UNIVERSAL STATE PRIVACY NOTICE OVERLAYS
COMPREHENSIVE MULTI-STATE SUPPLEMENTAL PRIVACY NOTICE
Effective Date: [__/__/____]
Last Updated: [__/__/____]
Entity Name: [________________________________]
Entity Address: [________________________________]
TABLE OF CONTENTS
- Introduction and Purpose
- Applicability Matrix
- Consolidated Consumer Rights Summary
- California (CCPA/CPRA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Virginia (VCDPA)
- Texas (TDPSA)
- Florida (FDBR)
- Utah (UCPA)
- Oregon (OCPA)
- Other State Privacy Laws
- Consolidated Categories of Personal Data Collected
- Sources of Personal Data
- Purposes for Processing
- Categories Disclosed to Third Parties
- Sale and Sharing of Personal Data
- Sensitive Data Practices
- How to Submit Consumer Requests (All States)
- Verification and Authentication
- Authorized Agent Provisions
- Response Timelines by State
- Appeal Processes
- Opt-Out Preference Signals and Universal Opt-Out Mechanisms
- Children's and Minors' Data
- Do Not Sell or Share
- Data Retention
- Data Protection Assessments
- Breach Notification Summary
- Third-Party and Processor Oversight
- Security Measures
- Cross-Border Data Transfers
- Changes to This Notice
- Contact Information
- Sources and References
1. INTRODUCTION AND PURPOSE
This Universal State Privacy Notice Overlay ("Notice") supplements the general privacy notice of [________________________________] ("Company," "we," "us," or "our") and addresses the privacy rights and protections available to residents of states that have enacted comprehensive consumer data privacy laws. This Notice covers the major state privacy frameworks in effect or approaching enforcement as of the date above.
This Notice is designed for organizations that operate across multiple U.S. states and need to comply with a patchwork of state-level privacy obligations. Where the requirements of a particular state differ from the general provisions, the state-specific section controls for residents of that state.
2. APPLICABILITY MATRIX
The following table summarizes the applicability of each state privacy law to our organization. Check the applicable boxes:
| State Law | Effective Date | Applicable | Basis |
|---|---|---|---|
| California — CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.) | Jan. 1, 2020 (CCPA); Jan. 1, 2023 (CPRA) | ☐ Yes ☐ No | Revenue >$25M; 100K+ consumers; 50%+ revenue from selling/sharing PI |
| Colorado — CPA (C.R.S. § 6-1-1301 et seq.) | July 1, 2023 | ☐ Yes ☐ No | 100K+ consumers/year; or 25K+ consumers + revenue from sale of PI |
| Connecticut — CTDPA (Conn. Gen. Stat. § 42-515 et seq.) | July 1, 2023 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >25% revenue from sale of PI |
| Virginia — VCDPA (Va. Code § 59.1-575 et seq.) | Jan. 1, 2023 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >50% revenue from sale of PI |
| Texas — TDPSA (Tex. Bus. & Com. Code Ch. 541) | July 1, 2024 | ☐ Yes ☐ No | Business in TX + processes/sells PI + not SBA small business |
| Florida — FDBR (Fla. Stat. §§ 501.701–501.722) | July 1, 2024 | ☐ Yes ☐ No | Revenue >$1B + advertising/smart speaker/app store threshold |
| Utah — UCPA (Utah Code § 13-61-101 et seq.) | Dec. 31, 2023 | ☐ Yes ☐ No | Revenue >$25M; 100K+ consumers; or 25K+ consumers + 50%+ revenue from sale of PI |
| Oregon — OCPA (Or. Rev. Stat. § 646A.570 et seq.) | July 1, 2024 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >25% revenue from sale/control of PI |
| Montana — MCDPA (Mont. Code Ann. § 30-14-2801 et seq.) | Oct. 1, 2024 | ☐ Yes ☐ No | 50K+ consumers; or 25K+ consumers + revenue from sale of PI |
| Iowa (Iowa Code § 715D.1 et seq.) | Jan. 1, 2025 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >50% revenue from sale of PI |
| Indiana (Ind. Code § 24-15-1 et seq.) | Jan. 1, 2026 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >50% revenue from sale of PI |
| Tennessee — TIPA (Tenn. Code Ann. § 47-18-3201 et seq.) | July 1, 2025 | ☐ Yes ☐ No | Revenue >$25M; 25K+ consumers + >50% revenue from sale of PI |
| Delaware (Del. Code tit. 6, Ch. 12D) | Jan. 1, 2025 | ☐ Yes ☐ No | 35K+ consumers (excl. payment PI only); or 10K+ consumers + >20% revenue from sale of PI |
| New Jersey (N.J. Stat. § 56:8-166 et seq.) | Jan. 15, 2025 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + revenue from sale of PI |
| New Hampshire (N.H. Rev. Stat. § 507-H:1 et seq.) | Jan. 1, 2025 | ☐ Yes ☐ No | 35K+ consumers; or 10K+ consumers + >25% revenue from sale of PI |
| Kentucky (Ky. Rev. Stat. § 367.400 et seq.) | Jan. 1, 2026 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >50% revenue from sale of PI |
| Nebraska (Neb. Rev. Stat. § 87-1101 et seq.) | Jan. 1, 2025 | ☐ Yes ☐ No | No revenue or consumer count threshold (applies broadly) |
| Maryland (Md. Code Com. Law § 14-4601 et seq.) | Oct. 1, 2025 | ☐ Yes ☐ No | 35K+ consumers; or 10K+ consumers + >20% revenue from sale of PI |
| Minnesota (Minn. Stat. § 325O.01 et seq.) | July 31, 2025 | ☐ Yes ☐ No | 100K+ consumers; or 25K+ consumers + >25% revenue from sale of PI |
3. CONSOLIDATED CONSUMER RIGHTS SUMMARY
The following table summarizes key consumer rights across the major state privacy laws:
| Right | CA | CO | CT | VA | TX | FL | UT | OR |
|---|---|---|---|---|---|---|---|---|
| Right to Know / Confirm | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Access | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Right to Data Portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt Out: Targeted Advertising | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt Out: Sale of PI | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt Out: Profiling | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Limit Sensitive PI Use | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Non-Discrimination | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Appeal | N/A | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Opt-Out Preference Signal | Yes | Yes | Yes | No* | Yes | No | No | Yes |
| Private Right of Action | Limited** | No | No | No | No | No | No | No |
*Virginia does not mandate recognition of opt-out preference signals.
**California provides a limited private right of action for data breaches under Cal. Civ. Code § 1798.150.
4. CALIFORNIA (CCPA/CPRA)
Statutory Authority: Cal. Civ. Code § 1798.100 et seq.
Applicability: Applies to for-profit businesses doing business in California that meet revenue ($25M+), consumer count (100K+), or revenue-from-sale (50%+) thresholds.
Key Consumer Rights:
- Right to know categories and specific pieces of PI collected (§§ 1798.100, 1798.110)
- Right to delete PI (§ 1798.105)
- Right to correct inaccurate PI (§ 1798.106)
- Right to know what PI is sold or shared and to whom (§ 1798.115)
- Right to opt out of sale or sharing (§ 1798.120)
- Right to limit use and disclosure of sensitive PI (§ 1798.121)
- Right of non-discrimination (§ 1798.125)
California-Specific Obligations:
- "Do Not Sell or Share My Personal Information" link (§ 1798.135)
- "Limit the Use of My Sensitive Personal Information" link (§ 1798.135)
- Honor Global Privacy Control (GPC) as opt-out preference signal (11 CCR § 7025)
- Disclosure of retention periods for each category of PI (§ 1798.100(a)(3))
- Service provider/contractor/third party distinctions with specific contractual requirements (§ 1798.100(d))
- Financial incentive program disclosures (§ 1798.125(b))
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: California Privacy Protection Agency (CPPA); Attorney General; limited private right of action for data breaches (§ 1798.150)
5. COLORADO (CPA)
Statutory Authority: C.R.S. § 6-1-1301 et seq.
Applicability: Applies to controllers that conduct business in Colorado or produce products/services targeted to Colorado residents and process PI of 100K+ consumers/year, or process PI of 25K+ consumers and derive revenue from sale of PI.
