Consumer Privacy Practice Note

Privacy Policies: What U.S. State Privacy Laws Require a Business to Post, Say, and Honor

The cross-state framework for consumer privacy policies — who must post one, what it must disclose, which consumer rights and consent duties attach, and who enforces it — with links to every state's practice note and the 50-state survey.

Editor: OpenAgreements editor
License: CC BY 4.0

A privacy policy is the public notice that tells consumers what personal data a business collects, why it collects it, who it shares it with, and what the consumer can do about it. Whether a business must post one — and what the policy must say — depends on a patchwork of state law. A large bloc of states now has comprehensive consumer-privacy acts that fix the policy's contents by statute; a smaller group regulates only narrow classes of companies or specific data types, such as biometric or consumer-health data; and the remaining tier imposes only breach-notification, data-security, and truth-in-advertising duties, so that whatever a business chooses to publish must simply be true. A common analytical spine runs through that patchwork, and this note explains it, with links to the per-state practice notes — for example California, Texas, and Illinois — and to the 50-state survey for the jurisdiction-specific detail.

Which businesses are required to post a privacy policy?

A business must post a privacy policy in every state whose comprehensive consumer-privacy act covers it — and roughly twenty states now have one, applying by thresholds keyed to data volume, revenue, or business size rather than by industry. Texas reaches any person that does business in the state or serves Texas residents, processes or sells personal data, and is not a federal small business. Colorado instead keys its act to how many residents' data a controller handles and whether it earns revenue from selling personal data.

This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration

A second group of states mandates a policy without a comprehensive act. Nevada requires every covered website operator to make an accessible notice available with five fixed elements, from the categories of covered information collected to the effective date. Sectoral statutes work the same way for specific data: Illinois requires any private entity holding biometric data to publish a written retention-and-destruction policy, and Washington requires a dedicated consumer-health-data privacy policy with its own statutory checklist.

Everywhere else, the duty is honesty rather than publication. No statute in the baseline states orders a general-purpose policy, but Section 5 of the FTC Act declares unfair or deceptive practices unlawful, which reaches a posted policy that misstates what the business actually does — and state unfair-and-deceptive-practices laws carry the same rule.

Practice caution

Do not treat falling below every comprehensive act's thresholds as meaning no policy duty at all. A sectoral statute can still mandate one — a single fingerprint time-clock triggers the Illinois written-policy requirement — and any policy you voluntarily post is enforceable against you as written under FTC Act Section 5. Check the governing state's note and the 50-state survey before deciding you are out of scope.

Sources for this answer

Primary law

A.1 Tex. Bus. & Com. Code § 541.002

The TDPSA applies to a person that does business in Texas or produces a product or service consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration — with no revenue or volume threshold.

This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 applies to a person described by this subdivision.

See Tex. Bus. & Com. Code § 541.002(a).

Primary law

A.2 Colo. Rev. Stat. § 6-1-1304

The CPA applies to a controller that conducts business in Colorado or targets Colorado residents and meets a 100,000-consumer threshold, or a 25,000-consumer threshold while deriving revenue from selling personal data.

this part 13 applies to a controller that: (a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and (b) Satisfies one or both of the following thresholds: (I) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or (II) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.

See Colo. Rev. Stat. § 6-1-1304(1).

Primary law

A.3 NRS 603A.340

An operator must make available an accessible notice with five fixed elements: categories of covered information collected and categories of third parties it may be shared with, any review-and-change process, the material-change notification process, third-party cross-site collection, and the effective date.

Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice.

See NRS 603A.340(1).

Primary law · 2008-10-03

A.4 740 ILCS 14/15(a)

A private entity in possession of biometric data must develop a written, publicly available policy establishing a retention schedule and destruction guidelines, with destruction when the collection purpose is satisfied or within 3 years of the individual's last interaction, whichever occurs first.

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

See 740 ILCS 14/15(a).

Primary law

A.5 RCW 19.373.020(1)(a)

Beginning March 31, 2024, a regulated entity and a small business must maintain a consumer health data privacy policy that clearly and conspicuously discloses five fixed elements, including a list of the categories of third parties and the specific affiliates receiving the data.

beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040

See Wash. Rev. Code § 19.373.020(1)(a).

Primary law

A.6 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

What must a privacy policy say under state privacy laws?

The comprehensive acts converge on one statutory checklist: the categories of personal data the business processes, the purposes of processing, how consumers exercise their rights and appeal a refusal, what is shared with third parties and with whom, and how to contact the business. Texas opens its list with the categories of personal data processed — sensitive data called out separately — and the purposes for processing, and Oregon spells out the rest: how a consumer may exercise and appeal rights, all categories of personal data shared, and the categories of third parties receiving it, described specifically enough that the consumer can understand what type of entity each one is.

Two recurring add-ons deserve attention. First, advertising and data sales must be flagged: a controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that activity and explain how the consumer opts out, a rule Iowa states in a single sentence. Second, the policy is a living document: California requires the statutory disclosures to appear in the online privacy policy itself and to be updated at least once every 12 months.

Drafting caution

Some content is scripted word for word, not paraphrased. Texas, for example, requires a controller that sells sensitive personal data to include a fixed statutory notice to that effect in its privacy notice. When the governing act prescribes exact language, copy the script verbatim into the policy rather than drafting an equivalent.

Sources for this answer

Primary law

B.1 Tex. Bus. & Com. Code § 541.102

A controller must provide a reasonably accessible and clear privacy notice that begins with the categories of personal data processed, including any sensitive data, and the purpose for processing.

A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) the purpose for processing personal data;

See Tex. Bus. & Com. Code § 541.102(a).

Primary law · 2023-07-01

B.2 Or. Rev. Stat. § 646A.578

The privacy notice must also explain how consumers exercise and appeal their rights, list all categories of personal data shared with third parties, and describe the categories of recipient third parties at a level of detail that lets the consumer understand what type of entity each one is.

(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;

See Or. Rev. Stat. § 646A.578(4).

Primary law · 2025-01-01

B.3 Iowa Code § 715D.4

A controller that sells personal data or engages in targeted advertising must clearly and conspicuously disclose that activity and how a consumer may opt out.

If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

See Iowa Code § 715D.4(6).

Primary law

B.4 Cal. Civ. Code § 1798.130

A business must disclose the CCPA-required information in its online privacy policy — or on its website if it maintains no policy — and update that information at least once every 12 months.

Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:

See Cal. Civ. Code § 1798.130(a)(5).

Primary law

B.5 Tex. Bus. & Com. Code § 541.102(b)

A controller that sells sensitive personal data must include a fixed statutory notice to that effect in its privacy notice.

If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice: "NOTICE: We may sell your sensitive personal data."

See Tex. Bus. & Com. Code § 541.102(b).

Which consumer rights must a privacy policy disclose?

The policy must describe the statutory rights the act gives consumers, and the catalog is remarkably consistent: to confirm processing and access the data, to correct inaccuracies, to delete personal data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling used for decisions with legal or similarly significant effects. Florida's act enumerates that full list — and adds opt-outs for sensitive-data collection and for voice- and facial-recognition features.

The disclosure is incomplete without the mechanics. The acts put controllers on a response clock — in Florida's formulation, a response without undue delay and no later than 45 days, extendable once by 15 days with notice and a reason given inside the initial window. And a refusal is not the end of the road: the controller must run a conspicuously available appeal process and answer the appeal in writing, with reasons, within a fixed period — 60 days in Florida. State-to-state additions and omissions to the rights catalog are exactly what the per-state notes and the 50-state survey record, so confirm the governing state's list before drafting the rights section.

Sources for this answer

Primary law

C.1 Fla. Stat. § 501.705(2)

A controller must honor authenticated requests for confirmation and access, correction, deletion, and portability, plus opt-outs from targeted advertising, sale, significant-effect profiling, sensitive-data collection or processing, and collection via voice- or facial-recognition features.

(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.

See Fla. Stat. § 501.705(2).

Primary law

C.2 Fla. Stat. § 501.706(2)

A controller must respond to a consumer request within 45 days and may extend the period once by an additional 15 days, with in-window notice of the extension and its reason.

(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

See Fla. Stat. § 501.706(2).

Primary law

C.3 Fla. Stat. § 501.707

A controller must establish a conspicuously available appeal process for refused requests and answer the appeal in writing, with reasons, within 60 days.

(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under s. 501.706(3). (2) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

See Fla. Stat. § 501.707.

When does a privacy policy need consent rather than just notice?

Notice stops being enough when sensitive data is involved: most comprehensive states require opt-in consent before a business may process it. Texas bars processing a consumer's sensitive data without consent — and requires a known child's data to be handled under COPPA — and Virginia's act uses nearly identical language. A smaller group flips the default: Iowa requires only clear notice and an opportunity to opt out before sensitive data is processed.

Sectoral statutes impose their own consent gates for specific categories regardless of any comprehensive act. Illinois forbids collecting a biometric identifier until the business gives written notice of the collection, its specific purpose, and its length of term, and receives a written release. Washington bars collecting consumer health data except with consent for a specified purpose or as necessary to provide a product or service the consumer requested.

The opt-out side has its own escalation: a growing minority of comprehensive states requires controllers to honor a browser-level universal opt-out signal as a valid opt-out from targeted advertising and data sales. Colorado requires controllers to honor a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications; in other comprehensive states recognizing such signals remains optional, a split the per-state notes record.

Drafting caution

A paragraph buried in the privacy policy is not consent. In the opt-in states, build an affirmative consent flow that captures agreement before any sensitive data is processed, and where universal opt-out signals are mandatory, configure the site to honor them — the duty attaches to what the business does, not to what the policy says.
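What "configure the site to honor them" looks like in code, as an added example that is not part of the original note. It assumes the signal in question is Global Privacy Control (GPC), which browsers send as the request header `Sec-GPC: 1` and expose to page scripts as `navigator.globalPrivacyControl`; the note itself names no specific mechanism, and whether GPC satisfies a given state's technical specification must be confirmed against that state's rules. The handler treats the signal conservatively (it wins even over a recorded opt-in) and does not model how a later express consent interacts with an earlier signal, which is a state-specific question. The sample requests and the `lastUpdate` date are constructed.

```javascript
'use strict';
// Added example: honoring a browser-level universal opt-out signal server-side.
// Assumption: the signal is Global Privacy Control (GPC), carried as the request
// header "Sec-GPC: 1" and, in page scripts, as navigator.globalPrivacyControl.

const GPC_HEADER = 'sec-gpc';

// Case-insensitive header lookup. Node lower-cases incoming header names, but
// other stacks may not, so normalize both sides before comparing.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// GPC is a boolean signal: only the exact token "1" means "opt out".
// "0", "true", "yes" or a missing header are all treated as no signal.
// Surrounding whitespace is tolerated because HTTP parsers may or may not strip it.
function gpcSignalPresent(headers) {
  const raw = headerValue(headers, GPC_HEADER);
  return typeof raw === 'string' && raw.trim() === '1';
}

// Client-side equivalent, written against a navigator-like object so it can be
// exercised outside a browser (pass window.navigator in page code).
function gpcSignalFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Per-request decision on the two activities the signal covers.
// storedPreference is the consumer's recorded choice: 'opt-out', 'opt-in', or
// undefined when nothing is on record. The signal is applied conservatively:
// when present it wins, even over a recorded opt-in.
function decideProcessing(headers, storedPreference) {
  const optOut = { targetedAdvertising: false, sale: false };
  if (gpcSignalPresent(headers)) {
    return { ...optOut, basis: 'universal-opt-out-signal' };
  }
  if (storedPreference === 'opt-out') {
    return { ...optOut, basis: 'stored-opt-out' };
  }
  return {
    targetedAdvertising: true,
    sale: true,
    basis: storedPreference === 'opt-in' ? 'stored-opt-in' : 'no-opt-out-on-record',
  };
}

// The GPC spec lets a site advertise support at /.well-known/gpc.json.
// lastUpdate is a constructed placeholder; set it to the date the policy changed.
function gpcSupportDocument() {
  return { gpc: true, lastUpdate: '2025-01-01' };
}

// Minimal request handler a real server would mount. It takes a request-like
// object ({ url, headers }) and a loader for the consumer's stored preference,
// and returns a plain response object so the logic can be tested without a socket.
// The returned decision is what to log for the audit trail: which activity was
// allowed or blocked for this request, and on what basis.
function handleRequest(req, loadPreference) {
  if (req.url === '/.well-known/gpc.json') {
    return { status: 200, contentType: 'application/json', body: JSON.stringify(gpcSupportDocument()) };
  }
  const decision = decideProcessing(req.headers, loadPreference(req));
  return { status: 200, contentType: 'application/json', body: JSON.stringify(decision), decision };
}

// Constructed sample requests: signal present, stored opt-out, bogus signal value,
// and the support document.
const sampleRequests = [
  { url: '/', headers: { 'sec-gpc': '1', 'user-agent': 'example' }, pref: 'opt-in' },
  { url: '/', headers: { 'user-agent': 'example' }, pref: 'opt-out' },
  { url: '/', headers: { 'Sec-GPC': '0' }, pref: undefined },
  { url: '/.well-known/gpc.json', headers: {}, pref: undefined },
];

for (const r of sampleRequests) {
  const res = handleRequest(r, () => r.pref);
  console.log(r.url, JSON.stringify(r.headers), '->', res.body);
}
```

The strict equality on "1" matters: a permissive check that treats any non-empty `Sec-GPC` value as an opt-out would misread "0" (which some clients send when the user has not enabled the signal) as a request to stop processing, and one that ignores the header entirely fails the duty the Colorado provision imposes. Logging the `basis` field for each decision gives the record you will want if the Attorney General asks how signals were handled.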

Sources for this answer

Primary law · 2025-01-01

D.3 Iowa Code § 715D.4

A controller may process sensitive data only after presenting the consumer with clear notice and an opportunity to opt out, and must handle a known child's data in accordance with COPPA — Iowa uses notice-and-opt-out, not opt-in consent.

A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq.

See Iowa Code § 715D.4(2).

Primary law

D.6 Colo. Rev. Stat. § 6-1-1306

Since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must allow consumers to opt out through a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications.

a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.

See Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).

Who enforces privacy-policy requirements — and can consumers sue over violations?

Under most comprehensive acts, only the state attorney general (or a dedicated regulator) enforces, and consumers cannot sue: Texas gives its attorney general exclusive enforcement authority and says expressly that the act provides no basis for a private right of action. Many acts pair that exclusivity with a cure period — a chance to fix a violation before an enforcement action — though the window is often temporary; Connecticut's mandatory notice-and-cure ran only from July 1, 2023 through December 31, 2024.

The exceptions are where the litigation exposure lives. Illinois lets any person aggrieved by a biometric-privacy violation sue, and its Supreme Court held in Rosenbach v. Six Flags Entertainment Corp. that no actual injury beyond the statutory violation is required. Washington declares every violation of its consumer-health-data act an unfair or deceptive act for purposes of its Consumer Protection Act, and an injured consumer can sue under that act for an injunction, actual damages, costs, and fees, with discretionary trebling. California draws a narrower line: consumers may sue only over a data breach — unauthorized access to nonencrypted, nonredacted personal information caused by the failure to maintain reasonable security.

an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act

In the baseline states, enforcement runs through general consumer-protection and breach-notification law rather than a privacy act, and a posted policy that misstates actual practices remains reachable as a deceptive practice. Georgia, for example, lets a person injured by an unfair or deceptive practice bring an individual action, though not a class action.

Practice caution

A no-private-right-of-action clause in the governing comprehensive act is not immunity from consumer suits. Sectoral statutes carry their own private actions — biometric claims need no actual injury in Illinois — and a security failure can open the breach-only consumer action in California. Map every category of data you hold against the sectoral statutes before relying on attorney-general-only enforcement.

Sources for this answer

Primary law

E.1 Tex. Bus. & Com. Code § 541.151

The Texas attorney general has exclusive authority to enforce the TDPSA.

The attorney general has exclusive authority to enforce this chapter.

See Tex. Bus. & Com. Code § 541.151.

Primary law

E.2 Tex. Bus. & Com. Code § 541.156

The TDPSA may not be construed as providing a basis for a private right of action for a violation of the chapter or any other law.

This chapter may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law.

See Tex. Bus. & Com. Code § 541.156.

Primary law

E.3 Conn. Gen. Stat. § 42-525

The CTDPA's mandatory notice-and-cure period ran only from July 1, 2023 through December 31, 2024.

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524 , inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible.

See Conn. Gen. Stat. § 42-525(b).

Case law · 2019-01-25

E.4 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186

The Illinois Supreme Court held that a person is aggrieved under BIPA — and may seek liquidated damages and injunctive relief — without alleging any actual injury beyond the violation of his or her statutory rights.

Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.

See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.

Primary law

E.5 RCW 19.373.090

A violation of the MHMDA is per se an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of the Consumer Protection Act, and the covered practices are declared matters vitally affecting the public interest.

The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW.

See Wash. Rev. Code § 19.373.090.

Primary law

E.6 RCW 19.86.090

Any person injured in business or property by a CPA violation may sue for injunctive relief, actual damages, costs, and attorney fees, and the court may treble damages up to $25,000 for unfair-practice violations.

Any person who is injured in his or her business or property by a violation of RCW 19.86.020 , 19.86.030 , 19.86.040 , 19.86.050 , or 19.86.060 , or any person so injured because he or she refuses to accede to a proposal for an arrangement which, if consummated, would be in violation of RCW 19.86.030 , 19.86.040 , 19.86.050 , or 19.86.060 , may bring a civil action in superior court to enjoin further violations, to recover the actual damages sustained by him or her, or both, together with the costs of the suit, including a reasonable attorney's fee. In addition, the court may, in its discretion, increase the award of damages up to an amount not to exceed three times the actual damages sustained: PROVIDED, That such increased damage award for violation of RCW 19.86.020 may not exceed twenty-five thousand dollars

See Wash. Rev. Code § 19.86.090.

Primary law

E.7 Cal. Civ. Code § 1798.150

A consumer may bring a civil action when nonencrypted, nonredacted personal information is subject to unauthorized access as a result of the business's failure to maintain reasonable security.

Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action

See Cal. Civ. Code § 1798.150(a)(1).

Primary law

E.8 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

E.9 O.C.G.A. § 10-1-399

The FBPA authorizes an injured person to bring an individual, but not representative, action for equitable injunctive relief and general and exemplary damages.

any person who suffers injury or damages as a result of a violation of Chapter 5B of this title, as a result of consumer acts or practices in violation of this part, as a result of office supply transactions in violation of this part or whose business or property has been injured or damaged as a result of such violations may bring an action individually, but not in a representative capacity

See O.C.G.A. § 10-1-399(a).

How the states line up

Selected groupings, current as of Jun 12, 2026. These are not exhaustive — a state can appear in more than one group or none. See the full survey for every jurisdiction.

States that require honoring a browser opt-out signal

U.S. survey preview: 51 jurisdictions side by side

Jurisdiction | Law coverage             | Can consumers sue? | Privacy policy rule
California   | Comprehensive law        | Limited path       | Policy contents fixed by law
Arizona      | Specific data types only | No                 | Policy required only for specific data
Alabama      | No comprehensive law*    | Limited path       | No state policy checklist*
Alaska       | No comprehensive law     | Limited path       | No state policy checklist

See the full U.S. survey →