# Privacy Policy Review Checklist[^about] A clause-by-clause reviewer checklist for privacy policies covering business identification, data disclosures, consumer rights, opt-outs, consent, and maintenance. ## Identity, scope, and contact {#identity-scope-and-contact} - [ ] **Business identified with a contact method** (Recommended) — The policy should give consumers a working way to reach the business behind it — the comprehensive-act notice must carry an active email address or other online mechanism the consumer can use to contact the controller. A policy that offers no reachable contact point fails the most basic disclosure test before any substantive question is reached. [^nj-notice-contact] [#identify-business] - [ ] **Effective date stated** (Recommended) — The policy should carry an effective date. It is a fixed element of the website-operator notice and the anchor for the change-notification and refresh items below — without it, a reader cannot tell which version of the policy governs. [^nv-operator-notice] [#state-effective-date] ## Data collection and use disclosures {#data-collection-and-use-disclosures} - [ ] **Categories of data collected** (Recommended) — The policy should list the categories of personal data the business processes, calling out any sensitive-data categories separately. The comprehensive-act notice lists open with exactly this element, so an omission here is a substantive gap, not a stylistic one. [^tx-tdpsa-notice-contents-2] [#disclose-personal-data-categories] - [ ] **Why the data is used** (Recommended) — The policy should state the purposes for which it processes personal data. The purpose statement sits alongside the data categories in the statutory notice list, and a vague or missing purpose is the disclosure most often challenged as inadequate. [^tx-tdpsa-notice-contents-2] [#disclose-processing-purposes] - [ ] **Who the data is shared with** (Recommended) — The policy should list the categories of personal data shared with third parties and describe the categories of recipients at a level of detail that lets a consumer understand what type of entity each one is. A bare statement that data may be shared with partners does not meet this bar. [^or-ocpa-notice-detail] [#describe-third-party-recipients] ## Consumer rights and request handling {#consumer-rights-and-request-handling} - [ ] **Rights catalog disclosed** (Recommended) — When a comprehensive state privacy act covers the business, the policy should describe the rights that act grants consumers — to confirm processing and access the data, to correct inaccuracies, to delete personal data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling that drives significant decisions. The catalog is consistent across the acts, with some states adding opt-outs for sensitive-data collection and for voice- and facial-recognition features, so confirm the governing state's list before signing off on the rights section. [^fl-fdbr-rights] [#disclose-rights-catalog] - [ ] **How to submit a rights request** (Recommended) — The policy should describe how a consumer exercises each disclosed right and give the request channel. The notice lists pair the rights catalog with the mechanics for using it, so a rights section that names the rights but not the route to use them is incomplete. [^or-ocpa-notice-detail-2] [#provide-rights-request-method] - [ ] **Response timeline stated** (Recommended) — The policy should state the response timeline — a response without undue delay and no later than the statutory window, extendable once with in-window notice and a reason. Many states set an initial 45-day window; the cited Florida act allows a single 15-day extension, while several other states allow a longer (often 45-day) extension, so confirm the governing state's clock. [^fl-fdbr-response-clock] [#state-response-timeline] - [ ] **Appeal process for refusals** (Recommended) — The policy should describe a conspicuously available process to appeal a refused request, answered in writing with reasons within the statutory window. A refusal is not the end of the road, and an appeal route that is missing or buried is itself a compliance gap. [^fl-fdbr-appeal] [#provide-appeal-process] ## Sale, targeted advertising, and opt-out signals {#sale-targeted-advertising-and-opt-out-signals} - [ ] **Sale and ad-targeting opt-out** (Recommended) — When a state privacy regime covers the business and it sells personal data or processes it for targeted advertising, the policy should clearly and conspicuously disclose that activity and how the consumer opts out. This gate is not comprehensive-act-only: a covered website operator or commercial site can owe the disclosure under a limited-scope regime too. [^ia-icdpa-sale-disclosure] [#disclose-sale-and-targeted-ad-opt-out] - [ ] **Profiling opt-out** (Recommended) — When the business profiles consumers to make decisions that carry legal or similarly significant effects, the policy should disclose the right to opt out of that profiling. [^fl-fdbr-rights-2] [#disclose-profiling-opt-out] - [ ] **Universal opt-out signal honored** (Recommended) — When the governing comprehensive act requires a universal opt-out mechanism, the policy should state that it treats a user-selected signal — such as Global Privacy Control — as a valid opt-out from targeted advertising