USA: An overview of state data privacy laws part four - data subject rights and privacy policy requirements

In this Insight article, Sheri Porath Rockwell and Ernesto R. Claeyssen, from Sidley Austin LLP, discuss data subject rights and privacy policy requirements under the patchwork of 13 US states' comprehensive data privacy laws that have been passed as of the date of this article; while part three of the operational Insight series on what companies need to do in order to comply with US privacy laws looks into the privacy compliance requirements triggered by the sale of personal information. Sheri and Ernesto confirm that data subject rights and privacy policy requirements under these laws are similar in many respects, but also highlight important differences between the laws.[1]

A note regarding terms used in this article:  

  • 'consumers' are the individuals who are subject to the law in each state;
  • 'controllers' are the entities that control the collection of consumers' personal data (referred to as businesses under California law); and
  • 'personal data' encompasses personal information as defined under California law.

Data subject rights in US state data privacy laws 

Right to know: Under each of the state laws, consumers have the right to know whether a controller processes their personal data. Laws in California and Oregon give consumers more expansive rights to know. Under California law, consumers have the right to know the following information as it relates to collection, processing, or disclosures of personal data collected and maintained from or about the consumer during the 12-month period preceding receipt of the request and, upon further request, with reference to data collected on or after January 1, 2022:  

  • categories of personal data a business has collected about them;  
  • the categories of sources from which the personal data was collected;  
  • the business or commercial purpose for which personal data was collected, sold, or shared (as defined under California law);  
  • the categories of third parties to which the business disclosed personal data;  
  • the categories of personal data that the business sold or shared, and for each category identified, the categories of third parties to which it sold or shared that particular category of personal data; and  
  • the categories of personal data that the business disclosed for a business purpose, and for each category identified, the categories of third parties to which it disclosed that particular category of personal data.  

If a controller can demonstrate that providing this information beyond the 12-month period preceding the date of the request 'proves impossible' or requires 'disproportional effort' (which is a defined term under the law), it need not provide substantive responses beyond that 12-month lookback; however, it must include a detailed explanation as to why it cannot do so.  

The right to know under Oregon's law requires identification of specific third parties to whom a controller discloses either the specific requestor's personal data or the personal data of all consumers, unless such disclosures are trade secrets under Oregon law. Based upon the Oregon privacy law's definition of a 'third party,' this does not require the disclosure of the names of processors or affiliates of the controller or processors. Oregon law also gives consumers the right to know the categories of personal data a controller 'is processing or has processed,' although the statute is silent with respect to any applicable lookback period. 

Right to access/right of portability: All of the state laws, with the exception of Indiana, include the right to obtain a copy of personal data collected or processed by the controller and to have such data provided in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person or entity without hindrance. There are, however, important variations amongst the laws. For example, laws in Connecticut, Delaware, Iowa, Montana, Tennessee, Utah, and Virginia limit access/portability rights to personal data that is processed by 'automated means.' Laws in Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia provide access/portability rights only with respect to data that a consumer has provided to the controller, which would exclude, for example, personal data a controller may have purchased from third parties. Colorado law expressly provides that this right of access encompasses personal data that consists of final profiling decisions that have legal or similarly significant effects, inferences, derivative data, marketing profiles, and personal data created by controllers.  

Indiana law stands alone in that it allows controllers to decide whether they want to provide a copy or just a 'representative summary' of the consumer's personal data. Either way, the data in scope is only that which a consumer has provided to the controller and which the controller has then processed by automated means.  

Controllers are generally not required to respond to requests in a manner that would reveal trade secrets, and several laws limit controllers' obligations to maintain, associate, or reidentify information solely for the purpose of responding to data subject requests.  

Right to correct: Laws in all of the states, with the exception of Utah and Iowa, give consumers the right to request that a controller correct identified inaccuracies in their personal data, taking into account the nature and purpose of the processing of such personal data.  

