At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 2.1.1. Categories of Personal Information and Sources of Personal Information
- 2.1.2. Business or Commercial Purposes for Collection
- 2.1.3. Information About Selling or Sharing
- 2.1.4. Information About Disclosure for Business Purposes
- 2.1.5. Sensitive Personal Information
- 2.1.6. Consumer Rights
- 2.1.7. Other Requirements
- 2.3.1. Data Processing, Purposes, and Sharing
- 2.3.2. Consumer Rights
- 4. Summary
- California Online Privacy Protection Act (CalOPPA)
- California Consumer Privacy Act/Privacy Rights Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Connecticut Data Privacy Act (CTDPA) (takes effect July 1, 2023)
- Colorado Privacy Act (CPA) (takes effect July 1, 2023)
- Utah Consumer Privacy Act (UCPA) (takes effect December 31, 2023)
All of these laws apply differently. If you're unsure whether a law applies to you, click the relevant link above to read our full article about it.
- Health Insurance Portability and Accountability Act (HIPAA)
- Children's Online Privacy Protection Act (COPPA)
- Gramm-Leach-Bliley Act (GLBA)
This article won't address these laws. If you want more information, click one of the links above.
Now let's look at what each state law requires.
The CPRA amends the California Consumer Privacy Act (CCPA), which took effect in 2018. When people refer to the CCPA, they normally mean the CCPA as amended by the CPRA. We'll stick with "CCPA (CPRA)" to make the distinction clear.
Categories of Personal Information and Sources of Personal Information
The CCPA (CPRA) also requires that you list the categories of sources from which you collect personal information.
Some personal information might come from the consumer directly. You might also receive personal information from third parties. "Categories" of sources might include, for example, "marketing providers."
Here's how MarchingOrder does this:
Business or Commercial Purposes for Collection
The CCPA (CPRA) requires you to identify the business or commercial purpose for which you collect personal data. The draft CPRA Regulations add that you must explain this in "a manner that provides consumers a meaningful understanding of why the information is collected."
Here's how Snap explains its purposes for collecting category "C" information:
Information About Selling or Sharing
The CCPA (CPRA) requires that you notify consumers of the categories of personal information that you have sold or shared with third parties over the preceding 12-month period. If you haven't sold or shared any information with third parties in this period, you must disclose this.
Note that the terms "share," "sell," and "third party" all have specific definitions.
For more information, check out our articles CCPA: What Constitutes a "Sale" of Personal Information? and CCPA: What Constitutes "Sharing for Business Purposes."
Alongside each category of personal information you have sold or shared with a third party, you must identify the category of the third party to which the personal information was shared or sold.
You must also provide the business or commercial purpose for selling or sharing the personal information.
Here's how U.S. News does this:
This table shows which categories of personal information U.S. News has collected, alongside information about how the company has shared that information. However, the presentation could be more precise. It's arguably unclear which category corresponds with which purpose.
You must also disclose whether you have "actual knowledge" of selling or sharing personal information about a consumer under 16 in the preceding 12-month period.
Here's how CBRE does this:
Information About Disclosure for Business Purposes
See our CCPA: What Constitutes "Sharing for Business Purposes?" article for more information about what this means.
