# Privacy Policies: What U.S. State Privacy Laws Require a Business to Post, Say, and Honor[^about]

The cross-state framework for consumer privacy policies — who must post one, what it must disclose, which consumer rights and consent duties attach, and who enforces it — with links to every state's practice note and the 50-state survey.

A privacy policy is the public notice that tells consumers what personal data a business collects, why it collects it, who it shares it with, and what the consumer can do about it. Whether a business must post one — and what the policy must say — depends on a patchwork of state law. A large bloc of states now has **comprehensive consumer-privacy acts** that fix the policy's contents by statute; a smaller group regulates only narrow classes of companies or specific data types, such as biometric or consumer-health data; and the remaining tier imposes only breach-notification, data-security, and truth-in-advertising duties, so that whatever a business chooses to publish must simply be true. A common analytical spine runs through that patchwork, and this note explains it, with links to the per-state practice notes — for example [California](/legal/privacy/california), [Texas](/legal/privacy/texas), and [Illinois](/legal/privacy/illinois) — and to the [50-state survey](/legal/privacy/us-survey) for the jurisdiction-specific detail.

## Which businesses are required to post a privacy policy? {#who-must-post-a-privacy-policy}

**Short answer.** A business must post a privacy policy in every state whose **comprehensive consumer-privacy act** covers it — and roughly twenty states now have one, applying by thresholds keyed to data volume, revenue, or business size rather than by industry. [Texas](/legal/privacy/texas) reaches any person that does business in the state or serves Texas residents, processes or sells personal data, and is not a federal **small business** [^tx-tdpsa-apply]. [Colorado](/legal/privacy/colorado) instead keys its act to how many residents' data a controller handles and whether it earns revenue from selling personal data [^co-cpa-apply].

"This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration"[^tx-tdpsa-apply]

A second group of states mandates a policy without a comprehensive act. [Nevada](/legal/privacy/nevada) requires every covered website operator to make an accessible notice available with five fixed elements, from the categories of covered information collected to the effective date [^nv-operator-notice]. Sectoral statutes work the same way for specific data: [Illinois](/legal/privacy/illinois) requires any private entity holding biometric data to publish a written retention-and-destruction policy [^il-bipa-written-policy], and [Washington](/legal/privacy/washington) requires a dedicated consumer-health-data privacy policy with its own statutory checklist [^wa-mhmda-policy].

Everywhere else, the duty is honesty rather than publication. No statute in the baseline states orders a general-purpose policy, but Section 5 of the FTC Act declares unfair or deceptive practices unlawful, which reaches a posted policy that misstates what the business actually does — and state unfair-and-deceptive-practices laws carry the same rule [^ftc-act-5-deceptive].

> [!NOTE]
> **Practice note.**
>
> Do not treat falling below every comprehensive act's thresholds as meaning no policy duty at all. A sectoral statute can still mandate one — a single fingerprint time-clock triggers the Illinois written-policy requirement [^il-bipa-written-policy] — and any policy you voluntarily post is enforceable against you as written under FTC Act Section 5 [^ftc-act-5-deceptive]. Check the governing state's note and the [50-state survey](/legal/privacy/us-survey) before deciding you are out of scope.

## What must a privacy policy say under state privacy laws? {#what-the-policy-must-say}

**Short answer.** The comprehensive acts converge on one statutory checklist: the **categories of personal data** the business processes, the **purposes** of processing, how consumers exercise their rights and appeal a refusal, what is shared with third parties and with whom, and how to contact the business. [Texas](/legal/privacy/texas) opens its list with the categories of personal data processed — sensitive data called out separately — and the purposes for processing [^tx-tdpsa-notice-contents], and [Oregon](/legal/privacy/oregon) spells out the rest: how a consumer may exercise and appeal rights, all categories of personal data shared, and the categories of third parties receiving it, described specifically enough that the consumer can understand what type of entity each one is [^or-ocpa-notice-detail].

Two recurring add-ons deserve attention. First, advertising and data sales must be flagged: a controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that activity and explain how the consumer opts out, a rule [Iowa](/legal/privacy/iowa) states in a single sentence [^ia-icdpa-sale-disclosure]. Second, the policy is a living document: [California](/legal/privacy/california) requires the statutory disclosures to appear in the online privacy policy itself and to be updated at least once every 12 months [^ca-ccpa-policy-contents].

