State laws in the United States, including the California Consumer Privacy Act (CCPA), are privacy regulations that vary from state to state. These laws aim to protect the privacy rights of individuals within their respective states. It is important to understand and comply with the specific privacy laws applicable to your state.
When generating privacy policies with iubenda or any other service, ensure that the generated documents comply with the relevant state laws. These documents should include provisions that align with the legal standards defined by the specific state’s privacy laws. The added provisions should apply only to users to whom you are required to offer specific rights and protections under the applicable state law.
When enabling specific options related to state laws, the generator should indicate which services or activities may be considered a sale under the state’s definition. This helps ensure transparency and compliance with the respective state’s privacy regulations.
How to activate the US State law Text
To ensure compliance with applicable state privacy laws, follow these general steps to activate the relevant provisions in your privacy policy generator:
log in to your admin area
enter the editing of your privacy policy, which can be found via Dashboard, then click on your policy and go to Edit from the privacy policy section
under the heading “Enable disclosures for users residing in the United States” select Enable
By enabling these disclosures, you are indicating your intent to comply with the privacy standards defined by US State laws. This feature helps ensure that the generated privacy policy aligns with the specific requirements and rights afforded to users in the respective state.
How to activate/modify a Service’s declaration of sale within the generator
The solution will also indicate and highlight services that may be considered to be a sale under the definitions – as consumers must be able to identify and opt out of these services.
In the services panel, whenever you add a service that could be considered a sale, the following options will be made available. If the service has fields that require customization, you will see these checkboxes within the usual customization screen (which typically appears after adding that service).
Once enabled, your policy will display a section that informs readers that a sale is happening, that they have the right to opt out and will likely also give several options to do so. The current opt-out options given within the privacy policy are opt-out via links or via getting in touch.
If you deselect the pre-checked “consider as sale …” checkboxes or the generator determines that no sale is happening (based on the services you selected when creating your policy), your privacy policy will display a small statement to that effect.
Caution should be exercised when determining whether a specific activity constitutes a “sale” under the various state privacy laws. While default settings may be in place to help guide the classification, it is highly recommended to double-check and assess your specific situation. Consulting with a legal professional can provide valuable insights and ensure accurate interpretation and application of the relevant state laws.
Once activated and saved within the generator, your embedded privacy policy is automatically updated with the text – no need to re-integrate the code on your site!
California Consumer Privacy Act (CCPA)
Important note regarding the personal information of minors
If your processing activities constitute a sale (as mentioned above) under the CCPA, and this processing potentially includes the personal information of minors, you will need to make some additional disclosures by selecting from the following services within the generator.
1) No collection of personal information from minors under 16 – you do not knowingly collect personal information of consumers who are below the age of 16. The service to add to the privacy policy is called “CCPA: Collection of personal information about minors”
2) Minors between 13 and 16 – you do collect personal information of consumers between 13 and 16 and won’t sell their data unless those consumers have opted in. The service to add to the privacy policy is called “CCPA: Collection of personal information about consumers aged 13 to 16”
3) Minors below 13 – you collect personal information of consumers below 13 and won’t sell their data unless their parents or guardians have opted in on behalf of those minors. The service to add to the privacy policy is called “CCPA: Collection of personal information about consumers below the age of 13”
Please note that 2) and 3) are not mutually exclusive, they can be used at the same time. Additionally, be sure to review your processes to ensure that you meet CCPA requirements regarding minors.
Additional CCPA Requirements
Toll-free number indication
If you run a business that doesn’t operate exclusively online and has a direct relationship with the user, then you must indicate “two or more designated methods” for submitting CCPA requests. One of these methods must be a toll-free telephone number. You can easily add this information via the “Owner field” within the generator.
Update your privacy policy every 12 months
The CCPA also requires the following:
You must display the date the privacy policy was last updated. – iubenda puts that date in the footer of the privacy policy;
Information in the Privacy Policy or Policies must be updated at least every 12 months. – If changes are made during this period to a privacy policy, iubenda automatically updates the date in the footer of the policy. However, if no changes were made within the last twelve months, you can (recommended) force-update the date of the privacy policy as an indication to the user that the information is up-to-date.
What changes have been made to the policy text?
In addition to the above information, you can find a summary of the changes introduced to meet CCPA requirements here.
CCPA policy additions
plain-language clauses as recommended under US law;
a section that holds the bulk of CCPA-relevant disclosures:
outlining the purposes of processing,
outlining the sources of the data collection,
outlining the particular categories of personal information collected over the last 12 months,
which informs users of their rights under the CCPA and how those rights can be exercised,
which details how and when exercised rights will be honored,
informing consumers on how they can opt out;
information added to the privacy policy highlighting the services that constitute a sale under the CCPA;
information added to the privacy policy regarding what category of personal information a particular activity belongs to; and
any other CCPA terminology and definitions.
Once activated and saved within the generator, your embedded privacy policy is automatically updated with the CCPA text – no need to re-integrate the code on your site!
Want to learn more about the CCPA and its full requirements? Read the How to Comply section of our detailed CCPA guide.
Virginia Consumer Data Protection Act (VCDPA)
VCDPA policy additions
Categories of personal data processed by your organization.
Organization’s purpose for processing personal data.
How users may exercise their rights, including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.
Categories of personal data that your organization shares with third parties if any.
Categories of third parties, if any, with whom your organization shares personal data.
Additional information
Specific service clauses related to the VCDPA include:
Profiling of Virginia consumers;
Collection of personal data about Virginia consumers below the age of 13; and
We do not collect personal data about Virginia consumers below the age of 13.