The rules here are the same as above. With reference to the previous 12 months, you must disclose:
- The categories of personal information you have disclosed for business purposes
- For each category of personal information, the categories of third parties to whom you disclosed the personal information, and
- Your business or commercial purposes for disclosing the personal information
Here's how Videoamp explains the categories of third parties to which it has disclosed personal information for a business purpose:
Sensitive Personal Information
Here's how Clarivate does this:
The "right to know" what personal information you collect about a consumer, including
- The categories of personal information
- The categories of sources of the personal information
- Your business or commercial purpose for collecting, selling, or sharing personal information
- The categories of third parties to whom you disclose personal information
- The specific pieces of personal information you have collected about the consumer
- The "right to delete" personal information, subject to certain exceptions
- The "right to correct" inaccurate personal information
- If you sell or share personal information, the "right to opt-out"
- If you use or disclose sensitive personal information (unless covered by an exemption), the "right to limit" the use or disclosure of sensitive personal information
- The "right to non-discrimination" and "right to non-retaliation"
You must also provide information about how consumers can exercise their rights, including:
- The methods you provide for submitting a request
- Instructions for submitting a request, including any links to an online request form or portal for making such a request
- If you sell or share personal information, a copy of your "Notice of Right to Opt-out of Selling or Sharing" (or a link to it)
- If you use or disclose sensitive personal information for non-exempt purpose, the contents of your "Notice of Right to Limit" (or a link to it)
- A description of how you verify a consumer's identity, including any information the consumer must provide
- An explanation of how you treat opt-out preference signals and how the consumer can use an opt-out preference signal
- If you process opt-out preference signals in a frictionless manner, information on how consumers can implement opt-out preference signals to ensure you process them frictionlessly
- Instructions on how an authorized agent can make a request under the CCPA on a consumer's behalf
- If you have "actual knowledge" that you sell the personal information of consumers under 16, a description of the "right to opt in," both for consumers under 13 and consumers under 16
- Contact information if consumers want to learn more about your privacy practices
Here's how Tunnl provides much of the information above:
Larger businesses that buy, sell or share personal information about more than 4 million consumers must report some additional metrics. You can read about these requirements here.
CalOPPA applies more broadly than the CPRA, but is much simpler to comply with. The law covers any website or app that collects personal information about people in California. This covers websites and apps using cookies for analytics or marketing.
Let's break that down.
CalOPPA requires you to list:
- The categories of personal information your website collects
- The categories of third parties with whom you may share personal information
Note that CalOPPA defines "personal information" more narrowly than the CCPA (CPRA). Here's an article about the differences between the two laws if you want to learn more.
Here's how NeuBase discloses its sharing of personal information:
Here's how Let Kids Learn does this:
You must also disclose:
- Whether you honor "Do Not Track" (DNT) signals
- Whether you engage in cross-context behavioral advertising
Here's how G2, Inc. does this:
California isn't the only state with these types of requirements. Next we'll look at additional U.S. states and the laws they enforce.
C. Controllers shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
1. The categories of personal data processed by the controller;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights pursuant to section 59.1-573, including how a consumer may appeal a controller's decision with regard to the consumer's request;
4. The categories of personal data that the controller shares with third parties, if any; and
5. The categories of third parties, if any, with whom the controller shares personal data.
Here's the equivalent part of Connecticut's CTDPA:
And finally, here's the relevant section of Utah's CPA:
The requirements in these four states are very similar. Each requires you to list:
- The categories of personal data you process ("process" means collect, share, or use practically in any way),
- Your purposes for processing each category of personal data
- Information about consumer rights,
- The categories of personal data you share with third parties (if any), and
- The categories of third parties with whom you share personal data (if any)
Let's look at some examples of how businesses are meeting these requirements.
Data Processing, Purposes, and Sharing
Each of these four state laws requires you to explain what personal data you process, your purposes for processing it, and how you share it.
Here's how Kroll lists the categories of personal data it processes:
Note that unlike the CCPA (CPRA), none of these other state laws provides a predetermined list of categories of data.
You must provide your purposes for processing each category of personal data.
Here's how Vox Media explains its purposes for processing pixel tags:
You might choose to present this information together.
Here's how Kaplan explains the third parties with whom it may share personal data, alongside information about the categories of personal data it processes and its purposes for processing:
Each of these four state laws requires that you disclose consumers' rights and explain how to exercise those rights. Note that there are some differences between the rights offered under each of these four state laws.
Here's how Forbes lists the consumer rights under Virginia's VCDPA:
Here's how Brown & Brown Insurance explains how consumers can exercise their rights. Note that the company also explains some of the rules and expectations regarding the process:
Each law except Utah's requires you to explain how consumers can appeal against a decision regarding their rights.
Here's how Chicory does this:
- On your website homepage
- On the "download or landing page" of your mobile app (if you have one)
- In your mobile app's "settings" menu
Here's how Guardian Industries does this:
If you're separating states into separate Privacy Policies, you could use separate links. But you don't have to.
Here's how Scientific American does this:
Here's how Amazon does this: