Author Archive | John Healey

Privacy Developments

     About twenty state privacy laws are currently in effect or will take effect by January 2026 that affect a website provider (referred to in this article as a “Processor”; note that the statutes themselves generally call the party that decides why and how personal information is processed the “controller,” or the “business” in California, and reserve “processor” for a vendor that processes on its behalf). Fortunately, the various laws share many common requirements, which simplifies compliance. This article provides an overview of those common requirements. For simplicity and brevity, the requirements are aggregated here; there are state-specific variations that must also be considered for full compliance.

     Where consent is required, Processors must obtain it from consumers through a clear, affirmative act. It is recommended that consent and agreement to the terms of use be obtained before the consumer is allowed to access the website content or has personal information collected. Consent must be freely given, specific, informed, and unambiguous, and may not be obtained through deliberately confusing or obscured means (a pre-checked box or a consent buried in the terms of use does not qualify). Explicit consent must be obtained for processing sensitive information (e.g., sexual orientation, religious beliefs, genetic data, immigration status) and for processing children’s personal information. The consumer must also be able to revoke consent in a manner as simple as that used to grant it. Processors should keep records of each consent (at minimum, what was consented to, when, by what mechanism, and which version of the policy was shown) so they can defend themselves if a consumer later repudiates the consent and claims that the Processor was processing personal information without authorization.

     Most states set thresholds that must be met before the state privacy law applies. Typically these thresholds are the processing of personal information of 100,000 or more state residents, or some lesser number of residents combined with deriving some percentage of revenue from sales of personal information. In practice, however, many Processors receive so few consumer inquiries about their personal information that they simply honor the requests without first analyzing whether the thresholds are met.

     Processors must provide a Privacy Policy that describes, among other things, the personal information the Processor processes, the personal information it shares with third parties, the categories of those third parties, the purposes of the processing, and the retention period. Additionally, the Privacy Policy must identify secure and reliable methods for exercising certain consumer rights, including the right to confirm whether the consumer’s personal information is being processed, the right to correct inaccuracies, the right to delete personal information, the right to obtain a copy of the consumer’s personal information in a portable format, and the right to opt out of targeted advertising, sales of personal information, and profiling. The Processor must provide clear and conspicuous links for opting out of targeted advertising, sales, and profiling, and must honor an opt-out preference signal sent, with the consumer’s consent, by a platform, technology, or mechanism; the Global Privacy Control signal, which a browser transmits as the “Sec-GPC” request header, is the most widely deployed example of such a signal. Personnel handling privacy requests must be trained, and Processors should maintain records documenting that training. No discrimination or retaliation is permitted against consumers who exercise their rights.
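As an added example that is not part of the original article, the following JavaScript shows how a site can recognize and honor a browser opt-out preference signal. Global Privacy Control (GPC) is the signal assumed here: a participating browser sends the request header "Sec-GPC: 1" and exposes navigator.globalPrivacyControl to page scripts; both of those are part of the GPC specification. The purpose names, the stored-preference record layout, the conflict-handling policy, and the sample request are illustrative assumptions, not the text of any statute.

```javascript
// Added example: honoring a browser opt-out preference signal (GPC).
// Assumed from the GPC specification: header "Sec-GPC: 1" and
// navigator.globalPrivacyControl === true. Everything else here
// (purpose names, record layout, conflict policy) is an assumption.

const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// Case-insensitive header lookup. Node lower-cases incoming header names,
// other frameworks may not; multi-valued headers use the first value.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// Server side. The spec defines a single "on" value, the string "1".
// Anything else ("0", "true", "yes", absent) is NOT an opt-out signal.
function gpcSignalled(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return typeof value === "string" && value.trim() === "1";
}

// Client side: same decision from a navigator-like object, injected so it
// can be tested outside a browser. Browsers that do not implement GPC leave
// the property undefined, which must read as "not signalled".
function clientSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the live signal with a stored preference record. Policy (assumed):
//   - a stored explicit opt-out always wins;
//   - the signal alone is enough to opt out;
//   - a stored explicit opt-in with no signal allows the purpose;
//   - a stored opt-in that conflicts with a live signal opts out and is
//     flagged so the site can re-prompt rather than silently override.
// `stored` looks like { sale: { optOut: false, at: "2025-01-02T00:00:00Z" } }.
function resolvePreferences(headers, stored) {
  const signalled = gpcSignalled(headers);
  const decisions = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    const explicit = stored && stored[purpose];
    if (explicit && explicit.optOut === true) {
      decisions[purpose] = { optOut: true, reason: "user_opt_out" };
    } else if (signalled && explicit && explicit.optOut === false) {
      decisions[purpose] = { optOut: true, reason: "gpc_signal", conflict: true };
    } else if (signalled) {
      decisions[purpose] = { optOut: true, reason: "gpc_signal" };
    } else if (explicit && explicit.optOut === false) {
      decisions[purpose] = { optOut: false, reason: "user_opt_in" };
    } else {
      decisions[purpose] = { optOut: false, reason: "no_preference" };
    }
  }
  return decisions;
}

// Gate a downstream action (loading an ad tag, sharing with a data broker)
// on the resolved decision for that purpose.
function allowed(decisions, purpose) {
  const d = decisions[purpose];
  return Boolean(d) && d.optOut === false;
}

// Record what was received and what was decided, so the site can later
// show that the signal was honored. Assumed record layout.
function buildSignalRecord(headers, decisions, now = new Date()) {
  return {
    receivedAt: now.toISOString(),
    secGpc: getHeader(headers, "Sec-GPC") ?? null,
    userAgent: getHeader(headers, "User-Agent") ?? null,
    decisions,
  };
}

// Constructed sample request and stored preference, not captured traffic.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const sampleStored = { sale: { optOut: false, at: "2025-01-02T00:00:00Z" } };
const sampleDecisions = resolvePreferences(sampleHeaders, sampleStored);
console.log(JSON.stringify(buildSignalRecord(sampleHeaders, sampleDecisions), null, 2));
```

The strict comparison against the string "1" matters: a site that treats any non-empty Sec-GPC value as a signal will opt out users whose browser sends "0", and a site that only checks the client-side property will miss the header on the first request before any script runs. Checking both sides, and keeping the record of what was received, is what lets the Processor demonstrate later that the signal was honored.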

     Typically, the Processor is required to respond in writing to a request to exercise a consumer right within 45 days from receipt (including any time spent verifying the identity of the requestor) and may request an extension of 45 additional days by informing the requestor within 45 days of receipt and providing a reason for the extension. The Privacy Policy shall also specify a method by which the consumer may appeal the Processor’s response, and the Processor shall have up to 60 days to respond to the appeal.  The Processor shall also provide an electronic means by which the consumer may contact the state Attorney General or other designated authority to submit a complaint if the consumer considers the appeal response to be unsatisfactory.

     The Processor must implement administrative, technical, and physical security practices to protect the confidentiality, integrity, and availability of the personal information it processes. The Processor must also conduct a Data Protection Assessment (DPA) that weighs the risks and benefits of the processing against the potential impact on the consumer, and must disclose any such DPA to a state Attorney General upon request as part of an investigation. The Processor must execute a written agreement with any subcontractor that processes personal information on its behalf. That agreement must impose a duty of confidentiality; require the return or destruction of personal information disclosed by the Processor; grant audit rights under which the Processor or its designee may assess the subcontractor’s compliance policies and procedures; and require compliance with the Processor’s instructions and with its requests for information needed for investigations, consumer rights requests, and DPAs.

     There are also new rules that apply to children. As under the Children’s Online Privacy Protection Act (COPPA), children under 13 receive additional protections. Recent state laws add provisions for minors from age 13 until they turn 18. These include a requirement that Processors considered “social media” sites determine the age of their users and ensure that minors do not spend more than one hour per day on the site without parental or guardian permission.

     There is an effort underway to legislate a federal privacy law, which could supersede the current state-by-state approach. Such an effort faces obstacles. The United States Constitution contains no express general right of privacy; elements of privacy appear in various amendments, such as the protection from unreasonable search and seizure, but there is no broad constitutional right of privacy on which Congress can build. Federal privacy law has therefore generally been incidental to other federal powers, such as regulating interstate commerce or the internal administrative practices of the government itself.

  Please contact The Internet Law Group if you wish to discuss your Privacy Policy and Terms of Use to ensure it is up to date.


TILG Releases Terms of Use and Privacy Policy Practical Guidance Videos

These excerpts from Practical Guidance, a comprehensive resource providing insight from leading practitioners, are reproduced with the permission of LexisNexis. Reproduction of this material, in any form, is specifically prohibited without written consent from LexisNexis.


New Privacy Notice and Compliance Requirements Taking Effect in 2023

Multiple state privacy acts take effect in 2023. Typically, these laws require website operators to implement certain compliance measures and to post a Privacy Notice informing consumers of their rights and of the method for exercising those rights. As of January 1, 2023, state privacy laws already in effect include Virginia’s Consumer Data Protection Act and the California Privacy Rights Act, which amends and expands the California Consumer Privacy Act. Nevada’s Security and Privacy of Personal Information Statute is also already in effect, but its narrow scope makes it less applicable to website operators. Both Connecticut’s Personal Data Privacy and Online Monitoring Act and the Colorado Privacy Act become effective on July 1, 2023. The Utah Consumer Privacy Act becomes effective on December 31, 2023. Additional states are developing privacy laws, and more new laws are likely in the future.

Similarities among these state laws generally include consumer rights such as access to, correction of, and deletion of personal information, and the right to obtain a copy in a portable format. The laws also specify how the website operator must enable consumers to request the exercise of these rights, the time periods allowed for the operator’s response or extension request, and, in some cases, an appeal process when requests are denied. Unfortunately, the state laws are not consistent enough to permit compliance with a single “one size fits all” policy. Most website operators will likely find it advisable to segment their Privacy Policy so that each state’s requirements are addressed independently of the others.

Federal privacy laws are limited in scope and address subsets of privacy concerns, such as the Children’s Online Privacy Protection Act and the Health Insurance Portability and Accountability Act. When developing or modifying a Privacy Policy to address the new state laws, a website operator must still ensure compliance with federal requirements.

The Internet Law Group is available to consult concerning these new state requirements and to assist preparation of the necessary compliance materials. If you have questions concerning state privacy laws, please contact us at info@tilg.us.