Key Consumer Rights (C.R.S. § 6-1-1306):
- Right to confirm and access (§ 6-1-1306(1)(a))
- Right to correct inaccurate data (§ 6-1-1306(1)(c))
- Right to delete (§ 6-1-1306(1)(b))
- Right to data portability (§ 6-1-1306(1)(d))
- Right to opt out of targeted advertising, sale, and profiling (§ 6-1-1306(1)(e))
Colorado-Specific Obligations:
- Recognize universal opt-out mechanisms per AG rules (effective July 1, 2024) (§ 6-1-1313(2))
- Conduct data protection assessments for high-risk processing (§ 6-1-1309)
- No cure period as of January 1, 2025 — AG and DAs may immediately enforce penalties
- Obtain consent for processing sensitive data (§ 6-1-1308)
- Processor contracts must meet CPA requirements (§ 6-1-1305)
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Colorado Attorney General; District Attorneys. Civil penalties up to $20,000 per violation under Colorado Consumer Protection Act (C.R.S. § 6-1-112).
6. CONNECTICUT (CTDPA)
Statutory Authority: Conn. Gen. Stat. § 42-515 et seq. (Public Act No. 22-15, as amended by SB 1295)
Applicability: Applies to persons that conduct business in Connecticut or produce products/services targeted to Connecticut residents and process PI of 100K+ consumers, or process PI of 25K+ consumers and derive more than 25% of gross revenue from the sale of PI.
Key Consumer Rights (Conn. Gen. Stat. § 42-520):
- Right to confirm and access
- Right to correct inaccurate data
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to request a specific list of third parties to whom PI was disclosed (as amended by SB 1295, effective July 1, 2026)
Connecticut-Specific Obligations:
- Honor opt-out preference signals (effective Jan. 1, 2025) (§ 42-520(e))
- Conduct data protection assessments for sensitive and high-risk processing (§ 42-524)
- Consent for sensitive data processing (§ 42-519(a))
- 2025 Amendments (SB 1295, effective July 1, 2026): Lowered thresholds for sensitive data and sale of PI; categorical prohibition on processing minors' PI for targeted advertising or sale; GLBA data-level exemption replaces entity-level exemption
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Connecticut Attorney General. Civil penalties up to $5,000 per willful violation under CUTPA.
7. VIRGINIA (VCDPA)
Statutory Authority: Va. Code § 59.1-575 et seq.
Applicability: Applies to persons that conduct business in Virginia or produce products/services targeted to Virginia residents and process PI of 100K+ consumers, or process PI of 25K+ consumers and derive over 50% of gross revenue from the sale of PI.
Key Consumer Rights (Va. Code § 59.1-577):
- Right to confirm processing and access PI
- Right to correct inaccuracies
- Right to delete PI
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
Virginia-Specific Obligations:
- Consent for processing sensitive data (§ 59.1-578)
- No mandate to honor opt-out preference signals (but businesses may voluntarily do so)
- Data protection assessments for targeted advertising, sale of PI, profiling with foreseeable risk, sensitive data processing, and any processing that presents a heightened risk of harm (§ 59.1-580)
- Processor contracts must meet VCDPA requirements (§ 59.1-579)
- Non-discrimination provision (§ 59.1-577(E))
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Virginia Attorney General (exclusive). Civil penalties up to $7,500 per violation (Va. Code § 59.1-584).
8. TEXAS (TDPSA)
Statutory Authority: Tex. Bus. & Com. Code Ch. 541 (§§ 541.001–541.205)
Applicability: Applies broadly to persons conducting business in Texas or producing products/services for Texas residents that process or sell PI, and are not classified as small businesses under SBA standards. No revenue threshold.
Key Consumer Rights (§ 541.051):
- Right to confirm and access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
Texas-Specific Obligations:
- Recognize universal opt-out mechanisms effective January 1, 2025 (§ 541.055(e))
- Consent for sensitive data, including data from known children (§ 541.103)
- Data protection assessments for high-risk processing (§ 541.107)
- Data protection assessments available to Attorney General upon request (§ 541.107(d))
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Texas Attorney General (exclusive). Civil penalties up to $7,500 per violation (§ 541.205).
9. FLORIDA (FDBR)
Statutory Authority: Fla. Stat. §§ 501.701–501.722
Applicability: Narrowly tailored — applies to entities with annual global revenues exceeding $1 billion AND that meet at least one activity threshold (50%+ revenue from online advertising, smart speaker operation, or operation of an app store with 250K+ apps).
Key Consumer Rights (§ 501.705):
- Right to confirm and access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
Florida-Specific Obligations:
- Consent for sensitive data including data from known children (§ 501.714)
- Data protection assessments (§ 501.712)
- Specific protections for children and minors on social media platforms
- FIPA breach notification (Fla. Stat. § 501.171) applies broadly to all commercial entities
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Florida Attorney General — Department of Legal Affairs (§ 501.719).
10. UTAH (UCPA)
Statutory Authority: Utah Code § 13-61-101 et seq.
Applicability: Applies to controllers conducting business in Utah or producing products/services targeted to Utah consumers with annual revenue of $25M+ and processing PI of 100K+ consumers, or PI of 25K+ consumers and deriving 50%+ of revenue from sale of PI.
Key Consumer Rights:
- Right to confirm and access
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising and sale of PI
- No right to correct; no right to opt out of profiling
Utah-Specific Obligations:
- Opt-in consent for processing sensitive data
- No requirement to recognize opt-out preference signals
- No right to appeal
- No data protection assessment requirement
Response Timeline: 45 days (no extension provision)
Enforcement: Utah Attorney General. Civil penalties up to $7,500 per violation.
11. OREGON (OCPA)
Statutory Authority: Or. Rev. Stat. § 646A.570 et seq.
Applicability: Controllers conducting business in Oregon or providing products/services to Oregon residents that process PI of 100K+ consumers, or PI of 25K+ consumers and derive 25%+ of revenue from sale/control of PI.
Key Consumer Rights:
- Right to confirm and access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of targeted advertising, sale, and profiling
- Right to obtain list of specific third parties to whom PI was disclosed
Oregon-Specific Obligations:
- Recognize opt-out preference signals (effective Jan. 1, 2026)
- Applies to nonprofit organizations (unlike most other state laws)
- No right to cure
- Consent for sensitive data including data revealing status as transgender or nonbinary
Response Timeline: 45 days (extendable by 45 days, total 90 days)
Enforcement: Oregon Attorney General. Civil penalties under UTPA.
12. OTHER STATE PRIVACY LAWS
12.1 Montana (MCDPA) — Effective October 1, 2024
Lower consumer threshold (50K+). Standard rights package. Consent for sensitive data. 60-day cure period until April 1, 2026.
12.2 Iowa — Effective January 1, 2025
Standard rights (no right to correct or opt out of profiling). 90-day cure period (no sunset). Opt-in for sensitive data.
12.3 Delaware — Effective January 1, 2025
Lower thresholds (35K+). Standard rights including right to correct. Recognize opt-out preference signals. No right to cure.
12.4 New Jersey — Effective January 15, 2025
Standard rights. Recognize opt-out preference signals. 30-day cure period (expires July 15, 2026).
12.5 New Hampshire — Effective January 1, 2025
Lower thresholds (35K+). Standard rights. 60-day cure period.
12.6 Nebraska — Effective January 1, 2025
No consumer count or revenue thresholds. Standard rights. Recognize opt-out preference signals. 30-day cure period.
12.7 Indiana — Effective January 1, 2026
Standard rights. Consent for sensitive data. 30-day cure period.
12.8 Tennessee (TIPA) — Effective July 1, 2025
Revenue threshold ($25M). Standard rights. 60-day cure period. Affirmative defense for maintaining privacy program conforming to NIST framework.
12.9 Kentucky — Effective January 1, 2026
Standard rights and thresholds. 30-day cure period.
12.10 Maryland — Effective October 1, 2025
Lower thresholds (35K+). Strongest data minimization requirements. Prohibits sale of sensitive data. Limits targeted advertising using sensitive data. Recognize opt-out preference signals.
12.11 Minnesota — Effective July 31, 2025
Standard rights including right to obtain list of third parties. Recognize opt-out preference signals. Profiling protections. No right to cure.