> [!CAUTION]
> **Drafting note.**
>
> Some content is scripted word for word, not paraphrased. Texas, for example, requires a controller that sells sensitive personal data to include a fixed statutory notice to that effect in its privacy notice [^tx-tdpsa-sale-notice]. When the governing act prescribes exact language, copy the script verbatim into the policy rather than drafting an equivalent.

## Which consumer rights must a privacy policy disclose? {#consumer-rights-disclosures}

**Short answer.** The policy must describe the statutory rights the act gives consumers, and the catalog is remarkably consistent: to confirm processing and **access** the data, to **correct** inaccuracies, to **delete** personal data, to obtain a **portable copy**, and to **opt out** of targeted advertising, the sale of personal data, and profiling used for decisions with legal or similarly significant effects. [Florida](/legal/privacy/florida)'s act enumerates that full list — and adds opt-outs for sensitive-data collection and for voice- and facial-recognition features [^fl-fdbr-rights].

The disclosure is incomplete without the mechanics. The acts put controllers on a response clock — in Florida's formulation, a response without undue delay and no later than 45 days, extendable once by 15 days with notice and a reason given inside the initial window [^fl-fdbr-response-clock]. And a refusal is not the end of the road: the controller must run a conspicuously available **appeal process** and answer the appeal in writing, with reasons, within a fixed period — 60 days in Florida [^fl-fdbr-appeal]. State-to-state additions and omissions to the rights catalog are exactly what the per-state notes and the [50-state survey](/legal/privacy/us-survey) record, so confirm the governing state's list before drafting the rights section.

## When does a privacy policy need consent rather than just notice? {#consent-and-opt-out-duties}

**Short answer.** Notice stops being enough when **sensitive data** is involved: most comprehensive states require **opt-in consent** before a business may process it. [Texas](/legal/privacy/texas) bars processing a consumer's sensitive data without consent — and requires a known child's data to be handled under COPPA [^tx-tdpsa-sensitive-consent] — and [Virginia](/legal/privacy/virginia)'s act uses nearly identical language [^va-vcdpa-sensitive-consent]. A smaller group flips the default: [Iowa](/legal/privacy/iowa) requires only clear notice and an opportunity to opt out before sensitive data is processed [^ia-icdpa-sensitive-optout].

Sectoral statutes impose their own consent gates for specific categories regardless of any comprehensive act. [Illinois](/legal/privacy/illinois) forbids collecting a biometric identifier until the business gives written notice of the collection, its specific purpose, and its length of term, and receives a written release [^il-bipa-consent]. [Washington](/legal/privacy/washington) bars collecting consumer health data except with consent for a specified purpose or as necessary to provide a product or service the consumer requested [^wa-mhmda-consent].

The opt-out side has its own escalation: a growing minority of comprehensive states requires controllers to honor a browser-level **universal opt-out signal** as a valid opt-out from targeted advertising and data sales. [Colorado](/legal/privacy/colorado) requires controllers to honor a user-selected universal opt-out mechanism meeting the Attorney General's technical specifications [^co-cpa-uoom]; in other comprehensive states, recognizing such signals remains optional, a split the per-state notes record.

> [!CAUTION]
> **Drafting note.**
>
> A paragraph buried in the privacy policy is not consent. In the opt-in states, build an affirmative consent flow that captures agreement before any sensitive data is processed [^tx-tdpsa-sensitive-consent], and where universal opt-out signals are mandatory, configure the site to honor them — the duty attaches to what the business does, not to what the policy says [^co-cpa-uoom].

## Who enforces privacy-policy requirements — and can consumers sue over violations? {#enforcement-and-lawsuits}

**Short answer.** Under most comprehensive acts, only the state attorney general (or a dedicated regulator) enforces, and consumers cannot sue: [Texas](/legal/privacy/texas) gives its attorney general exclusive enforcement authority and says expressly that the act provides no basis for a **private right of action** [^tx-tdpsa-ag-exclusive][^tx-tdpsa-no-pra]. Many acts pair that exclusivity with a **cure period** — a chance to fix a violation before an enforcement action — though the window is often temporary; [Connecticut](/legal/privacy/connecticut)'s mandatory notice-and-cure ran only from July 1, 2023 through December 31, 2024 [^ct-ctdpa-cure].

