Most businesses that have a website have a Privacy Policy to comply with applicable laws and thus avoid fines and even lawsuits. In fact, any website that collects Personally Identifiable Information (PII) such as names, emails, phone numbers or IP addresses will most likely need to comply with at least one privacy law. If you do not think that your website collects PII, you should be aware of the fact that your website does collect PII if it has any of the following features:
- Contact forms;
- Email newsletter sign up forms;
- eCommerce;
- Analytics programs (e.g. Google Analytics);
- Account creation forms;
- Advertising features (e.g. Facebook Pixel).
Privacy laws are enacted to protect the PII of residents of certain states or countries and thus have a broad reach, applying to businesses outside of those states or countries. In addition to offering privacy rights to individuals, each privacy law also requires businesses to have a Privacy Policy that contains the specific disclosures required by that law.
Table of Contents
Current United States Privacy Laws
Termageddon can help you comply with the following United States privacy laws
California Online Privacy and Protection Act of 2003 (CalOPPA)
Effective date: July 1, 2014
The California Online Privacy Protection Act (CalOPPA) is a privacy law that went into effect on July 1st, 2014 and protects the Personally Identifiable Information (PII) of residents of California. CalOPPA was the first state law in the United States that requires business websites to have a Privacy Policy. This law requires websites to have a number of specific disclosures in their Privacy Policy and to display it in a very specific way.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | Yes |
| Enforced by | California Attorney General |
| Right to correct data | No |
| Right to restrict processing | No |
| Right to portability | No |
| Right to access data | No |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | No |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read CalOPPA or Read our CalOPPA Compliance Guide
California Privacy Rights Act (CPRA)
Effective date: January 1, 2023
The CPRA: California Privacy Rights Act (previously the CCPA) is landmark privacy legislation in the United States. The law provides a variety of consumer rights to Californians, allowing individuals to expand their control over their personally identifiable information (“PII”). At a minimum, the CPRA is a step towards the European Union’s General Data Protection Regulation (“GDPR”), perhaps the most comprehensive privacy law to date.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | Yes |
| Applies to small businesses | No |
| Enforced by | California Attorney General and California Privacy Protection Agency |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read the CPRA or Read our CPRA Compliance Guide
Nevada Revised Statutes Chapter 603A
Effective date: January 1, 2017
When it comes to determining what laws require websites to have a Privacy Policy, most people are surprised to learn that Nevada has a privacy law that governs the collection of Personally Identifiable Information by websites. Nevada Revised Statutes Chapter 603A, like many other privacy laws, has a broad reach and can apply to businesses outside of Nevada, it has unique requirements for what a Privacy Policy must contain and imposes heavy penalties for not meeting those requirements.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | Yes |
| Enforced by | Nevada Attorney General |
| Right to correct data | No |
| Right to restrict processing | No |
| Right to portability | No |
| Right to access data | No |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read Nevada Revised Statutes Chapter 603A or Read our 603A Compliance Guide
Delaware Online Privacy and Protection Act (DOPPA)
Effective date: January 1, 2016
The “Delaware Online Privacy and Protection Act” is a comprehensive law focusing on online and personal privacy. It defines key terms like advertising services and book services, and outlines restrictions on online marketing to children, specifying prohibited products. The Act requires online operators to clearly post their privacy policies, detailing the collection, use, and sharing of personal information. It also regulates the disclosure of user information in book services, stipulating conditions for sharing with government entities. Enforcement of these regulations falls under the Consumer Protection Unit of the Department of Justice.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | Yes |