13. CONSOLIDATED CATEGORIES OF PERSONAL DATA COLLECTED
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, postal address, phone number, IP address, device IDs, account name | ☐ Yes ☐ No |
| Financial Information | Bank accounts, credit/debit card numbers, payment history | ☐ Yes ☐ No |
| Commercial Information | Purchase records, consumer preferences, transaction histories | ☐ Yes ☐ No |
| Internet/Network Activity | Browsing history, search history, app interactions, advertising interactions | ☐ Yes ☐ No |
| Geolocation Data | Precise geolocation (GPS), approximate location | ☐ Yes ☐ No |
| Biometric Data | Fingerprints, facial geometry, voiceprints, iris/retina scans | ☐ Yes ☐ No |
| Health Information | Diagnoses, treatment records, health insurance data | ☐ Yes ☐ No |
| Audio/Visual/Sensory Data | Photos, videos, audio recordings, call recordings | ☐ Yes ☐ No |
| Professional/Employment Data | Job history, performance records, compensation | ☐ Yes ☐ No |
| Education Records | Academic records, enrollment, transcripts | ☐ Yes ☐ No |
| Inferences | Profiles reflecting preferences, behavior, attitudes, abilities | ☐ Yes ☐ No |
| Sensitive Data | See Section 18 | ☐ Yes ☐ No |
| Other: | [________________________________] | ☐ Yes ☐ No |
14. SOURCES OF PERSONAL DATA
☐ Directly from consumers (forms, registrations, purchases, communications)
☐ Indirectly from consumers (website/app activity, cookies, tracking)
☐ Third-party sources (partners, data brokers, social media, public databases)
☐ Service providers and processors
☐ Publicly available sources
☐ Other: [________________________________]
15. PURPOSES FOR PROCESSING
☐ Providing and improving products and services
☐ Processing transactions and fulfilling orders
☐ Customer service and communications
☐ Account management and authentication
☐ Marketing and advertising (including targeted advertising, subject to opt-out)
☐ Analytics and research
☐ Fraud detection and security
☐ Legal and regulatory compliance
☐ Enforcing terms and agreements
☐ Internal business operations
☐ Other: [________________________________]
16. CATEGORIES DISCLOSED TO THIRD PARTIES
| Category | Recipients | Purpose |
|---|---|---|
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] |
17. SALE AND SHARING OF PERSONAL DATA
☐ We do not sell or share personal data.
☐ We sell and/or share the following categories:
| Category | Third-Party Recipients | Purpose | States Where Sale/Sharing Occurs |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] |
18. SENSITIVE DATA PRACTICES
Across state privacy laws, sensitive data generally includes:
☐ Racial or ethnic origin
☐ Religious or philosophical beliefs
☐ Mental or physical health diagnosis
☐ Sexual orientation
☐ Citizenship or immigration status
☐ Genetic data
☐ Biometric data for identification
☐ Data from known children (under 13)
☐ Precise geolocation data
☐ Union membership (CA, OR)
☐ Contents of mail/email/text messages (CA)
☐ Account credentials with security codes (CA)
☐ Status as transgender or nonbinary (OR)
Our Practices:
☐ We do not process sensitive data
☐ We obtain opt-in consent before processing sensitive data, in compliance with all applicable state laws
☐ For California: We provide a "Limit the Use of My Sensitive Personal Information" link
| Sensitive Data Category | Purpose | Consent Mechanism |
|---|---|---|
| [________________________________] | [________________________________] | [________________________________] |
19. HOW TO SUBMIT CONSUMER REQUESTS (ALL STATES)
To exercise any of the privacy rights described in this Notice, regardless of your state of residence, you may submit a request by:
☐ Online Portal: [________________________________]
☐ Email: [________________________________]
☐ Toll-Free Telephone Number: [________________________________]
☐ Postal Mail:
[________________________________]
Attn: Privacy Office
☐ Other: [________________________________]
We provide at least two methods for submitting requests, including at minimum a method reflecting how you normally interact with us.
20. VERIFICATION AND AUTHENTICATION
We verify your identity before fulfilling requests using commercially reasonable methods:
☐ Account authentication (if you have an account)
☐ Matching 2-3 data points for category-level requests
☐ Matching 3+ data points plus signed declaration under penalty of perjury for specific-pieces requests (California)
☐ Additional verification as needed
21. AUTHORIZED AGENT PROVISIONS
You may designate an authorized agent in all applicable states. Requirements:
☐ Written authorization signed by you (or valid power of attorney)
☐ We may verify your identity directly
☐ For California: Power of attorney under Cal. Probate Code §§ 4000-4465 is accepted
22. RESPONSE TIMELINES BY STATE
| State | Initial Response | Extension | Total Maximum |
|---|---|---|---|
| California | 45 days | +45 days | 90 days |
| Colorado | 45 days | +45 days | 90 days |
| Connecticut | 45 days | +45 days | 90 days |
| Virginia | 45 days | +45 days | 90 days |
| Texas | 45 days | +45 days | 90 days |
| Florida | 45 days | +45 days | 90 days |
| Utah | 45 days | None | 45 days |
| Oregon | 45 days | +45 days | 90 days |
| Montana | 45 days | +15 days | 60 days |
| All Others | 45 days | +45 days | 90 days (varies) |
We confirm receipt of requests within ten (10) business days (California) and respond within the applicable timeframe.