and the sale of personal data. A growing minority of states makes honoring the signal mandatory, and the duty attaches to what the site actually does, not just to what the policy says. [^co-cpa-uoom] [#honor-universal-opt-out-signal] ## Sensitive-data consent {#sensitive-data-consent} - [ ] **Opt-in consent for sensitive data** (Required) — When a state privacy regime covers the business and it processes sensitive data, it must satisfy the governing state's sensitive-data rule before processing. Opt-in affirmative consent is the rule in most states and the strict baseline a multistate policy should adopt; a few states, such as Iowa, instead require clear notice and an opt-out [^ia-icdpa-sensitive-optout]. Where consent governs, it is captured by an affirmative flow, not implied by a paragraph in the policy. [^tx-tdpsa-sensitive-consent] [#obtain-consent-for-sensitive-data] - [ ] **Known child data routed through COPPA** (Required) — When the business has known child users — a child under 13, as COPPA defines the term — it must handle that child's data in accordance with COPPA, as the comprehensive acts incorporate. This is a federal duty, tied to online collection by covered operators, independent of any state coverage flag, and it is narrower than the separate minor-user duties some states impose for teens. [^tx-tdpsa-sensitive-consent] [#route-known-child-data-through-coppa] ## Maintenance and accuracy {#maintenance-and-accuracy} - [ ] **Policy reviewed and refreshed** (Recommended) — The policy should be reviewed and updated, and should carry a current effective or last-updated date, because laws such as the CCPA require a business to update its disclosures at least once every 12 months. A stale policy that no longer matches practice is both a contents gap and an accuracy exposure. [^ca-ccpa-policy-contents] [#keep-policy-current] - [ ] **Material-change notice described** (Recommended) — The policy should describe how the business notifies consumers of material changes to it. This is a fixed element of the website-operator notice. [^nv-operator-notice-2] [#describe-material-change-process] - [ ] **Policy matches actual practice** (Required) — The policy must accurately describe the business's actual data practices, and the business must follow the practices it describes. A policy that misstates actual practice is an unfair or deceptive act under FTC Act Section 5, and state consumer-protection (UDAP) statutes commonly reach the same conduct — in several states through a private right of action. This is the floor that makes every controls-promising disclosure above enforceable. [^ftc-act-5-deceptive] [#ensure-policy-accuracy] ## Data-type and status modules (conditional) {#data-type-and-status-modules-conditional} - [ ] **Sensitive-data sale notice** (Required) — When the Texas Data Privacy and Security Act covers the business and it sells sensitive personal data, the policy must include the fixed statutory notice Texas prescribes word for word. Because the governing act prescribes exact language, copy the notice verbatim rather than paraphrasing it; other states scope their sensitive-data-sale disclosures differently. [^tx-tdpsa-sale-notice] [#provide-sensitive-data-sale-notice] - [ ] **Biometric retention schedule** (Required) — When the business possesses biometric identifiers, it must maintain a written, publicly available policy with a retention schedule and destruction guidelines — destroying biometric data when the collection purpose is satisfied or within three years of the last interaction, whichever comes first. [^il-bipa-written-policy] [#maintain-biometric-retention-policy] - [ ] **Biometric written release** (Required) — Before collecting a biometric identifier, the business must give written notice of the collection, its specific purpose, and its retention term, and obtain a written release. This is a pre-collection flow, not a policy paragraph. [^il-bipa-consent] [#obtain-biometric-written-release] - [ ] **Consumer-health-data policy** (Required) — When the business collects consumer health data, it must maintain a dedicated consumer-health-data privacy policy disclosing the statutory elements, including the list of third-party categories and specific affiliates receiving the data. [^wa-mhmda-policy] [#maintain-consumer-health-data-policy] - [ ] **Consent gate for health data** (Prohibited) — The business must not collect consumer health data except with consent for a specified purpose, or to the extent necessary to provide a product or service the consumer requested. This is a consent-before-collection gate. [^wa-mhmda-consent] [#gate-consumer-health-data-on-consent] - [ ] **Website-operator notice** (Recommended) — When the business is a covered website operator, the policy should make available the five-element accessible notice: categories of covered information and of third-party recipients, the review-and-change process if any, the material-change notification process, third-party cross-site collection, and the effective date. [^nv-operator-notice-3] [#provide-website-operator-notice] - [ ] **Minor-user disclosures** (Recommended) — When the business directs services to, or has actual knowledge of, minor users, the policy should provide the applicable states' minors'-disclosure duties. These components activate on staggered