The exceptions are where the litigation exposure lives. [Illinois](/legal/privacy/illinois) lets any person aggrieved by a biometric-privacy violation sue, and its Supreme Court held in *Rosenbach v. Six Flags Entertainment Corp.* that no actual injury beyond the statutory violation is required [^il-rosenbach]. [Washington](/legal/privacy/washington) declares every violation of its consumer-health-data act an unfair or deceptive act for purposes of its Consumer Protection Act [^wa-mhmda-cpa-bridge], and an injured consumer can sue under that act for an injunction, actual damages, costs, and fees, with discretionary trebling [^wa-cpa-private-suit]. [California](/legal/privacy/california) draws a narrower line: consumers may sue only over a data breach — unauthorized access to nonencrypted, nonredacted personal information caused by the failure to maintain reasonable security [^ca-ccpa-breach-action].

"an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act"[^il-rosenbach]

In the baseline states, enforcement runs through general consumer-protection and breach-notification law rather than a privacy act, and a posted policy that misstates actual practices remains reachable as a deceptive practice [^q5-ftc5-deceptive]. [Georgia](/legal/privacy/georgia), for example, lets a person injured by an unfair or deceptive practice bring an individual action, though not a class action [^ga-fbpa-private-suit].

> [!NOTE]
> **Practice note.**
>
> A no-private-right-of-action clause in the governing comprehensive act is not immunity from consumer suits. Sectoral statutes carry their own private actions — biometric claims need no actual injury in Illinois [^il-rosenbach] — and a security failure can open the breach-only consumer action in California [^ca-ccpa-breach-action]. Map every category of data you hold against the sectoral statutes before relying on attorney-general-only enforcement.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. edits this topic article for Federal + 50-state + DC coverage. It synthesizes legal sources and is not legal advice. This article is for informational purposes only and does not create an attorney-client relationship.

[^tx-tdpsa-apply]: **Tex. Bus. & Com. Code § 541.002** — "This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 applies to a person described by this subdivision." *Tex. Bus. & Com. Code § 541.002(a).* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^co-cpa-apply]: **Colo. Rev. Stat. § 6-1-1304** — "this part 13 applies to a controller that: (a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and (b) Satisfies one or both of the following thresholds: (I) Controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or (II) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more." *Colo. Rev. Stat. § 6-1-1304(1).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>

[^nv-operator-notice]: **NRS 603A.340** — "Except as otherwise provided in subsection 2, an operator shall make available, in a manner reasonably calculated to be accessible by consumers whose covered information the operator collects through its Internet website or online service, a notice that: (a) Identifies the categories of covered information that the operator collects through its Internet website or online service about consumers who use or visit the Internet website or online service and the categories of third parties with whom the operator may share such covered information; (b) Provides a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to any of his or her covered information that is collected through the Internet website or online service; (c) Describes the process by which the operator notifies consumers who use or visit the Internet website or online service of material changes to the notice required to be made available by this subsection; (d) Discloses whether a third party may collect covered information about an individual consumer’s online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator; and (e) States the effective date of the notice." *NRS 603A.340(1).* <https://www.leg.state.nv.us/nrs/NRS-603A.html>

[^il-bipa-written-policy]: **740 ILCS 14/15(a)** — "A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^wa-mhmda-policy]: **RCW 19.373.020(1)(a)** — "beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040" *Wash. Rev. Code § 19.373.020(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^ftc-act-5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^tx-tdpsa-notice-contents]: **Tex. Bus. & Com. Code § 541.102** — "A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) the purpose for processing personal data;" *Tex. Bus. & Com. Code § 541.102(a).* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^or-ocpa-notice-detail]: **Or. Rev. Stat. § 646A.578** — "(c) Describes how a consumer may exercise the consumer’s rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller’s denial of a consumer’s request under ORS 646A.576; (d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties; (e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;" *Or. Rev. Stat. § 646A.578(4).* <https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html>

[^ia-icdpa-sale-disclosure]: **Iowa Code § 715D.4** — "If a controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity." *Iowa Code § 715D.4(6).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^ca-ccpa-policy-contents]: **Cal. Civ. Code § 1798.130** — "Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:" *Cal. Civ. Code § 1798.130(a)(5).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130>