23. APPEAL PROCESSES
If we decline your request, you have the right to appeal (in states providing an appeal right):
Step 1: Submit a written appeal to our Privacy Office at: [________________________________]
Step 2: We will respond to your appeal within sixty (60) days.
Step 3: If your appeal is denied, you may contact the Attorney General in your state:
| State | Attorney General Contact |
|---|---|
| California | CPPA: https://cppa.ca.gov; AG: https://oag.ca.gov |
| Colorado | https://coag.gov |
| Connecticut | https://portal.ct.gov/ag |
| Virginia | https://www.oag.state.va.us |
| Texas | https://www.texasattorneygeneral.gov |
| Florida | https://www.myfloridalegal.com |
| Oregon | https://www.doj.state.or.us |
| All Others | Contact your state Attorney General's office |
24. OPT-OUT PREFERENCE SIGNALS AND UNIVERSAL OPT-OUT MECHANISMS
We recognize and honor opt-out preference signals, including the Global Privacy Control (GPC), as valid opt-out requests in the following states:
☐ California (required by Cal. Civ. Code § 1798.135(b) and 11 CCR § 7025)
☐ Colorado (required by CPA AG rules, effective July 1, 2024)
☐ Connecticut (required effective Jan. 1, 2025)
☐ Texas (required effective Jan. 1, 2025, per § 541.055(e))
☐ Oregon (required effective Jan. 1, 2026)
☐ Montana (required effective Jan. 1, 2025)
☐ Delaware (required)
☐ New Jersey (required)
☐ Nebraska (required)
☐ Maryland (required)
☐ Minnesota (required)
☐ New Hampshire (not required but honored)
When we detect an opt-out preference signal, we process it as a valid request to opt out of the sale of personal data and targeted advertising.
For more information: https://globalprivacycontrol.org
25. CHILDREN'S AND MINORS' DATA
We comply with COPPA (15 U.S.C. § 6501 et seq.) and all applicable state provisions regarding children's data:
☐ We do not knowingly collect PI from children under 13 without verifiable parental consent
☐ California: Opt-in required for sale/sharing of PI of consumers under 16 (ages 13-15 self-authorize; under 13 requires parental consent) (Cal. Civ. Code § 1798.120(c)-(d))
☐ Connecticut (SB 1295, effective July 1, 2026): Categorical prohibition on processing minors' PI for targeted advertising or sale
☐ All states: Personal data from known children constitutes sensitive data requiring consent
☐ Florida: Specific protections for minors on social media platforms
26. DO NOT SELL OR SHARE
☐ California: "Do Not Sell or Share My Personal Information" link: [________________________________]
☐ California: "Limit the Use of My Sensitive Personal Information" link: [________________________________]
☐ All States: Opt-out request submission: [________________________________]
27. DATA RETENTION
| Category | Retention Period | Basis |
|---|---|---|
| Identifiers | [________________________________] | [________________________________] |
| Financial Information | [________________________________] | [________________________________] |
| Commercial Information | [________________________________] | [________________________________] |
| Internet/Network Activity | [________________________________] | [________________________________] |
| Geolocation Data | [________________________________] | [________________________________] |
| Sensitive Data | [________________________________] | [________________________________] |
| Other: [______________] | [________________________________] | [________________________________] |
28. DATA PROTECTION ASSESSMENTS
We conduct data protection assessments where required by applicable state laws, including for:
☐ Targeted advertising
☐ Sale of personal data
☐ Profiling with foreseeable risk of harm
☐ Processing of sensitive data
☐ Any processing presenting a heightened risk to consumers
Required in: California (risk assessments under CPPA rulemaking), Colorado (C.R.S. § 6-1-1309), Connecticut (Conn. Gen. Stat. § 42-524), Virginia (Va. Code § 59.1-580), Texas (Tex. Bus. & Com. Code § 541.107), Florida (Fla. Stat. § 501.712), Oregon, Montana, Delaware, New Jersey, Maryland, Minnesota, and others.