effective dates, so confirm the precise per-state contents and timing in the governing states' notes before drafting this section. [#provide-minor-user-disclosures] - [ ] **Data-broker opt-out disclosure** (Recommended) — When the business is a data broker — it knowingly sells or licenses to third parties the brokered personal information of consumers with whom it has no direct relationship [^vt-db-definition] — the policy should disclose its opt-out practices: the method to request an opt-out, which activities or sales it covers, and whether a third party may exercise it, consistent with the broker's registration filing. [^vt-db-optout] [#disclose-data-broker-opt-out] - [ ] **Data-broker registration** (Required) — A data broker must register annually with the governing state — in Vermont, with the Secretary of State by January 31, paying the fee and providing the prescribed disclosures. This is a conduct duty that lives outside the policy's four corners; California, Texas, and Oregon impose parallel broker registration, detailed in the per-state notes. [^vt-db-registration-2] [#register-as-data-broker] [^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-17. License: CC BY 4.0. Steven Obiajulu, J.D. edits this review checklist for Jurisdiction-neutral (US) coverage. It synthesizes legal sources and is not legal advice. This article is for informational purposes only and does not create an attorney-client relationship. [^nj-notice-contact]: **N.J.S.A. 56:8-166.6** — "(7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller." *N.J.S.A. 56:8-166.6(a)(7).* [^nv-operator-notice]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* [^tx-tdpsa-notice-contents-2]: **Tex. Bus. & Com. Code § 541.102** — "A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) the purpose for processing personal data;" *Tex. Bus. & Com. Code § 541.102(a).* [^or-ocpa-notice-detail]: **Or. Rev. Stat. § 646A.578** — "(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;" *Or. Rev. Stat. § 646A.578(4).* [^fl-fdbr-rights]: **Fla. Stat. § 501.705(2)** — "(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature." *Fla. Stat. § 501.705(2).* [^or-ocpa-notice-detail-2]: **Or. Rev. Stat. § 646A.578** — "(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;" *Or. Rev. Stat. § 646A.578(4).* [^fl-fdbr-response-clock]: **Fla. Stat. § 501.706(2)** — "(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension." *Fla. Stat. § 501.706(2).* [^fl-fdbr-appeal]: **Fla. Stat. § 501.707** — "(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under s. 501.706(3). (2) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision." *Fla. Stat. § 501.707.* [^ia-icdpa-sale-disclosure]: **Iowa Code § 715D.4** — "If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity." *Iowa Code § 715D.4(6).* [^fl-fdbr-rights-2]: **Fla. Stat. § 501.705(2)** — "(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature." *Fla. Stat. § 501.705(2).* [^co-cpa-uoom]: **Colo. Rev. Stat. § 6-1-1306** — "a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313." *Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).* [^ia-icdpa-sensitive-optout]: **Iowa Code § 715D.4** — "A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq." *Iowa Code § 715D.4(2).* [^tx-tdpsa-sensitive-consent]: **Tex. Bus. & Com. Code § 541.101** — "process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.)." *Tex. Bus. & Com. Code § 541.101(b)(4).* [^ca-ccpa-policy-contents]: **Cal. Civ. Code § 1798.130** — "Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:" *Cal. Civ. Code § 1798.130(a)(5).* [^nv-operator-notice-2]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* [^ftc-act-5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* [^tx-tdpsa-sale-notice]: **Tex. Bus. & Com. Code § 541.102(b)** — "If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice: ‘NOTICE: We may sell your sensitive personal data.’" *Tex. Bus. & Com. Code § 541.102(b).* [^il-bipa-written-policy]: **740 ILCS 14/15(a)** — "A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." *740 ILCS 14/15(a).* [^il-bipa-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* [^wa-mhmda-policy]: **RCW 19.373.020(1)(a)** — "beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040" *Wash. Rev. Code § 19.373.020(1)(a).* [^wa-mhmda-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* [^nv-operator-notice-3]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* [^vt-db-definition]: **9 V.S.A. § 2430** — "‘Data broker’ means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." *9 V.S.A. § 2430(4)(A).* [^vt-db-optout]: **9 V.S.A. § 2446** — "if the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data: (i) the method for requesting an opt-out; (ii) if the opt-out applies to only certain activities or sales, which ones; and (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer’s behalf;" *9 V.S.A. § 2446(a)(3)(B).* [^vt-db-registration-2]: **9 V.S.A. § 2446** — "Annually, on or before January 31 following a year in which a person meets the definition of data broker as provided in section 2430 of this title, a data broker shall: (1) register with the Secretary of State; (2) pay a registration fee of $100.00; and (3) provide the following information: (A) the name and primary physical, e-mail, and Internet addresses of the data broker;" *9 V.S.A. § 2446(a).*