Right to delete: All of the state laws give consumers the right to make requests for the deletion of their personal data, subject to exceptions for data uses such as compliance with laws, fulfilling customer orders, and fraud detection. The scope of this right varies by state. Laws in California, Iowa, and Utah provide deletion rights only for personal data that was collected directly from a consumer, while the deletion right in other laws applies to all personal data about or concerning a consumer that is collected by a controller, regardless of the source.  

Rights regarding the use of sensitive information: The majority of state laws require controllers to obtain consent before they can process sensitive personal data and also provide consumers with a way to later withdraw their consent. Exceptions are laws in California, Utah, Iowa, and Florida. California law provides opt-out rights to the extent such data is used for profiling, and Iowa, Utah, and Florida provide opt-out rights for the processing of sensitive personal data more generally. While the definition of sensitive personal data varies across these laws, the definitions across all of the laws include personal data that reveals racial or ethnic origin, religious beliefs, citizenship status, sexual orientation, genetic or biometric data (in most cases when processed for the purpose of uniquely identifying an individual), and variations on the collection of personal data from or about children under 13 years of age. Some of the more novel definitions of sensitive personal data include status as a victim of crime (Connecticut and Delaware laws) and status as transgender or non-binary (Delaware and Oregon laws).  

Right to opt out of sale: All of the laws give consumers the right to opt out of the sale of their personal data. However, the definition of 'sale' varies by state. The majority of laws define a sale broadly to mean the exchange of personal data for 'monetary or other valuable consideration;' however, laws in Indiana, Iowa, Tennessee, Utah, and Virginia limit the definition to the exchange of personal data only for monetary consideration. All of the laws, with the exception of California's law, carve out from the definition of 'sale' disclosures to affiliates, subsidiaries that are controlled, or parent companies that control a controller. Of the laws that exempt disclosures to affiliates, most define an affiliate as an entity that shares common branding with the controller entity without regard to the controller's control over or by the affiliate entity. The exceptions are Oregon (which does not include co-branded entities in the definition of an 'affiliate') and Virginia (which does not define 'an affiliate').  

Right to opt out of sharing/targeted advertising: California law gives consumers the right to opt out of the sharing of personal data for the purpose of cross-context behavioral advertising, while the other laws provide for a broad right to opt out of all targeted advertising. Cross-context behavioral advertising is defined to mean the targeting of advertising based on a consumer's personal data obtained from their activity across websites, applications, businesses, or services other than the website, application, business, or service with which the consumer intentionally interacts. Targeted advertising is generally defined more narrowly to mean advertising based on a consumer's data obtained from their activity 'over time and across one or more unaffiliated websites and online applications that is used to predict a consumer's preferences or interests.' Florida law is the only one that extends the definition of targeted advertising to affiliated websites or online applications.

Right to opt out of profiling: All of the laws, with the exception of Iowa and Utah, include the right to opt out of 'profiling.' The California law defines the term broadly as any form of automated processing that evaluates aspects related to natural persons to analyze or predict aspects of a person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Regulations have not yet been issued that define the precise scope of California's profiling opt-out right. Laws in several other states provide an opt-out right only with respect to profiling that is used in furtherance of decisions that produce 'legal or similarly significant effects.' This is generally defined to mean decisions made by the controller that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to either 'basic necessities' or 'essential goods or services.' 

Exercising consumer rights and time periods to respond: Under all of these laws, consumers may exercise their data subject rights by submitting requests directly to a controller and parents may submit requests on behalf of their children. The laws in Colorado, Connecticut, Delaware, and Oregon allow agents authorized by consumers to exercise opt-out rights on a consumer's behalf, subject to verification requirements. California law allows authorized and verified agents to exercise all data subject rights on behalf of consumers.  

Laws in California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas require controllers to observe universal opt-out signals sent by a platform or technology that communicates consumers' choice to opt out of a sale or targeted advertising across several sites, rather than requiring consumers to make site-by-site opt-out choices.  