| Enforced by | Delaware Attorney General |
| Right to correct data | No |
| Right to restrict processing | No |
| Right to portability | No |
| Right to access data | No |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | No |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Virginia Consumer Data Protection Act (VCDPA)
Effective date: January 1, 2023
On March 3, 2021, VA S 1392, the Virginia Consumer Data Protection Act (VCDPA) was signed into law. In our compliance guide, we discuss all that you need to know about the Virginia Consumer Data Protection Act, including who it applies to, how it defines “personal data,” the rights that it provides to consumers, and its enforcement mechanisms so that you can be ahead of the curve on preparing for this law.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Virginia Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the VCDPA or Read Our VCDPA Compliance Guide
Colorado Privacy Act
Effective date: July 1, 2023
The Colorado Privacy Act (SB190) is a privacy law that was signed into law on July 8, 2021 to protect the privacy of residents of Colorado. The law achieves this goal by providing privacy rights to residents of Colorado, requiring certain websites to have a Privacy Policy and imposes heavy fines for failure to comply.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Colorado Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the Colorado Privacy Act or Read our Colorado Privacy Act Compliance Guide
Utah Consumer Privacy Act
Effective date: December 31, 2023
On March 25, 2022 Utah became the sixth state to enact a comprehensive privacy law, the Utah Consumer Privacy Act. This law provides new consumer privacy rights to residents of Utah and imposes various privacy obligations upon certain businesses, such as the requirement to have a comprehensive Privacy Policy.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Utah Attorney General |
| Right to correct data | No |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read the Utah Consumer Privacy Act or Read our Utah Consumer Privacy Act Compliance Guide
Connecticut SB6
Effective date: July 1, 2023
On May 11, 2022, Connecticut joined the ranks of California, Utah, Colorado, Virginia, Nevada, and Delaware by passing its own privacy law, Connecticut SB6. This new law went into effect on July 1, 2023 and provides residents of Connecticut with new privacy rights, as well as requires certain websites to have a Privacy Policy that makes the disclosures required by this law.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Connecticut Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read Connecticut SB6 or Read our Connecticut SB6 Compliance guide
Upcoming Privacy Laws in the United States
Since new privacy laws are passed all of the time, you cannot just have a Privacy Policy that complies with today’s privacy laws, you must also have a strategy for keeping it up to date with new laws. Termageddon will update client policies for the following privacy laws prior to their effective date:
Iowa SF262
Effective date: January 1, 2025
On March 28, 2023, the Governor of Iowa signed Iowa SF262, having the state join other states such as California, Colorado, Utah, Virginia, and Connecticut with a comprehensive state privacy law. This new law will go into effect on January 1, 2025 and will provide residents of Iowa with new privacy rights, and require businesses to have a Privacy Policy that makes the disclosures required by this law.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Iowa Attorney General |
| Right to correct data | No |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read Iowa SF262 or Read our Iowa SF262 Compliance Guide
Indiana SB5
Effective date: July 1, 2026
On May 1, 2023, the Governor of Indiana signed Indiana SB5, which is a comprehensive state privacy law that requires certain businesses to have a Privacy Policy that has specific disclosures, provides privacy rights to residents of Indiana and requires businesses to meet specific requirements to protect privacy. This new law will go into effect on July 1, 2026 and businesses that need to comply with this law should start their preparations now to ensure that they are compliant by the effective date.
