US state privacy laws are imposing new requirements on businesses with significant new legal and technical implications.
These US state privacy laws provide customers more control over their personal information by granting additional rights and requiring businesses to be transparent about their privacy practices. There are, however, significant differences in scope, consumers’ rights, and enforcement. See our US privacy cheatsheet for more information.
Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting.
With iubenda, you can meet these new legal requirements.
US state privacy laws require you, among other things, to provide your users with an up-to-date Privacy Policy that includes specific information, such as US users’ privacy rights and a description of your personal information processing practices.
With our Privacy and Cookie Policy Generator, you can now enable, with a single US toggle, a compliance solution for all US state privacy laws that we currently support and ALL upcoming US state legislation that we will support in the future.
🔎 For an overview of the US state privacy laws that we currently support and the main related requirements you can check our guide
👉 Generate your US Privacy Policy or update your existing policy by clicking “Enable disclosures for users residing in the United States” to activate the new US-specific sections and clauses.
You can find the switch here:
This allows you to consider your specific case and react to where your users/clients are based and choose accordingly.
Once you have enabled it, you will see that a link to the US-specific section has been added to your Privacy Policy.
When you enable “Enable disclosures for users residing in the United States” in the legislation-specific standards, various US-related options will appear on all services you add to your Privacy and Cookie Policy:
If you select the option “Mark as a third-party service” you will see the following sub-options:
Under US state privacy laws, third parties are defined as a person or legal entity who is not any of the following:
(1) The business with whom the consumer intentionally interacts and collects personal information from the consumer as part of the consumer’s current interaction with the business under this title.
(2) A service provider to the business.
(3) A contractor.
If the service is not a third party as per the above definition, the sub-options for sale/sharing and targeted advertising should not apply.
We introduced an automated services mapping feature that displays the checkboxes as pre-selected according to the definitions of sale, sharing and targeted advertising set by applicable laws.
For custom services (those added from “Create custom service”) all checkboxes will be presented as unchecked, and you can make the appropriate selections.
When you mark the processing by a service as falling within the categories listed above, the related wording will be automatically added to or removed from the privacy policy section dedicated to the relevant US state we cover.
Any predefined setup can be freely overwritten and you should customize it according to your specific case.
💡 Since the definitions of targeted advertising, sale and sharing may vary from state to state, as may the exceptions to these legal concepts, we strongly suggest that you check them in depth, for example with the help of our US privacy cheatsheet – Comparison table.
When you enable “Enable disclosures for users residing in the United States” in the legislation-specific standards, for some services, where applicable, you will see a new field at the service level called “Sensitive Personal Data”.
For each of these services, you can select one or multiple sensitive personal data types, as shown below:
The definition of sensitive data may vary according to the applicable US state law. When you select specific sensitive data here, it will be displayed in the privacy policy as sensitive data processed by you (only in the section of the policy with disclosures pertaining to the relevant US state).
💡 Consult our comparison table on the definition of sensitive data across the US state laws we cover.
Our Privacy and Cookie Policy Generator offers additional clauses related to specific processing activities, as required by some US state privacy laws. This includes, among others, clauses related to the processing of children’s personal information and to the processing of personal data of consumers for the purpose of profiling activities:
These additional clauses can be of great help, but they contain broad and generic descriptions since we do not know exactly how you process your users’ personal information. Therefore, we highly recommend that you check if they apply to your case and, if needed, describe your processing activities in more detail by adding custom clauses.
💡 For more information on privacy policies click here.
If you process consumers’ personal information for certain purposes, including but not limited to, targeted advertising, sale or sharing, some of the US state privacy laws require you to:
Our Privacy Controls and Cookie Solution helps you comply with these requirements.
Once you have completed the activation of the new US-specific clauses within the Privacy and Cookie Policy Generator, make sure the “US State Laws” option within the Privacy Controls and Cookie Solution is enabled: the solution will auto-configure to help you meet the new US requirements, allowing your users to exercise their right to opt out.
👉 Simply select where you and your users are based while configuring the Privacy Controls and Cookie Solution, and the solution will do the rest!
Haven’t generated a Privacy Policy with us, or simply want to customize things yourself?
Within the Privacy Controls and Cookie Solution Generator simply enable the US State Laws option and the support to manage users’ opt-out preferences (if applicable).
To do this, make sure you toggle on US State Laws and click on the Edit button.
Next, click on Manual configuration and select the options that apply to your case:
The U.S. Privacy Signal (USP) served as the CCPA Compliance Mechanism: an API through which websites and apps communicated U.S. privacy signals to third parties and vendors as part of the compliance process. This signal, last revised in 2020, has been officially deprecated as of January 31, 2024. In its place, the Global Privacy Platform (GPP) provides a more comprehensive solution that addresses advertising-related privacy considerations across the United States with broader coverage.
🚀 iubenda has been ahead of the curve, adopting the GPP signal in alignment with the standards for US state laws since December 2022, and supporting the new GPP v1.1 since September 23, 2023. If you have not updated your configuration since this change, it is crucial to address this immediately.
Replace the deprecated __uspapi API with the new __gpp API, as outlined in the CMP API Specification. This update can enhance your alignment with broader advertising and privacy considerations in the U.S.
Learn more about the Global Privacy Platform
Short answer: no, you don’t need one.
Under the US state privacy laws, a privacy “banner” does not represent a specific requirement, as legislators have generally followed an opt-out approach (certain exceptions apply, see our dedicated guide on the processing of sensitive data, for example). This means that, in most cases, you may perform processing activities, without obtaining users’ prior consent, up until the moment in which users decide to actively deny their consent to such processing.
That’s why you don’t need a privacy “banner”.
The Privacy Controls must be easily accessible, in order to allow your users to freely exercise their privacy preferences at any time. Furthermore, some US state laws, such as the CCPA, as amended by the CPRA, set a mandatory predefined format (the white and blue icon shown below) and label (“Your privacy choices”) for the link to the Privacy Controls.
Our Privacy widget helps you to comply with all these requirements in the easiest way possible: a small, unobtrusive widget, with a predefined format and label, will be displayed on every page of your website after your user has set their preferences.
To do this, under the Style & Text section, click Edit on the Privacy widget box, then simply choose the option to add it Manually.
If you choose to add the link manually, remember to place it on your website/app in an easily accessible spot, for example, the footer or the application settings.
The CCPA, as updated by the CPRA, requires you to make the Notice at Collection readily available where consumers will encounter it at or before the point of collection of any personal information, including sensitive personal information (if applicable). For example, by posting a conspicuous link to the notice on the introductory page of your website or in the settings menu of your app and on all web pages where personal information is collected.
The purpose of the Notice at Collection is to give consumers timely notice of the categories of personal information (including sensitive personal information) to be collected from them, covering the preceding 12 months, the purposes for which such information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over your use of their personal information.
To learn more about what should be included in the Notice at Collection, read our guide.
🔎 Thanks to an advanced feature of our Privacy Policy generator you can easily comply with the 12-month look-back period requirement.
If you delete all the services that were using a specific personal information category, the Notice at Collection will automatically update to clarify that you collected that category in the past 12 months but you are no longer collecting it. Once the 12-month period lapses the category will be permanently removed from the Notice at Collection.
You can also manually permanently remove a category by deleting the service from the “Recently deleted” services tile in the Privacy Policy Generator.
Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this CCPA/CPRA requirement.
To do so:
Under certain US state laws, in order to process consumers’ sensitive personal information, you need to obtain their prior consent.
That’s why you should provide a choice mechanism on your website/app that allows users to freely give (or withdraw) their consent to the processing of their sensitive personal information.
Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this requirement. To know how and learn more about the definition of sensitive personal information according to the different US state privacy laws, read our dedicated guide.
If the user chooses to opt out of the sale of their data, this choice must be honored. There are three ways to make sure of this.
In this case, our integration with the IAB Global Privacy Platform (GPP) and CCPA/CPRA Compliance Framework will take care of notifying the vendors that an opt-out from sale has occurred.
This is, for instance, the case with Google, which allows you to send a specific signal whenever an opt-out has occurred. The instructions are provided in this article and apply to Google Ads and Google Analytics.
Other vendors may provide similar instructions.
In this case, you’ll have to apply the class _iub_cs_activate to the script tag of each of these services, change the type attribute from text/javascript to text/plain, and add the applicable data-iub-purposes="..." attribute with comma-separated purpose IDs, e.g. data-iub-purposes="s,sh,adv,sd8".
This is the list of purposes handled by the Privacy Controls and Cookie Solution:
s → selling of personal info
sh → sharing of personal info
adv → targeted advertising
sd8 → sensitive data, precise geolocation data
<script class="_iub_cs_activate" type="text/plain" data-iub-purposes="..." src="...">
...
</script>
This can be done manually or via a tag manager like Google Tag Manager.
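The following is an added example (not iubenda’s own code) that models the gating mechanism described above: a script tagged with the _iub_cs_activate class and type="text/plain" stays inert, and is only re-injected as a live script when the user has opted out of none of the purposes listed in its data-iub-purposes attribute. The purpose IDs are the four listed on this page; the opt-out set, the fail-closed handling of unknown IDs, and the activation helper are assumptions of this example.

```javascript
// Added example, not iubenda's implementation. Purpose IDs are taken from
// the list above; everything else is an assumption for illustration.
const PURPOSES = {
  s: "selling of personal info",
  sh: "sharing of personal info",
  adv: "targeted advertising",
  sd8: "sensitive data, precise geolocation data",
};

// Parse data-iub-purposes="s, sh,adv" into a trimmed list of IDs.
// Unknown IDs are kept so the caller can see them and fail closed.
function parsePurposes(attr) {
  return String(attr || "")
    .split(",")
    .map((p) => p.trim())
    .filter((p) => p.length > 0);
}

// A blocked script may run only if every purpose is known AND the user has
// opted out of none of them. Under the opt-out model an empty opt-out set
// allows everything; an unrecognised ID keeps the script blocked (fail closed).
function mayActivate(purposeIds, optedOut) {
  return purposeIds.every((p) => p in PURPOSES && !optedOut.has(p));
}

// Walk a document and re-inject each eligible blocked script as a real
// text/javascript script so the browser executes it. Ineligible scripts
// stay inert as type="text/plain". Returns the scripts that were activated.
function activateBlockedScripts(doc, optedOut) {
  const activated = [];
  for (const el of doc.querySelectorAll("script._iub_cs_activate")) {
    if (el.getAttribute("type") !== "text/plain") continue; // already live
    const purposes = parsePurposes(el.getAttribute("data-iub-purposes"));
    if (!mayActivate(purposes, optedOut)) continue;
    const live = doc.createElement("script");
    live.type = "text/javascript";
    if (el.getAttribute("src")) live.src = el.getAttribute("src");
    else live.textContent = el.textContent;
    el.replaceWith(live); // replacing the node triggers execution
    activated.push(live);
  }
  return activated;
}
```

In a browser, call activateBlockedScripts(document, new Set(["s", "sh"])) after the user’s choices are known; scripts tagged with "s" or "sh" stay blocked while an "adv"-only script is released.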
We have significantly extended our solution to meet the requirements of current US state laws, and to be ready for what comes next.