and no later than the statutory window, extendable once with in-window notice and a reason. Many states set an initial 45-day window; the cited Florida act allows a single 15-day extension, while several other states allow a longer (often 45-day) extension, so confirm the governing state's clock.
The policy should describe a conspicuously available process to appeal a refused request, answered in writing with reasons within the statutory window. A refusal is not the end of the road, and an appeal route that is missing or buried is itself a compliance gap.
Sources for this section
Primary law
C.1 Fla. Stat. § 501.705(2): A controller must honor authenticated requests for confirmation and access, correction, deletion, and portability, plus opt-outs from targeted advertising, sale, significant-effect profiling, sensitive-data collection or processing, and collection via voice- or facial-recognition features.
(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
See Fla. Stat. § 501.705(2).
Primary law · 2023-07-01
C.2 Or. Rev. Stat. § 646A.578: The privacy notice must also explain how consumers exercise and appeal their rights, list all categories of personal data shared with third parties, and describe the categories of recipient third parties at a level of detail that lets the consumer understand what type of entity each one is.
(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;
See Or. Rev. Stat. § 646A.578(4).
Primary law
C.3 Fla. Stat. § 501.706(2): A controller must respond to a consumer request within 45 days and may extend the period once by an additional 15 days, with in-window notice of the extension and its reason.
(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.
See Fla. Stat. § 501.706(2).
Primary law
C.4 Fla. Stat. § 501.707: A controller must establish a conspicuously available appeal process for refused requests and answer the appeal in writing, with reasons, within 60 days.
(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under s. 501.706(3). (2) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.
See Fla. Stat. § 501.707.
Sale, targeted advertising, and opt-out signals
When a state privacy regime covers the business and it sells personal data or processes it for targeted advertising, the policy should clearly and conspicuously disclose that activity and how the consumer opts out. This gate is not comprehensive-act-only: a covered website operator or commercial site can owe the disclosure under a limited-scope regime too.
When the business profiles consumers to make decisions that carry legal or similarly significant effects, the policy should disclose the right to opt out of that profiling.
When the governing comprehensive act requires a universal opt-out mechanism, the policy should state that it treats a user-selected signal — such as Global Privacy Control — as a valid opt-out from targeted advertising and the sale of personal data. A growing minority of states makes honoring the signal mandatory, and the duty attaches to what the site actually does, not just to what the policy says.
Sources for this section
Primary law · 2025-01-01
D.1 Iowa Code § 715D.4: A controller that sells personal data or engages in targeted advertising must clearly and conspicuously disclose that activity and how a consumer may opt out.
If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.
See Iowa Code § 715D.4(6).
Primary law
D.2 Fla. Stat. § 501.705(2): A controller must honor authenticated requests for confirmation and access, correction, deletion, and portability, plus opt-outs from targeted advertising, sale, significant-effect profiling, sensitive-data collection or processing, and collection via voice- or facial-recognition features.
(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
See Fla. Stat. § 501.705(2).
Primary law
D.3 Colo. Rev. Stat. § 6-1-1306: Since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must allow consumers to opt out through a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications.
a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.
See Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).
Sensitive-data consent
When a state privacy regime covers the business and it processes sensitive data, it must satisfy the governing state's sensitive-data rule before processing. Opt-in affirmative consent is the rule in most states and the strict baseline a multistate policy should adopt; a few states, such as Iowa, instead require clear notice and an opt-out. Where consent governs, it is captured by an affirmative flow, not implied by a paragraph in the policy.
When the business has known child users — a child under 13, as COPPA defines the term — it must handle that child's data in accordance with COPPA, as the comprehensive acts incorporate. This is a federal duty, tied to online collection by covered operators, independent of any state coverage flag, and it is narrower than the separate minor-user duties some states impose for teens.
Sources for this section
Primary law
E.2 Tex. Bus. & Com. Code § 541.101: A controller may not process a consumer's sensitive data without consent, and must handle a known child's data in accordance with COPPA.
process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).
See Tex. Bus. & Com. Code § 541.101(b)(4).
Primary law · 2025-01-01
E.1 Iowa Code § 715D.4: A controller may process sensitive data only after presenting the consumer with clear notice and an opportunity to opt out, and must handle a known child's data in accordance with COPPA. Iowa uses notice-and-opt-out, not opt-in consent.
A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.
See Iowa Code § 715D.4(2).
Maintenance and accuracy
The policy should be reviewed and updated, and should carry a current effective or last-updated date, because laws such as the CCPA require a business to update its disclosures at least once every 12 months. A stale policy that no longer matches practice is both a contents gap and an accuracy exposure.
The policy should describe how the business notifies consumers of material changes to it. This is a fixed element of the website-operator notice.
The policy must accurately describe the business's actual data practices, and the business must follow the practices it describes. A policy that misstates actual practice is an unfair or deceptive act under FTC Act Section 5, and state consumer-protection (UDAP) statutes commonly reach the same conduct — in several states through a private right of action. This is the floor that makes every controls-promising disclosure above enforceable.
Sources for this section
Primary law
F.1 Cal. Civ. Code § 1798.130: A business must disclose the CCPA-required information in its online privacy policy, or on its website if it maintains no policy, and update that information at least once every 12 months.
Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:
See Cal. Civ. Code § 1798.130(a)(5).
Primary law
F.2 NRS 603A.340: An operator must make available an accessible notice with five fixed elements: categories of covered information collected and categories of third parties it may be shared with, any review-and-change process, the material-change notification process, third-party cross-site collection, and the effective date.
Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice.
See NRS 603A.340(1).
Primary law
F.3 FTC Act § 5: Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Data-type and status modules (conditional)
When the Texas Data Privacy and Security Act covers the business and it sells sensitive personal data, the policy must include the fixed statutory notice Texas prescribes word for word. Because the governing act prescribes exact language, copy the notice verbatim rather than paraphrasing it; other states scope their sensitive-data-sale disclosures differently.
When the business possesses biometric identifiers, it must maintain a written, publicly available policy with a retention schedule and destruction guidelines — destroying biometric data when the collection purpose is satisfied or within three years of the last interaction, whichever comes first.
Before collecting a biometric identifier, the business must give written notice of the collection, its specific purpose, and its retention term, and obtain a written release. This is a pre-collection flow, not a policy paragraph.
When the business collects consumer health data, it must maintain a dedicated consumer-health-data privacy policy disclosing the statutory elements, including the list of third-party categories and specific affiliates receiving the data.
The business must not collect consumer health data except with consent for a specified purpose, or to the extent necessary to provide a product or service the consumer requested. This is a consent-before-collection gate.
When the business is a covered website operator, the policy should make available the five-element accessible notice: categories of covered information and of third-party recipients, the review-and-change process if any, the material-change notification process, third-party cross-site collection, and the effective date.
When the business directs services to, or has actual knowledge of, minor users, the policy should provide the applicable states' minors'-disclosure duties. These components activate on staggered effective dates, so confirm the precise per-state contents and timing in the governing states' notes before drafting this section.
When the business is a data broker — it knowingly sells or licenses to third parties the brokered personal information of consumers with whom it has no direct relationship — the policy should disclose its opt-out practices: the method to request an opt-out, which activities or sales it covers, and whether a third party may exercise it, consistent with the broker's registration filing.
A data broker must register annually with the governing state — in Vermont, with the Secretary of State by January 31, paying the fee and providing the prescribed disclosures. This is a conduct duty that lives outside the policy's four corners; California, Texas, and Oregon impose parallel broker registration, detailed in the per-state notes.
Sources for this section
Primary law
G.1 Tex. Bus. & Com. Code § 541.102(b): A controller that sells sensitive personal data must include a fixed statutory notice to that effect in its privacy notice.
If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice: "NOTICE: We may sell your sensitive personal data."
See Tex. Bus. & Com. Code § 541.102(b).
Primary law · 2008-10-03
G.2 740 ILCS 14/15(a): A private entity in possession of biometric data must develop a written, publicly available policy establishing a retention schedule and destruction guidelines, with destruction when the collection purpose is satisfied or within 3 years of the individual's last interaction, whichever occurs first.
A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.
See 740 ILCS 14/15(a).
Primary law · 2008-10-03
G.3 740 ILCS 14/15(b): Before obtaining biometric data, a private entity must first give written notice that the data is being collected or stored, give written notice of the specific purpose and length of term of the collection, and receive a written release from the subject.
No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
See 740 ILCS 14/15(b).
Primary law
G.4 RCW 19.373.020(1)(a): Beginning March 31, 2024, a regulated entity and a small business must maintain a consumer health data privacy policy that clearly and conspicuously discloses five fixed elements, including a list of the categories of third parties and the specific affiliates receiving the data.
beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040
See Wash. Rev. Code § 19.373.020(1)(a).
Primary law
G.5 RCW 19.373.030(1)(a): A business may not collect consumer health data except with consent for a specified purpose or to the extent necessary to provide a product or service the consumer requested.
beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.
See Wash. Rev. Code § 19.373.030(1)(a).
Primary law
G.6 NRS 603A.340: An operator must make available an accessible notice with five fixed elements: categories of covered information collected and categories of third parties it may be shared with, any review-and-change process, the material-change notification process, third-party cross-site collection, and the effective date.
Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice.
See NRS 603A.340(1).
Primary law
G.7 9 V.S.A. § 2430: A data broker is a business that knowingly collects and sells or licenses to third parties the brokered personal information of consumers with whom it has no direct relationship.
“Data broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
See 9 V.S.A. § 2430(4)(A).
Primary law
G.8 9 V.S.A. § 2446: A data broker's annual registration must disclose whether it permits consumer opt-outs, the method for requesting one, the activities it covers, and whether a third-party agent may exercise it.
if the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data: (i) the method for requesting an opt-out; (ii) if the opt-out applies to only certain activities or sales, which ones; and (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer’s behalf;
See 9 V.S.A. § 2446(a)(3)(B).
Primary law
G.9 9 V.S.A. § 2446: A data broker must register with the Secretary of State annually by January 31, pay a $100 fee, and disclose its addresses, opt-out practices, and other prescribed information.
Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall: (1) register with the Secretary of State; (2) pay a registration fee of $100.00; and (3) provide the following information: (A) the name and primary physical, e-mail, and Internet addresses of the data broker;
See 9 V.S.A. § 2446(a).