Read Indiana SB5 or Read our Indiana SB5 Compliance Guide
Tennessee Information Protection Act (TIPA)
Effective date: July 1, 2025
On May 15, 2023, the Tennessee HB1181 was enrolled into law, enacting the Tennessee Information Protection Act (TIPA). TIPA was passed to protect the privacy of residents of Tennessee by providing them with privacy rights and imposing certain requirements, such as having a Privacy Policy upon businesses. This new law will go into effect on July 1, 2025 so businesses who need to comply should start their compliance efforts now.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Tennessee Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read the TIPA or Read our TIPA Compliance Guide
Montana Consumer Data Privacy Act (MCDPA)
Effective date: October 1, 2024
On May 23, 2023 the Montana Consumer Data Privacy Act (MCDPA) was enacted, providing the residents of Montana with privacy rights and protections. This law will go into effect on October 1, 2024, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Montana Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the MCDPA or Read our MCDPA Compliance Guide
Texas Data Privacy and Security Act (TDPSA)
Effective date: July 1, 2024
On June 18, 2023, the Governor of Texas signed the Texas Data Privacy and Security Act (TDPSA) into law, providing residents of Texas with privacy rights and imposing privacy requirements on businesses. This law will go into effect on July 1, 2024 so businesses that need to comply with this law should begin their compliance efforts now to avoid heavy fines.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Texas Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the TDPSA or Read our TDPSA Compliance Guide
Oregon Consumer Privacy Act (OCPA)
Effective date: July 1, 2024
On July 18, 2023, the Governor of Oregon signed Oregon SB619 into law, which is a comprehensive state privacy law that provides privacy rights to residents of Oregon and imposes requirements for the collection, use and sharing of personal information on businesses. This law will go into effect on July 1, 2024 and adds Oregon to the state privacy law patchwork of the United States.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Oregon Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the OCPA or Read our OCPA Compliance Guide
Delaware Personal Data Privacy Act (DPDPA)
Effective date: January 1, 2025
On September 11, 2023, the Governor of Delaware signed DE H 154, passing the Delaware Personal Data Privacy Act (DPDPA), providing residents of Delaware with privacy rights and requiring businesses that need to comply with the law to meet certain obligations. This privacy law will go into effect on January 1, 2025 so businesses should start work to adapt their privacy programs to this new law as soon as possible.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Delaware Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the DPDPA or Read our DPDPA Compliance Guide
NJ SB 332
Effective date: January 16, 2025
On January 16, 2024, the Governor of New Jersey signed NJ SB 332, making New Jersey the 14th state to pass a privacy law that provides individuals with comprehensive privacy protections. This law will take effect in 365 days from enactment (on January 16, 2025) and will provide privacy rights to residents of New Jersey, as well as require certain businesses to have a comprehensive Privacy Policy and to follow the requirements.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | New Jersey SB332 |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the NJ SB 332 or Read our NJ SB 332 Compliance Guide
New Hampshire SB 255
Effective date: January 1, 2025
On March 7, 2024 the Governor of New Hampshire signed NH SB 255, and will protect the privacy of residents of New Hampshire by providing them with new rights and by including a requirement for certain businesses to provide a comprehensive Privacy Policy to consumers.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | New Hampshire Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the NH SB 255 or Read our NH SB 255 Compliance Guide
Kentucky HB15
Effective date: January 1, 2026
The Governor of Kentucky signed Kentucky HB15, and will protect the privacy of residents of Kentucky by providing them with new rights and by including a requirement for certain businesses to provide a comprehensive Privacy Policy to consumers.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | New Hampshire Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
Nebraska Data Privacy Act (LB 1074)
Effective date: January 1, 2025
the Governor of Nebraska signed NE LB1074, enacting the Nebraska Data Privacy Act. This comprehensive privacy law will go into effect on January 1, 2025 and will provide privacy rights to residents of the State as well as impose compliance requirements on businesses that need to comply with this privacy law, such as the requirement to have a comprehensive Privacy Policy.
