The digital world is currently witnessing a transformation toward a new era of digital privacy. Several countries, including the United States, have already set their privacy laws in motion. In addition to federal laws like the Children’s Online Privacy Protection Act of 1998, 17 states have passed their own privacy laws, of which the laws of California, Virginia, Colorado, Connecticut and Utah are in effect. If you are a business heading towards privacy law compliance, here is a comprehensive US privacy law compliance checklist to help you navigate the complexities.

US data privacy laws in effect

Whether you are a multinational corporation or a small business, compliance with US privacy laws is significant. Complying with privacy laws not only avoids penalties but also builds customer trust. Know the following relevant laws if you’re a US-based business or if your business targets US residents.

Children’s Online Privacy Protection Act, 1998 (COPPA)

Overview

COPPA is a US federal law regulating the handling of personal information of children below 13 years of age. It was enacted in 1998 and later amended; the amended rule came into effect on July 1, 2013. The act requires operators of websites/online services that target children to provide a privacy notice and then make a reasonable effort to obtain verifiable parental consent before processing a child’s personal information.

Verifiable parental consent means the authorization given by parents/legal guardians to handle the personal information of children after receiving a notice of the organization’s policies and practices. 

Applicability

Unlike many state privacy laws that apply only above a threshold, COPPA applies generally to all businesses whose websites or online services are directed toward children under 13 years of age:

  • Any operator of a website/online service that targets children.
  • Any operator of a website/online service that is aware that it collects/maintains personal information of children.

An operator is someone who runs a website or an online service and gathers information about the users of that service, or someone on whose behalf the information is collected. It can also be someone who uses the website for commercial purposes such as sales for profit.

If your website’s elements appeal to children, your website will be considered as targeted towards them. Examples include the use of animations, child celebrities or child models, the style of audio, and the inclusion of advertisements directed at children.

Even if your business is directed towards a general audience that includes children, make sure not to collect information before confirming age, and if the individual is below 13 years, provide a privacy notice and obtain verifiable parental consent.

Consumer rights

Parents are guaranteed several rights under COPPA, including:

  • Right to know
  • Right to delete
  • Right to review
  • Right to limit

Enforcement

The Federal Trade Commission is the enforcing authority of COPPA. The penalty for each violation can be up to $51,744.

California Consumer Privacy Act (CCPA)

CCPA is the state privacy law of California. It came into effect on January 1, 2020. Later, the CPRA amended the CCPA and thereby broadened its scope, but enforcement agencies continue to refer to it as the CCPA.

Applicability

CCPA applies to for-profit businesses in California meeting one of the following criteria:

  • Gross annual revenue exceeding $25 Million.
  • Buying/selling/sharing personal information of at least 100,000 Californian residents, households, or devices.
  • Generating 50% or more of revenue from the sale of personal information of Californian residents.

Consumer rights

  • Right to know
  • Right to access
  • Right to delete
  • Right of non-retaliation
  • Right to opt-out of sale/sharing
  • Right to opt-in for minors
  • Right to action
  • Right to correction
  • Right to limit use and disclosure of sensitive information
  • Right to data portability

Enforcement

The Consumer Privacy Protection Authority is the enforcement authority of CCPA. The penalty for each violation can be up to $7,500.

Virginia Consumer Data Protection Act (VCDPA)

Overview

The Virginia privacy law, the VCDPA, came into effect on January 1, 2023. The act is similar to other privacy laws, except that it does not recognize global opt-out mechanisms and differs in its scope and extent.

Applicability

VCDPA applies to for-profit businesses in Virginia, or businesses elsewhere that target residents of Virginia, that:

  • Control or process the personal data of at least 100,000 consumers in a year; or
  • Control or process the personal data of at least 25,000 consumers and generate 50% of their gross revenue from the sale of such personal data.

Consumer rights

  • Right to know or confirm
  • Right to delete
  • Right to correct
  • Right to data portability
  • Right to opt-out
  • Right to non-discrimination

Enforcement

The Attorney General of Virginia is the enforcement authority of VCDPA. The penalty for each violation can be up to $7,500.

Colorado Privacy Act (CPA)

Overview

CPA is the privacy law of Colorado that acknowledges the right to privacy of its residents. The Act came into effect on July 1, 2023.

Applicability

CPA applies to businesses in Colorado or businesses elsewhere that intentionally target the residents of Colorado and:

  • Control or process personal data of at least 100,000 consumers in a year; or
  • Control or process personal data of at least 25,000 consumers and derive revenue or discounts on the price of products and services from the sale of such data.

Consumer rights

  • Right to opt-out
  • Right to access
  • Right to correction
  • Right to delete
  • Right to data portability

Enforcement

The Attorney General of Colorado is the enforcement authority of the Colorado Privacy Act. The penalty for each violation can be up to $20,000.

Connecticut Data Privacy Act (CTDPA)

Overview

CTDPA is the data privacy legislation of Connecticut. This law came into effect on July 1, 2023.

Applicability

The Connecticut Data Privacy Act applies to businesses in Connecticut or businesses elsewhere that target residents of Connecticut and in the previous year:

  • Controlled or processed the personal data of at least 100,000 consumers; or
  • Controlled or processed the personal data of at least 25,000 consumers and generated 25% of their gross revenue from the sale of such personal data.

Consumer rights

  • Right to access
  • Right to delete
  • Right to opt-out
  • Right to correct
  • Right to portability

Enforcement

The Attorney General of Connecticut is the enforcing authority of CTDPA. The penalty for each violation can be up to $5,000.

Utah Consumer Privacy Act (UCPA)

Overview

UCPA is the data privacy law of Utah and it became effective on December 31, 2023.

Applicability

UCPA applies to businesses in Utah, or businesses elsewhere that target the residents of Utah, that have annual revenue of at least $25 Million and:

  • Control or process the personal information of 100,000 or more residents of Utah in a year; or
  • Control or process the personal information of 25,000 or more residents of Utah and generate 50% of their gross revenue from the sale of such personal data.

Consumer rights

  • Right to access
  • Right to delete
  • Right to opt-out
  • Right to non-discrimination
  • Right to data portability

Enforcement

The Attorney General of Utah is the enforcement authority of the Utah Consumer Privacy Act. The penalty for each violation may be up to $7,500.

US data privacy compliance checklist

Data privacy compliance is now directly tied to a business’s bottom line. Initially, it might appear burdensome, especially if your business caters to residents of different US states. Despite some differences, most US privacy laws expect similar data protection practices from businesses. It is therefore important to understand which laws apply to you and which practices best achieve compliance with them.

You can use this 12-step checklist to navigate through the complexities of privacy law compliance and ensure that your business is on the right track.

Determine the applicability

The first and foremost step is to determine whether an act applies to you. Even though there are few privacy laws at the federal level, there are many at the state level. Although the US privacy laws are broadly similar to each other, their thresholds and extent vary, so it is important to know which laws apply to your business. Keep track of new privacy laws as they come into effect and be prompt in complying with them.

Data mapping or Data model

It’s important to organize user data just as businesses organize their operations. Data maps help keep track of whose data is collected, how it is collected, where it is stored, who has access to it, and how the data is classified. This allows businesses to get a hold of the information they maintain and comply with privacy laws more easily. Therefore, businesses must keep a detailed data inventory covering the flow of data within the establishment.

Data minimization and purpose limitation

Limit the data you collect to whatever is necessary for the purpose for which it is collected. Once the purpose is fulfilled, delete the personal information within a reasonable time. Do not use the personal information of your consumers for additional purposes without specific, free and informed consent. Do not process sensitive personal data or sell personal data without the consent of the users.

Response plan

Businesses should have a detailed procedure for handling consumer requests and how they will be fulfilled. Provide accessible, uncomplicated means for consumers to make requests and exercise their rights. Enable at least two accessible methods to submit consumer requests and respond to such requests promptly.

A good practice to adopt is the 10-45 formula: respond within 10 days and deliver within 45 days. Additionally, do not require consumers to create a new account solely to submit requests.

Notice at collection

A privacy notice is a doorway toward transparency. CCPA requires businesses to provide an unambiguous notice at collection to users before collecting their personal information, and it should be made available conspicuously. This helps your users understand what you collect from them, how they can exercise their rights, and so on.

A privacy notice must contain information regarding:

  • The categories of data collected
  • The purpose for which it is collected
  • Who has access to it
  • Whether it will be shared with or sold to third parties
  • Categories of third parties
  • Categories of personal information shared with third parties
  • The length of the data retention period
  • Opt-out mechanisms
  • Opt-in mechanisms
  • Consumer rights and how they can be exercised
  • At least two methods to submit consumer requests, like a toll-free number, online form, or email address
  • Process for an appeal, if applicable. Laws like CPA, CTDPA, VCDPA, etc. obligate businesses to enable an appeal process for consumers
  • Contact information of the business and the data controllers associated with processing
  • Link to privacy policy

It should be given conspicuously in an accessible and easily understandable format.

Privacy policy

A privacy policy acts as a mirror of your information practices and earns the trust of your consumers. It describes the general data privacy tenets of your business. Almost all privacy laws across the US mandate the publishing of a privacy policy.

You can publish the privacy policy on the website conspicuously. Stipulate the following details in your online privacy policy:

  • Consumer rights and methods to submit consumer requests
  • A list of categories of personal information collected in the previous year
  • The categories of sources used to procure the personal information
  • Purpose of collection and processing of personal information in a business or commercial context
  • Categories of third parties engaged in the processing
  • Categories of third parties to whom information is sold and the specific purpose for selling
  • Whether or not any personal information was sold in the previous year, and the categories of personal information sold, if any
  • Whether or not any personal information was disclosed for business purposes, and the categories of personal information disclosed, if any
  • Categories of third parties to whom the personal information was disclosed
  • Whether the personal information of children below 16 years is sold/shared
  • Whether or not the business uses/discloses sensitive information of consumers, or uses it for targeted advertising, sale, or profiling
  • Links to opt-in and opt-out
  • Date of publication of the privacy policy

The privacy policy should be in a printable format and should be updated at least once a year.


Security measures

Implement safeguards to protect the confidentiality, security, and integrity of the personal information stored by your organization. Also, ensure that the information is shared only with those service providers and third parties capable of complying with the safety and privacy requirements under the act. Secure the information stored from unauthorized access. Use encryption protocols and access controls wherever necessary.

Consent and opt-out mechanisms

Provide opt-out mechanisms like “Do not sell my personal information” and “Limit the use of my sensitive personal information” links to enable consumers to opt out from:

  • the sale of their personal information
  • targeted advertising
  • profiling

Accompany the opt-out link with a description of the rights of the consumers and how they can be exercised.

Avoid the use of dark patterns and do not make the opt-out process complicated. You should also implement a solid system to obtain clear, specific and easily revocable consent from consumers.

Obtain verifiable consent before processing the personal data of children below 13 years. Some US privacy laws like the CCPA also require businesses to obtain consent to sell/share the personal information of children between 13 and 16 years of age.

Global opt-out mechanism: US privacy laws like the CCPA, CTDPA and CPA require businesses to recognize universal opt-out mechanisms. It is better to incorporate mechanisms to recognize global opt-outs if your business targets consumers from the US.

Consent management platform

Implement geographically flexible and privacy-oriented consent management platforms.

For instance, if your business holds and manages a website that collects personal information using cookies and is accessed by consumers from different states in the US, your compliance process might become complex. You will have to implement a geographically flexible consent management mechanism, a transparent and accurate privacy policy, etc. To make the process hassle-free and convenient, use consent management platforms like CookieYes. This will help you provide geo-targeted cookie banners and also create privacy policies for your organization.


Train your employees

Ensure that your employees are aware and well trained in understanding their part in protecting the personal data of consumers.

Non-discrimination/Non-retaliation

Do not penalize or discriminate against consumers for exercising their consumer rights. This means that businesses cannot increase the price or decrease the quality of products, or even deny products, solely because a consumer exercised their rights.

However, you are not obliged to deliver services/products that require the processing of personal information that the consumer opted out of. Also, most US privacy laws allow businesses to offer goods and services at a lower price or for free as a part of their participation in premium, discount, reward or loyalty programs, club cards, etc.

Contractual relationship

Compliance with privacy laws by your business is just one part of the equation. The other critical component is ensuring that your data processors and any third parties you engage are also in compliance with the laws. Therefore, it is important to have a contractual relationship with them that ensures their compliance with all applicable privacy laws.

The contract must include clauses specifying unambiguous instructions on processing personal data like categories, purpose and duration of processing, rights, and duties of both parties, maintenance of confidentiality, etc.

Risk assessments

Conduct and document risk assessments on the processing of personal data for profiling, targeted advertising and sale, processing of sensitive personal data or any data that may cause harm to consumers if not handled properly. The documentation of such assessments should be kept confidential.

TL;DR: Quick US data privacy checklist [infographic]

[Infographic: US Data Privacy Compliance Checklist]

FAQ on US privacy law compliance

How many privacy laws are there in the US?

17 states have enacted privacy laws in the US, of which the California Consumer Privacy Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and the Utah Consumer Privacy Act are in force. Along with these privacy laws, businesses that knowingly collect personal information from children below 13 years must also comply with the Children’s Online Privacy Protection Act.

What is the difference between GDPR and CCPA?

GDPR is the privacy law of the European Union, whereas CCPA is the privacy law of California. GDPR applies broadly, but CCPA applies only to businesses that meet a threshold.
Here’s the detailed CCPA vs GDPR comparison.

Does US privacy law apply to businesses outside the US?

The short answer is yes. If your business targets consumers residing in the US and meets the required threshold, then US privacy laws apply to you.