[^tx-tdpsa-sale-notice]: **Tex. Bus. & Com. Code § 541.102(b)** — "If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice: ‘NOTICE: We may sell your sensitive personal data.’" *Tex. Bus. & Com. Code § 541.102(b).* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^fl-fdbr-rights]: **Fla. Stat. § 501.705(2)** — "(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights: (a) To confirm whether a controller is processing the consumer’s personal data and to access the personal data. (b) To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. (c) To delete any or all personal data provided by or obtained about the consumer. (d) To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. (e) To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. (f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data. (g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature." *Fla. Stat. § 501.705(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.705>

[^fl-fdbr-response-clock]: **Fla. Stat. § 501.706(2)** — "(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension." *Fla. Stat. § 501.706(2).* <https://www.flsenate.gov/Laws/Statutes/2025/501.706>

[^fl-fdbr-appeal]: **Fla. Stat. § 501.707** — "(1) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision under s. 501.706(3). (2) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section within 60 days after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision." *Fla. Stat. § 501.707.* <https://www.flsenate.gov/Laws/Statutes/2025/501.707>

[^tx-tdpsa-sensitive-consent]: **Tex. Bus. & Com. Code § 541.101** — "process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.)." *Tex. Bus. & Com. Code § 541.101(b)(4).* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^va-vcdpa-sensitive-consent]: **Va. Code § 59.1-578** — "process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act" *Va. Code § 59.1-578(A)(5).* <https://law.lis.virginia.gov/vacode/59.1-578/>

[^ia-icdpa-sensitive-optout]: **Iowa Code § 715D.4** — "A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §6501 et seq." *Iowa Code § 715D.4(2).* <https://www.legis.iowa.gov/docs/code/2025/715D.4.pdf>

[^il-bipa-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^wa-mhmda-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^co-cpa-uoom]: **Colo. Rev. Stat. § 6-1-1306** — "a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313." *Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>

[^tx-tdpsa-ag-exclusive]: **Tex. Bus. & Com. Code § 541.151** — "The attorney general has exclusive authority to enforce this chapter." *Tex. Bus. & Com. Code § 541.151.* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^tx-tdpsa-no-pra]: **Tex. Bus. & Com. Code § 541.156** — "This chapter may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law." *Tex. Bus. & Com. Code § 541.156.* <https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm>

[^ct-ctdpa-cure]: **Conn. Gen. Stat. § 42-525** — "During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible." *Conn. Gen. Stat. § 42-525(b).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-525>

[^il-rosenbach]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=Contrary%20to%20the%20appellate%20court%E2%80%99s,relief%20pursuant%20to%20the%20Act.>

[^wa-mhmda-cpa-bridge]: **RCW 19.373.090** — "The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW." *Wash. Rev. Code § 19.373.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.090>

[^wa-cpa-private-suit]: **RCW 19.86.090** — "Any person who is injured in his or her business or property by a violation of RCW 19.86.020, 19.86.030, 19.86.040, 19.86.050, or 19.86.060, or any person so injured because he or she refuses to accede to a proposal for an arrangement which, if consummated, would be in violation of RCW 19.86.030, 19.86.040, 19.86.050, or 19.86.060, may bring a civil action in superior court to enjoin further violations, to recover the actual damages sustained by him or her, or both, together with the costs of the suit, including a reasonable attorney's fee. In addition, the court may, in its discretion, increase the award of damages up to an amount not to exceed three times the actual damages sustained: PROVIDED, That such increased damage award for violation of RCW 19.86.020 may not exceed twenty-five thousand dollars" *Wash. Rev. Code § 19.86.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.090>

[^ca-ccpa-breach-action]: **Cal. Civ. Code § 1798.150** — "Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action" *Cal. Civ. Code § 1798.150(a)(1).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150>

[^q5-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^ga-fbpa-private-suit]: **O.C.G.A. § 10-1-399** — "any person who suffers injury or damages as a result of a violation of Chapter 5B of this title, as a result of consumer acts or practices in violation of this part, as a result of office supply transactions in violation of this part or whose business or property has been injured or damaged as a result of such violations may bring an action individually, but not in a representative capacity" *O.C.G.A. § 10-1-399(a).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A6FX3-0RK3-RWYN-91FC-00008-00>
