U.S. state privacy laws + GDPR exposure
State privacy laws — notice at collection
Publish a compliant privacy notice
Disclose what you collect, why, who you share it with, and consumer rights. Use the privacy-policy template to draft, then have counsel review.

State privacy laws — consumer rights
Stand up a data-request (DSAR) process
Build a way for people to access, correct, and delete their data, with identity verification and a tracked response window.

CCPA/CPRA + state laws — opt-out of sale/share
Honor "Do Not Sell or Share" + opt-out signals
Provide a clear opt-out and respect Global Privacy Control signals. Selling or sharing personal data is the most-enforced obligation.

State laws — sensitive data + consent
Get consent / limits for sensitive data
Sensitive categories (health, precise geolocation, biometrics, children) usually require opt-in consent and use limits. Children's data also brings COPPA into scope.

GDPR — lawful basis + transfers
Establish a GDPR lawful basis
EU/UK individuals trigger GDPR: document your lawful basis and your data-transfer mechanism, and appoint an EU representative where one is required.

State laws — risk assessment / DPA
Run a data protection assessment
High-risk processing (targeted ads, sensitive data, large volume) requires a documented risk assessment before you start.

All 50 states — breach notification
Have a breach-response plan ready
Every state has breach-notice deadlines. Pre-write your who-does-what, the notice template, and your timelines now, not during an incident.
This is a readiness & documentation workflow, not legal advice. Applicability rules are simplified for orientation; thresholds change. Templates are starting points for counsel.