To enable the new US-specific clauses, simply click “Enable disclosures for Users Residing in the United States” from within the Privacy and Cookie Policy Generator. This will allow you to meet the strictest of US standards.
Colorado Privacy Act (CPA)
CPA policy additions
CPA privacy notice includes the following:
Categories of personal data collected or processed.
Purposes for which the categories of personal data are processed.
How and where consumers can exercise their rights, including the contact information and how to appeal a controller’s action with regard to a consumer’s request.
Categories of personal data that are shared with third parties, if any;
Categories of third parties with whom the personal data are shared, if any.
Utah Consumer Privacy Act (UCPA)
UCPA policy additions
Categories of Personal Data Processed: Identify the types of personal data that your organization collects and processes, such as names, email addresses, and payment information.
Purposes for Processing Personal Data: Describe the reasons why your organization collects and processes personal data, such as to fulfill orders, provide customer support, or improve products or services.
Consumer Rights: Explain how consumers can exercise their rights, such as the right to access and delete their personal data. Note that the UCPA does not grant consumers the right to request the correction of inaccurate personal data.
Sharing of Personal Data: Disclose the categories of personal data that your organization shares with third parties, if any. For example, you may share payment information with a payment processor or mailing addresses with a shipping provider.
Third Parties: Identify the categories of third parties with whom your organization shares personal data, if any. This could include vendors, service providers, or marketing partners.
Additional information
Note that, unlike under other US state-level privacy laws, under the UCPA opt-out links come into consideration only in relation to consumers’ right to opt out of the processing of sensitive data.
To ensure compliance with the UCPA, you should include a clear and accessible opt-out process in your privacy policy.
Connecticut Data Privacy Act (CTDPA)
CTDPA policy additions
Categories of Personal Data: Your privacy policy must include a list of the categories of personal data that you process.
Purposes for Processing: Your privacy policy must clearly state the purposes for processing personal data. This includes any reason why you collect and use personal data, such as to fulfill a contract or provide a service.
Consumer Rights: Your privacy policy must explain how consumers can exercise their rights under the law. This includes how a consumer can access, correct, delete, or restrict the processing of their personal data. You must also include information on how a consumer can appeal a decision related to their request.
Third-Party Sharing: If you share personal data with third parties, your privacy policy must specify the categories of personal data that you share.
Third-Party Categories: Your privacy policy must also specify the categories of third parties with which you share personal data.
Contact Information: Your privacy policy must provide an active electronic mail address or other online mechanism that consumers can use to contact you with questions or concerns about their personal data.
Sale or Targeted Advertising: If you process personal data for the purposes of sale or targeted advertising, your privacy policy must clearly and conspicuously disclose this fact. You must also provide information on how consumers can exercise their right to opt out of such processing.
Additional information
Effective January 1, 2025, you must also allow consumers to opt out of the processing of their personal data for targeted advertising or sale through an opt-out preference signal sent via a platform, technology, or mechanism, with the consumer’s consent.
Texas Data Privacy and Security Act (TDPSA)
Texas Data Privacy and Security Act (TDPSA) Policy Additions
Categories of Personal Data: List the types of personal data your organization processes, including names, email addresses, payment info, and sensitive data (e.g., biometric data, precise geolocation).
Purpose for Processing Personal Data: State why personal data is collected, such as fulfilling orders, providing services, or marketing.
Consumer Rights: Describe how consumers can exercise their rights to:
Access, correct, delete, or obtain a copy of their data.
Opt out of targeted advertising, sale of personal data, or certain profiling.
How Users May Exercise Their Rights: Provide a method for submitting requests, such as an online form or contact email, and explain the process for appeals.
Data Sharing: Disclose the categories of personal data shared with third parties and identify these third-party categories (e.g., vendors, service providers).
Additional Information
The TDPSA applies broadly to businesses in Texas, with exemptions for small businesses as defined by the U.S. Small Business Administration. Include an opt-out process for data sales and targeted advertising.
Oregon Consumer Privacy Act (OCPA)
Categories of Personal Data: List the personal data your business collects, including sensitive data (e.g., biometric data, precise location).
Purpose for Processing: State why personal data is collected, including for targeted advertising or profiling.
Consumer Rights: Explain how Oregon consumers can:
Access, transfer, correct, or delete their data.
Opt out of data sales, targeted advertising, and profiling.
Use the Global Privacy Control (from July 1, 2026) to opt out of data sales or targeted ads.
How Users May Exercise Their Rights: Provide a method (e.g., online form, email) for submitting requests and outline how to withdraw consent.
Data Sharing: Disclose categories of personal data shared with third parties and identify these third-party categories.
Additional Information
Obtain explicit consent before processing sensitive data. Starting July 1, 2026, recognize “Global Privacy Control” signals for opt-outs.
Montana Consumer Data Privacy Act (MTCDPA)
Montana Consumer Data Privacy Act (MTCDPA) Policy Additions
Categories of Personal Data: List the types of personal data processed, including sensitive data (e.g., biometric data, health conditions, children’s data).
Purpose for Processing: State why personal data is collected, such as fulfilling services, targeted advertising, or profiling.
Consumer Rights: Describe how Montana consumers can:
Access, correct, delete, and obtain a copy of their data.
Opt out of data sales, targeted advertising, and profiling.
Submit requests without needing an account.
How Users May Exercise Their Rights: Provide a method (e.g., online form, contact email) for submitting requests. Explain the appeal process if requests are denied.
Data Sharing: Disclose categories of personal data shared with third parties and identify these third-party categories.
Additional Information
Obtain explicit consent before processing sensitive data or selling data of young consumers (13–16 years). Starting January 1, 2025, honor universal opt-out signals for data sales or targeted advertising.