29. BREACH NOTIFICATION SUMMARY
| State | Statute | Notification Timeline | AG Notification Threshold |
|---|---|---|---|
| California | Cal. Civ. Code § 1798.82 | Expeditious, without unreasonable delay | 500+ residents |
| Colorado | C.R.S. § 6-1-716 | 30 days | 500+ residents |
| Connecticut | Conn. Gen. Stat. § 36a-701b | 60 days | All breaches |
| Virginia | Va. Code § 18.2-186.6 | Without unreasonable delay | 1,000+ residents or AG |
| Texas | Tex. Bus. & Com. Code § 521.053 | As quickly as possible | 250+ residents (within 60 days) |
| Florida | Fla. Stat. § 501.171 | 30 days | 500+ residents |
| New York | N.Y. Gen. Bus. Law § 899-aa | 30 days (2024 amendment) | All breaches |
30. THIRD-PARTY AND PROCESSOR OVERSIGHT
☐ Due diligence before engagement
☐ Written contracts meeting requirements of all applicable state laws
☐ Confidentiality and security obligations
☐ Prohibition on processing beyond documented instructions
☐ Data return/deletion upon termination
☐ Audit and assessment rights
☐ Sub-processor controls and flow-down obligations
☐ Breach notification requirements
31. SECURITY MEASURES
☐ Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
☐ Multi-factor authentication
☐ Intrusion detection and prevention
☐ Vulnerability scanning and penetration testing
☐ Access controls (least-privilege, role-based)
☐ Security event logging and monitoring
☐ Patch management
☐ Data loss prevention
☐ Incident response plan
☐ Employee training
☐ Business continuity and disaster recovery
☐ Physical security controls
32. CROSS-BORDER DATA TRANSFERS
☐ Standard contractual clauses
☐ Binding corporate rules
☐ Data Privacy Framework certification
☐ Adequate data protection assessment
☐ Other: [________________________________]
33. CHANGES TO THIS NOTICE
☐ Updated Notice posted on our website with new "Last Updated" date
☐ Email notification for material changes
☐ Prominent website notice
☐ Other: [________________________________]
34. CONTACT INFORMATION
Company Name: [________________________________]
Attn: Privacy Office
Mailing Address: [________________________________]
Email: [________________________________]
Toll-Free Telephone: [________________________________]
Website / Privacy Portal: [________________________________]
35. SOURCES AND REFERENCES
- California (CCPA/CPRA): Cal. Civ. Code § 1798.100 et seq. — https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
- Colorado (CPA): C.R.S. § 6-1-1301 et seq. — https://coag.gov/resources/colorado-privacy-act/
- Connecticut (CTDPA): Conn. Gen. Stat. § 42-515 et seq. — https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act
- Virginia (VCDPA): Va. Code § 59.1-575 et seq. — https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
- Texas (TDPSA): Tex. Bus. & Com. Code Ch. 541 — https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm
- Florida (FDBR): Fla. Stat. §§ 501.701–501.722 — https://www.flsenate.gov/Session/Bill/2023/262/BillText/er/HTML
- Utah (UCPA): Utah Code § 13-61-101 et seq.
- Oregon (OCPA): Or. Rev. Stat. § 646A.570 et seq.
- IAPP State Privacy Law Tracker: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
- Global Privacy Control: https://globalprivacycontrol.org
ACKNOWLEDGMENT AND ACCEPTANCE
By accessing or using our services, you acknowledge that you have read and understand this Universal State Privacy Notice Overlay. This Notice is effective as of the date set forth above and shall remain in effect until updated.
| Company Representative Signature: | [________________________________] |
| Printed Name: | [________________________________] |
| Title: | [________________________________] |
| Date: | [__/__/____] |
This template is provided by ezel.ai for informational purposes only and does not constitute legal advice. Consult qualified legal counsel in each applicable jurisdiction before deploying this notice.
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for regulatory compliance. Each template includes proper legal citations, defined terms, and standard protective clauses.
Last updated: March 2026