Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

Mapping Privacy Requirements

Hashed & Salted | A Privacy and Data Security Update

This guide addresses the privacy requirements of:
•         General Data Protection Regulation (GDPR)
•         California Consumer Privacy Act (including all amendments) (CCPA)
•         California Privacy Rights Act (CPRA)
•         Virginia’s Consumer Data Protection Act (CDPA)
•         Colorado’s Colorado Privacy Act (CPA)
•         Utah’s Consumer Privacy Act (UCPA)
•         Connecticut’s Data Privacy Act (CTDPA)
•         Iowa’s Consumer Data Protection Act (IO-CDPA)
•         Indiana’s Consumer Data Protection Act (IN-CDPA)
•         Tennessee’s Information Protection Act (TIPA)
•         Montana’s Consumer Data Privacy Act (MCDPA)

State privacy laws are increasingly mapping to the GDPR, requiring privacy assessments and imposing principles of data minimization, purpose limitation, and storage limitation. However, U.S. laws do not require a “lawful” basis for processing personal information. Instead, each law gives consumers a number of GDPR-like rights (most often, access, deletion and correction) and allows consumers to opt-out of certain processing activities focused on targeting advertising, profiling and personal data sharing. Only Virginia, Colorado and Connecticut require an opt-in for the processing of sensitive personal information. While building a privacy program across a patchwork of laws can be a challenge, there are some key similarities between the laws that can be used to create a uniform approach.

Companies Should Focus On

Companies should focus on 1) understanding the internal data collection practices, governance, and storage structure (what do you collect, where does it sit, how do you use it, and who do you share it with); 2) understanding vendor and business partner obligations; 3) planning to provide data subject rights; 4) documenting your program, including any risk assessment; and 5) documenting your cybersecurity program.

Mapping Privacy Requirements Guide

  • Effective Dates
  • Scope
  • Opt-in/Opt-out
  • Other Consumer Rights
  • Business Obligations
  • Processor Obligations 
  • Liability/Enforcement 
  • Definitions