Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the noticeable exception of the California Consumer Privacy Act (CCPA) and its

Modern state privacy statutes require that organizations provide individuals with the ability to opt out of targeted advertising. While the substance of the opt-out right is similar between and among states, state statutes differ in how they mandate the conveyance of the opt-out right. While all state statutes require that an explanation of the right

All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are

Please join David Zetoony, U.S. Co-Chair of the Data, Privacy & Cybersecurity Group, and Associate Karin Ross for the CLE webinar “An Overview of New State Privacy Laws: CCPA/CPRA, CPA, CTDPA, UCPA, and VCDPA” on Tuesday, May 24 at 10:00 a.m. PT.

The webinar will provide an overview of the modern state data

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys.  Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his

The term “sale” is defined slightly differently between and among modern U.S. data privacy statutes with some statutes defining the term as including exchanges of personal information in return for valuable consideration, and others defining the terms as including only exchanges of personal information in return for monetary consideration. As the following chart indicates, state

Modern data privacy statutes create special rules for activities that involve “selling.” Among other things, most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information sold. As the following chart indicates, the term “sale” is defined slightly different between and among state statutes, with some

Consent plays a role in almost all modern privacy statutes. In some privacy statutes, like the GDPR, it can function as one of many lawful purposes to process data. In other privacy statutes, like the VCDPA and the CPA, it is mandated for certain types of data processing (e.g., sensitive category data processing).  How consent