Controllers are generally given 45 days after receipt of requests in which to provide a substantive response; Iowa is the outlier, as it allows for a 90-day response time. California law imposes a shorter response time of 15 business days by which controllers must respond to opt-out requests and requests to limit the use of sensitive data. Laws in states other than California and Utah include a right to appeal a controller's denial of a request, with considerable variation by state with respect to the period of time in which consumers must appeal and the time controllers have in which to process appeal requests.  

Privacy policy requirements in US state data privacy laws 

All of the state data privacy laws require controllers to conspicuously post a privacy policy, require that policies be easy to read and accessible to consumers, and specify what must be included in such policies. While there are several privacy policy requirements that are common across all of the laws, several have bespoke disclosure requirements and varying definitions of key terms (e.g., sale of personal data).  

All of the laws require controllers to include at least the following information in the privacy policy:  

  • categories of personal data collected;  
  • purposes for collecting or processing such personal data;  
  • categories of personal data disclosed, shared, or sold to third parties;  
  • categories of third parties with which personal data was disclosed, shared, or sold; and  
  • information regarding how to exercise data subject rights, including how to exercise opt-out rights and information regarding rights to appeal controllers' responses to such requests, if applicable.  

Many laws include additional privacy policy disclosure requirements. A comprehensive description of each state's unique requirements is beyond the scope of this article; however, we will summarize some of the more significant privacy policy requirements. For example, California law uniquely requires entities to disclose the categories of sources from which entities collect personal data, requires disclosures regarding collection practices during the 12 months prior to the date of the policy, and requires disclosure of data retention practices. California law also requires disclosures regarding financial incentives or loyalty programs, and companies of a certain size must disclose or link to metrics about responses to data subject requests received in the year prior to the date of the policy. California is likely to have additional disclosure requirements once additional regulations implementing the state's privacy law, including those regarding automated decision-making practices, come into effect.

Most states that provide rights to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects do not require disclosures about the fact or details of such profiling other than to advise consumers of their right to opt out of such profiling; laws in Colorado and Oregon are the exceptions. Colorado law has extensive disclosure requirements for such profiling, including descriptions of the logic involved, degree of human involvement, and steps taken to detect bias in such profiling, while Oregon law requires a description of processing of personal data for such profiling.  

With respect to sensitive personal data, several state laws require that privacy policies identify the categories of such data that are collected or processed. Colorado law includes extensive disclosure requirements for some types of sensitive data inferences, including an explanation of the logic used in the profiling process, how profiling is used in the decision-making process and the role of human involvement, whether the system has been evaluated for accuracy, fairness, or bias and the outcome of such evaluation, and benefits and potential consequences of the decision based on the profiling. California law requires disclosure of whether sensitive data is processed to profile individuals or use it in ways that are subject to that state's right to limit the use of such data.  

While not specific to privacy policies, the comprehensive state data privacy laws in Florida and Texas require controllers that sell either sensitive personal data or biometric data to post a notice in the same manner as a privacy policy (e.g., the footer of a web page) that reads: 'NOTICE: This website may sell your [biometric or sensitive] personal data.'  

In the absence of a broad federal data privacy law with preemption provisions, practitioners will need to understand the important differences amongst each of the US state data privacy laws when it comes to data subject rights and privacy policy requirements. This Insight article highlights some of the more significant similarities and differences, but does not comprehensively describe bespoke requirements under each state's law, nor does it address the types of personal data that may be exempt from data subject rights or privacy policy disclosure requirements under some of these laws (e.g., B2B data and personal data subject to sector-specific laws such as HIPAA).   

Sheri Porath Rockwell, Counsel
Ernesto R. Claeyssen, Associate
Sidley Austin LLP, California

[1] This information is being provided for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Further, the authors of this article are not licensed to practice law in each of the jurisdictions mentioned.