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | No |
| Enforced by | Nebraska Attorney General |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | Yes |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | Yes |
European Union/European Economic Area Privacy Laws
General Data Protection Regulation (GDPR)
Effective date: May 25, 2018
The General Data Protection Regulation (GDPR) is a privacy law that went into effect on May 25, 2018, with the goal of protecting the personal information of residents of the European Union. As arguably the most comprehensive and most frequently enforced privacy law in the world, GDPR provides extensive privacy rights to consumers, requires certain websites to have a Privacy Policy that makes specific disclosures and has a broad application, applying to websites all over the world.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | Yes |
| Applies to small businesses | Yes |
| Enforced by | Data Protection Authorities |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | No |
| Right to withdraw consent | Yes |
| Right to opt-out | Yes |
| Opt-in consent required | Yes |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the GDPR or Read our GDPR Compliance Guide
United Kingdom
United Kingdom Data Protection Act (UK DPA)
Effective date: May 25, 2018
The United Kingdom Data Protection Act (UK DPA) is a key piece of legislation that governs the protection of personal data within the UK. It sets out the framework for data protection law, ensuring that personal information is used fairly, lawfully, and transparently. The Act establishes the rights of individuals regarding their personal data, including access, correction, and the right to be forgotten. It also outlines the obligations of businesses and organizations in handling personal data, such as obtaining valid consent for its use and implementing adequate security measures.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | Yes |
| Applies to small businesses | Yes |
| Enforced by | Data Protection Authorities |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | Yes |
| Prohibits discrimination | No |
| Right to withdraw consent | Yes |
| Right to opt-out | Yes |
| Opt-in consent required | Yes |
| Restrictions on profiling and/or automated decision-making | Yes |
Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
Effective date: January 1, 2001
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that was enacted to protect the privacy rights of Canadians. PIPEDA achieves this goal by providing Canadians with rights with regard to their personal information, requiring certain websites to have a Privacy Policy and imposing heavy fines for failure to comply.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | Yes |
| Applies to small businesses | Yes |
| Enforced by | Information Commissioner of Canada |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | Yes |
| Right to opt-out | Yes |
| Opt-in consent required | Yes |
| Restrictions on profiling and/or automated decision-making | No |
Read the PIPEDA or Read our PIPEDA Compliance Guide
Quebec Law 25
Effective date: September 1, 2023
After much debate regarding whether Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA), offers sufficient privacy protections for consumers, Quebec passed a new privacy law, Quebec Law 25 (previously Quebec Bill 64). While Quebec already had a privacy law, the Act Respecting the Protection of Personal Information in the Private Sector, Canada’s legislature considered that law to be substantially similar to PIPEDA.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | Yes |
| Applies to small businesses | Yes |
| Enforced by | Information Commissioner of Quebec |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | Yes |
| Restrictions on profiling and/or automated decision-making | Yes |
Read the Quebec Law 25 or Read our Quebec Law 25Compliance Guide
Australia
Australia Privacy Act of 1988
Effective date: January 1, 1989
The Australia Privacy Act 1988 is a privacy law that was enacted to protect the personal information and privacy rights of Australians online. This law requires certain websites to have a Privacy Policy that makes specific disclosures and provides Australians with privacy rights that website operators must respect.
Details:
| Requires a Privacy Policy? | Yes |
| Requires cookie consent banner | No |
| Applies to small businesses | Yes |
| Enforced by | Australian Information Commissioner |
| Right to correct data | Yes |
| Right to restrict processing | Yes |
| Right to portability | Yes |
| Right to access data | Yes |
| Right to delete data | No |
| Prohibits discrimination | No |
| Right to withdraw consent | No |
| Right to opt-out | Yes |
| Opt-in consent required | No |
| Restrictions on profiling and/or automated decision-making | No |
Read the Australia Privacy Act of 1988 or Read our Australia Privacy Act of 1988 Compliance Guide
Ensure your compliance with privacy laws
Tracking of privacy bills and updating policies It is important to note that a key feature of the Termageddon service is the tracking of proposed privacy bills. Every year, we track dozens of privacy bills across the areas we cover, notify customers once a privacy bill has been passed into law and update policies accordingly.
If you do not currently have a comprehensive Privacy Policy or do not have a strategy to keep it up to date with changing legislation, make sure to check out the Termageddon Privacy Policy generator.
If you are unsure as to what privacy laws apply to you, don’t worry – Termageddon’s Privacy Policy generator includes a Privacy Law Identifier which will ask you a series of simple questions to help determine which laws apply to you. If you already know which laws apply to you and/or just want to make sure that you are covered when using Termageddon, below is the list of privacy laws that Termageddon covers:
