
On-demand webinar coming soon...

Blog

The ultimate guide to US privacy

As the US privacy landscape becomes more complex, understanding how to navigate it becomes more crucial than ever

Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
December 9, 2022


The US privacy landscape has evolved since the first comprehensive state privacy law, the California Consumer Privacy Act (CCPA), was passed in 2018. Since then, Californians have voted the California Privacy Rights Act (CPRA) into law and five other states have passed their own comprehensive state privacy laws. 

This complex patchwork will cause headaches for affected organizations of all sizes and all levels of maturity. For companies at the beginning of the maturity curve, focusing on the most visible aspects of US privacy compliance, such as consumer rights requests and privacy notices, can help prevent consumer complaints. As your organization matures its privacy program, refining internal operational efficiencies can launch your privacy program beyond compliance and toward promoting consumer trust. At the far end of the maturity scale, organizations can look to develop further policies for the use of personal information that is both lawful and ethical.  

But, before you can tackle these three priorities, you must understand US state privacy and what challenges compliance might bring. 

An update on US privacy laws

Six state privacy laws have taken effect, or will take effect, between January 1, 2023 and January 1, 2025. Until a federal privacy framework exists, these laws define the US privacy landscape. The comprehensive state privacy laws in the US are:

  • California: the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023
  • Virginia: the Consumer Data Protection Act (CDPA), effective January 1, 2023
  • Colorado: the Colorado Privacy Act (CPA), effective July 1, 2023
  • Connecticut: the Connecticut Data Privacy Act (CTDPA), effective July 1, 2023
  • Utah: the Utah Consumer Privacy Act (UCPA), effective December 31, 2023
  • Iowa: the Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025

Aside from the six comprehensive privacy laws that make up the US privacy landscape, organizations must also be aware of privacy laws with a significantly narrower scope of application in Nevada and Maine, which took effect in 2019 and 2020 respectively.

While organizations focus on state-level privacy legislation, note that many of the incoming state laws exempt personal information already covered by federal sectoral laws, including:

  • Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to protect consumers’ financial information 
  • Health Insurance Portability and Accountability Act (HIPAA): Requires covered entities to prevent sensitive patient health information from being disclosed 
  • Children’s Online Privacy Protection Act (COPPA): Establishes guidelines for protecting the privacy of children under 13 
  • The US Privacy Act of 1974: Allows individuals to request records about themselves held by government agencies 

These are just a handful of the different privacy laws that organizations must potentially contend with, not to mention countless other privacy-related statutes across the US. The case for a federal privacy law has never been clearer, and while the American Data Privacy and Protection Act (ADPPA) gathered significant momentum in the first half of 2022, there is still a long way to go before it can be considered a serious possibility. 

Still waiting on a federal privacy law? Don’t hold your breath on ADPPA

US legislators are as close as they have come in over a decade to passing a federal privacy law. The ADPPA is the first bipartisan effort to pass a national privacy framework since 2011, and at the time of writing the bill had been reported out of the House Energy and Commerce Committee and was awaiting a vote of the full House ahead of the mid-term elections.

However, despite the complexity of complying with the patchwork of state privacy laws, don't hold your breath for a federal privacy law to harmonize privacy legislation in the US. Several objections have already been raised to the ADPPA's preemption provisions, which critics say would weaken consumers' rights in states like California that already set a high benchmark. And even with a relatively smooth passage through the House and the Senate, the ADPPA would not take effect before the middle of 2023 at the earliest.

Instead, organizations should be looking ahead to January 1, 2023 and ensuring they have the appropriate measures in place to comply with the incoming laws and their most visible areas of compliance. Consumers will have a heightened awareness of their rights. Organizations that can’t fulfill these rights will likely find themselves falling foul of enforcement provisions and potentially losing the trust of their customers.  

How to approach US privacy

In the absence of a federal privacy law, you can still take a unified and maturity-driven approach to the current patchwork of state privacy laws to alleviate the pressures of compliance with varying cross-state requirements. 

Take the ever-changing nature of the US privacy landscape into account, look ahead to the horizon, and don’t discount laws that haven’t yet entered into effect. Be proactive and future-proof your privacy compliance programs to save time and resources that would be wasted reacting to each change as it comes. 

Base your initial efforts on the areas of compliance that make the most sense compared to your organization’s maturity level. For example, an organization that is at an earlier stage of its maturity journey might opt to focus on ensuring they are able to fulfill consumer rights requests accurately and in the prescribed timeframes over building complex, fully automated programs. 

Focusing on addressing these areas of compliance can help your business to achieve goals beyond compliance and begin to nurture consumer trust through thoughtful and measured actions.  

Priority 1: Address the most visible and highly enforceable components

While there is little in the way of enforcement actions being taken against violations of state privacy laws, what we do know is that those responsible for enforcing the law are focused on violations of consumer rights and preferences. In California for example, the Office of the Attorney General (AG) has issued many notices of violations to organizations for breaches of the CCPA and recently handed down its first public enforcement action in relation to consumer opt-out requests not being respected. 

Consumer rights

Generally, US state privacy laws offer consumers a similar set of rights, though there are nuances between the laws that should be observed. For example, the CPRA expressly requires organizations to allow consumers to limit the use of their sensitive personal information, and the UCPA requires organizations to give consumers the ability to opt out of the processing of their sensitive data, whereas other states require organizations to obtain opt-in consent before processing sensitive personal information. Furthermore, the CDPA, CPA, and CTDPA all offer consumers the right to appeal an organization's decision on a rights request, and neither the UCPA nor the ICDPA includes a right to correction.

 


 

When fulfilling privacy rights under US state privacy laws, it is essential to understand your obligations in each state. Each state law has different requirements that you must consider to help build and maintain consumer trust and avoid potential penalties for non-compliance. 

Fulfilling consumer requests all starts with having an appropriate intake method for consumers to make requests, and privacy notices should provide information relevant to each state where visitors may access the website. 

Identity verification is an essential part of fulfilling a privacy rights request. The CDPA states that controllers are not required to fulfill a request they cannot authenticate using commercially reasonable efforts. The CPRA goes further with its definition of a "verifiable consumer request" and states that businesses are not obligated to disclose personal information in response to a request they cannot verify. In practice, match the strength of verification to the sensitivity of what is being released: a request to access or delete account data needs stronger proof of identity than an opt-out request, which California does not require businesses to verify at all.

There are also different permitted timeframes for responding to requests that organizations must understand and meet in order to avoid consumer complaints. The CPRA requires businesses to confirm receipt of a request within 10 business days, whereas the other laws do not require a confirmation to be sent to the consumer. All five of the laws taking effect in 2023 give organizations 45 days to respond to consumer requests, with the possibility of a 45-day extension where reasonably necessary (Iowa's ICDPA allows 90 days, likewise extendable by 45).

 

Table showing which consumer rights each state privacy law grants.

 

The Right to Opt-Out

Organizations embedded in the advertising ecosystem will have to pay particular attention to opt-out requests. The CPRA, CDPA, CPA, and CTDPA all give consumers the right to opt out of the sale of personal information, targeted advertising, and profiling. The UCPA also offers a right to opt out but does not cover profiling. Under the ICDPA, an opt-out of targeted advertising is mentioned but not explicitly defined in the law.

One commonality across all six laws is the need to host a conspicuous intake method for consumers to exercise their right to opt-out, although the specifics do differ between laws. California has a specific requirement for organizations to adopt a “Do Not Sell or Share My Personal Information” link on company web pages. 

The CDPA offers the vaguest requirements for where an intake method should be hosted, stating, “the controller shall clearly and conspicuously disclose such processing, as well as how a consumer may exercise the right to opt-out of such processing.”

The CPA requires businesses that process personal data for purposes of targeted advertising or the sale of personal data to provide a “clear and conspicuous method” for consumers to exercise their right to opt-out in privacy notices as well as in a “readily accessible location outside the privacy notice” such as a webpage.

The UCPA mentions that businesses must disclose in a clear and conspicuous manner:

  • any sale of consumer data or engagement in targeted advertising, and  
  • the manner in which a consumer may opt out of the sale of personal data or processing for targeted advertising. 

The CTDPA requires controllers to provide a “clear and conspicuous link” on the controller’s website to enable a consumer or that consumer’s agent to opt out of targeted advertising or sale of the consumer’s personal data.


 

3 steps to operationalize opt-outs

  1. Identify third-party trackers involved in targeting ads. Organizations can manually inspect their websites to identify which third parties are processing web visitors' information, or use a web scanning tool that identifies and categorizes third parties. Once identified, each third party should be categorized by its specific purpose of processing so that individuals can opt out of a particular purpose.
  2. Deliver a compliant, consumer-friendly experience. Organizations should define the user experience for individuals who opt out. To honor GPC signals you will need to detect the browser-based signal and tell the user that GPC has been detected and respected. The same experience should tell the user how to request a full opt-out of sale or, where they have identified themselves, exercise another right such as access or deletion, which usually happens through a submission form or an account preference center.
  3. Enforce the opt-out by blocking the tracking from continuing. This can be done through several methods that vary in impact. You can choose to:
    • Follow an industry standard such as the IAB frameworks
    • Leverage vendor-specific APIs that support a 'privacy mode'
    • Block trackers directly through a tag manager

Both the CPRA and the CPA mandate that organizations honor opt-out signals received from universal controls such as the Global Privacy Control (GPC) or privacy-focused browsers. 

 

Graphic showing the Do Not Sell (DNS) opt-out signal flow.

 

What is the Global Privacy Control?

The GPC is a user-enabled method for communicating opt-out preference signals. Consumers can utilize the GPC to send a single universal signal to all webpages and applications that they interact with, rather than having to make multiple requests individually on each site. 

The GPC is a tech standard that was developed by privacy advocates, publishers, and browsers. Honoring signals from the GPC and similar technologies is now mandated in certain states. The California AG issued an FAQ in July 2021 that specifically calls on businesses to respect opt-out of sale requests made via the GPC. 

The CPA also allows consumers to communicate their opt-out preferences through a “user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general.”
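As an added example, not code from the original post or from any OneTrust product, the following JavaScript ties the three operationalization steps above and the GPC mechanics together: it reads the opt-out signal from the `Sec-GPC: 1` request header (server side) or the `navigator.globalPrivacyControl` property (page side), merges it with an opt-out the consumer set through the site's own link, and gates each third-party tag on the processing purpose it was catalogued under. The tag catalogue, the cookie name `opt_out_sale_share`, and the sample requests are constructed assumptions; the header and navigator property names are the ones defined by the GPC specification. Tags missing from the catalogue are blocked by default, so a tracker that never made it into the inventory cannot slip past the opt-out.

```javascript
// Added example (not OneTrust code): detect a Global Privacy Control (GPC)
// opt-out signal and gate third-party tags on it.
// The browser expresses GPC in two ways, both defined by the GPC spec:
//   - HTTP request header   Sec-GPC: 1              (seen server side)
//   - navigator.globalPrivacyControl === true       (seen in page script)

// Step 1: catalogue every third-party tag under the processing purpose the
// opt-out covers. Tag names and purposes are constructed for this example.
const TAG_CATALOGUE = {
  'analytics-vendor': 'analytics',
  'ad-pixel-a':       'sale_or_share',
  'retargeting-b':    'targeted_advertising',
};

// Purposes that must stop when a consumer opts out.
const OPT_OUT_PURPOSES = new Set(['sale_or_share', 'targeted_advertising', 'profiling']);

// Server side: header names are case-insensitive; the value must be exactly "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Page side: the navigator object is passed in so this also runs outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Explicit opt-out the consumer made through the site's own link or form,
// stored in a cookie. The cookie name is an assumption for this example.
function optOutCookie(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((part) => {
    const [k, v] = part.trim().split('=');
    return k === 'opt_out_sale_share' && v === '1';
  });
}

// Step 2: resolve the consumer's state from every source. A GPC signal is
// treated as a submitted opt-out; nothing here can re-enable tracking.
function resolveOptOut({ headers = {}, nav = null } = {}) {
  const viaGpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const viaSite = optOutCookie(headers.cookie || headers.Cookie);
  return {
    optedOut: viaGpc || viaSite,
    source: viaGpc ? 'gpc' : viaSite ? 'site' : 'none',
  };
}

// Step 3: enforce. A tag missing from the catalogue is blocked (fail closed)
// so an uncatalogued tracker cannot slip past the opt-out.
function shouldLoadTag(tag, state) {
  const purpose = TAG_CATALOGUE[tag];
  if (purpose === undefined) return false;
  return !(state.optedOut && OPT_OUT_PURPOSES.has(purpose));
}

function tagsToLoad(state) {
  return Object.keys(TAG_CATALOGUE).filter((tag) => shouldLoadTag(tag, state));
}

// Constructed sample requests, as a server or tag manager would see them.
const SAMPLE_REQUESTS = {
  gpcBrowser: { headers: { 'Sec-GPC': '1', cookie: '' } },
  plain:      { headers: { 'user-agent': 'example' } },
  siteOptOut: { headers: { cookie: 'session=abc; opt_out_sale_share=1' } },
  jsOnly:     { headers: {}, nav: { globalPrivacyControl: true } },
};

for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
  const state = resolveOptOut(req);
  console.log(label, state, 'load:', tagsToLoad(state).join(', ') || '(none)');
}
```

Two design points matter here. The GPC signal is a statement about the browser, not the person: it cannot by itself opt out an authenticated account across devices, which is where the preference-center approach described in the next section comes in. And the enforcement path fails closed, so adding a new vendor without cataloguing its purpose produces a blocked tag rather than an unreported tracker.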

Moving from a request-based approach to a preference-based approach

For greater transparency and control, organizations are beginning to make the shift from a request-based approach to consumer rights to a preference-based approach. This creates a cohesive experience for the individual that allows them to practice their rights universally without any difficulty. 

Instead of requiring individuals to make a request through a form, route them toward a trust center within pre-existing accounts. If the individual would like to opt-out of sharing their personal information, they can do so easily within a centralized trust center that provides transparency about how and why data is collected and enables the individual to practice their rights.

Employee rights

Where consumer rights are ubiquitous among US privacy laws, employee rights are not quite as common. In fact, across the five state privacy laws coming in 2023, just the CPRA grants employees certain control over their personal data in an employment context. 

Previously the CCPA placed an exemption on employee data, which was due to expire on January 1, 2021. However, the CPRA has extended this exemption to January 1, 2023. The CPRA also amended what rights are now offered to employees. Previously employees were limited to the right to know and private right of action in the event of a breach of unencrypted data. Upon the expiration of the employee data exemption, the CPRA will grant employees the following rights:

  • Right to know  
  • Right to correction  
  • Right to deletion  
  • Right to opt-out of sale or share  
  • Right to limit use and disclosure of sensitive personal information  
  • Right to not be retaliated against for exercising rights 

Fulfilling employee rights requests will pose a unique challenge to organizations. These requests require a different intake method and a different identity verification process, and relate to personal data held in many formats and sources. Furthermore, employee requests are often more sensitive than consumer requests: a candidate may want to know why they were rejected, a former employee why they were let go, or an active employee why they were passed over for promotion. These are often, in effect, discovery requests for an employment dispute submitted in the form of privacy rights requests.

Employee data is typically found in sources such as HR databases, recruitment tools, and payroll software. This includes structured and unstructured data that relates to personal information, such as bank account information, salary information, marital status, and medical records. Often employee data is commingled with other employees' information, in which case you may need to redact other individuals' sensitive information or proprietary business information before responding to the request.

Context is also key when handling employee rights requests. It’s more likely for an employee to submit a request seeking data specific to a particular event, incident, or decision. In this case, the employer must return files, emails, chats, and other information with personal information about that requestor from other individuals’ inboxes or tools within the organization. 

The challenge of discovering unstructured data and data redaction is that both exercises are time-consuming when done manually and can often lead to inaccurate results. And with the volume of employee requests likely to spike upon the exemption lifting, organizations must consider automation to streamline the process. 

Privacy notice and disclosures

Privacy notices are an organization's way of effectively and transparently communicating its privacy practices and how consumers' personal information is collected, used, and shared. Each of the six privacy laws requires organizations to present a privacy notice to consumers at the time of collection, and these notices must contain certain information. Typically, the information required in a privacy notice includes details about your organization, how personal information is used, individuals' privacy rights, and how those rights can be exercised.

While there have been few enforcement actions taken under US privacy laws to date, as more laws enter into force in 2023, highly visible areas of compliance – such as providing a privacy notice – are likely to come under scrutiny. This is a pattern that can be seen in Europe, where fines for information provision obligations are among the most common enforcement actions issued. 

Priority 2: Automation and operational efficiency

Organizations that are further along the maturity curve and that have addressed the most visible areas of compliance can begin to consider automation and building operational efficiency to run a US privacy program at scale. Making the step from manual processing to automation can seem like a big undertaking; however, streamlining areas such as DSAR, risk assessment, and incident response processes can save time and resources and more importantly, help ensure you are handling consumers’ personal information accurately and appropriately. 

Data discovery and mapping

 


 

A foundational step in any privacy program is a data discovery and mapping exercise. With differing definitions of Sensitive Personal Information, opt-out requirements, and disclosure requirements from state to state, the necessity to perform this exercise becomes more apparent for US organizations to have a clear and comprehensive understanding of their data.

While data mapping is not a requirement found under US state privacy laws, having a comprehensive data map can assist your organization when fulfilling consumer and employee rights, meeting data minimization requirements, managing third-party risk, and responding to security incidents. 

Privacy Impact Assessments (PIAs)

Anyone who is familiar with the General Data Protection Regulation (GDPR) will be all too aware of the need to conduct Data Protection Impact Assessments (DPIAs), known more commonly across the Atlantic as Privacy Impact Assessments (PIAs). PIAs help organizations understand the level of risk that certain processing activities will pose to consumers. Understanding when and how to conduct a PIA in compliance with US privacy laws can become challenging, and with the privacy landscape set to continue developing, the challenge will only become greater.

 


 

When is a PIA required?

Currently, the CPRA has a broad threshold for conducting a Privacy Impact Assessment, stating “Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.”  The California Privacy Protection Agency (CPPA) is expected to issue further regulations on this topic; however, until these regulations are issued, organizations must interpret whether their processing activities pose a significant risk without guidance. The CPPA met in February 2022 to discuss the CPRA rulemaking process and final CPRA regulations are expected to be released in the second half of 2022. 

The CDPA, CPA, and CTDPA are more prescriptive in their approach to PIAs, outlining several specific activities that require a PIA, including: 

  • Processing of personal data for targeted advertising
  • The sale of personal data
  • Processing of personal data for profiling under certain circumstances
  • Processing of sensitive data
  • Processing activities involving personal data that present a heightened risk of harm to consumers

And, under the CDPA and CTDPA, a PIA completed to comply with another privacy law can satisfy the assessment requirement, so long as it has a reasonably similar scope and effect.

The UCPA and ICDPA do not require a PIA, but conducting one is best practice for organizations operating across multiple jurisdictions.

What should be included in a PIA? 

Understanding how to perform a PIA and what to include is also an important element for creating operational efficiency. A general theme can be seen across all state privacy laws that require a PIA; businesses performing a PIA should balance the benefits that the activity presents to the business against the risk it will pose to the consumer.  

On a more granular level, when performing a PIA under US state privacy laws, organizations should also consider:

  • The context of processing  
  • The relationship between the controller and the consumer whose personal data will be processed  
  • The reasonable expectations of consumers  
  • The use of de-identified data 

Upon completion of a PIA, organizations should document and retain the assessment for transparency and accountability with regulators if they come knocking. PIAs should also be reviewed regularly, and the risks highlighted by the assessments should be recognized and mitigated.

Incident management

Traditionally, breach notification requirements have sat outside of the comprehensive state privacy laws that have emerged over the past four years. In fact, each of the 50 states has its own breach notification requirements, which makes understanding your responsibilities for reporting a security incident particularly complex. This includes an understanding of the timeline for notifications, who should be notified, and how. Even the ADPPA’s preemption of state law doesn’t help to solve this problem, as breach notification laws are exempt from preemption under Section 404 (b)(2).

Whichever individual state requirements might apply in specific scenarios, there are several steps that organizations should take in response to a security incident: 

  1. Be prepared, establish an intake process, and understand the next steps when you are alerted to an incident 
  2. Investigate what happened and if personal or sensitive personal information is involved  
  3. Assess the incident to understand the extent and severity of the incident 
  4. Define a remediation strategy, limit damage, and collect and preserve evidence 
  5. Notify regulators, individuals, and third parties where applicable 

Another vital part of an incident management strategy is being prepared for a rise in privacy rights requests in the fallout of any incident. Regulators in Europe have commented on this issue, stating “As a result of a breach, an organization may experience a higher volume of data protection requests or complaints, particularly in relation to access requests and erasure.” 

Third-party risk management

Third-party risk management (TPRM) is a crucial component of any compliance program that helps to identify and reduce operational risk. TPRM is equally vital in the context of US privacy, where incoming laws all contain provisions for contractual obligations between businesses and service providers when sharing personal information. Developing a TPRM program can help organizations to build an understanding of the third parties they use, how they use them, and what safeguards their third parties have in place in order to identify and mitigate potential risks. 

Priority 3: Building trust

As your privacy program matures and your privacy operations are running at full efficiency, privacy teams can focus their attention beyond compliance. Compliance should be seen as a baseline for privacy operations and organizations should consider developing aspects of their program beyond what they have to do toward what they should be doing. 

This view beyond compliance helps to drive more effective, ethical, and trusted use of data. Maintaining good privacy operations is at the heart of building consumer and stakeholder trust.

Managing sensitive personal information (SPI)

SPI typically relates to some of the most confidential and personal elements of an individual’s life. As a result, US privacy laws place stricter rules for the collection and usage of SPI, meaning that organizations that process SPI must take careful steps to ensure they are handling it within the boundaries of the law. 

 


 

Understanding exactly what information is classed as SPI under each state privacy law can be complex. SPI can include biometric information, political opinions, information related to sex life or sexual orientation, and philosophical beliefs. There are some characteristics such as race, ethnic origin, religious beliefs, and genetic data that are consistently classified as SPI under the CPRA, CDPA, CPA, UCPA, and CTDPA. When organizations don’t know what SPI they have, they are unable to apply appropriate protections and policies to it, leaving the information potentially vulnerable to external threats and in violation of US state privacy laws. 

 

Table showing which categories of information each state privacy law treats as sensitive personal information.

 

There are also specific requirements on how organizations may use SPI. Under the CCPA as amended by the CPRA, the ICDPA, and the UCPA, controllers must give consumers notice and an opportunity to opt out (in California, to limit use) before processing sensitive data. Under the CCPA as amended, businesses must also provide a clear and conspicuous link on their internet homepage, titled "Limit the Use of My Sensitive Personal Information," through which consumers can exercise this right.

The CDPA, CPA, and CTDPA require controllers to obtain the consumer's affirmative consent before processing SPI, and, as noted in the PIA section above, all three also require an assessment before sensitive data is processed.

Organizations that process SPI should conduct data discovery exercises and map this data in a centralized inventory to have a clear view of what SPI they hold. Accurately classifying this information helps you apply the correct information security safeguards and data governance policies, document opt-in consent for the CDPA, CPA, and CTDPA, and honor limit-use and opt-out requests for the CCPA as amended and the UCPA.

Automating data retention

Data retention policies place a responsibility on the organization to manage the information it holds about data subjects and set limits on how long that information can be held. The CCPA as amended by the CPRA requires businesses to disclose how long they retain each category of personal information and not to retain it longer than reasonably necessary for the disclosed purpose, but it does not set retention periods itself; those come from other statutes and from recommended practice within the state. For example, the California Fair Employment and Housing Act (FEHA) sets out statutory minimum periods for which employers must keep employment records, such as successful and unsuccessful candidate information, employee medical records, and information relating to the right to work. Additionally, Division 3 of the California Civil Code highlights recommended retention periods for sales and marketing information such as customer records, marketing records including data used for direct marketing, and data subject access request (DSAR) records.

 

Slide mapping out what a retention schedule contains.

 

In comparison, fewer retention periods are specified by law in Virginia and Colorado. § 59.1-579(B)(2) of the CDPA sets out a general provision for controllers: controller-processor contracts must require the processor, among other things, to delete or return all personal data to the controller at the controller's direction at the end of the provision of services, unless retention of the personal data is required by law. The CPA uses similar language but does not elaborate on specific retention schedules for personal information.

 


 

One of the central challenges for managing data retention policies is that required and recommended retention periods don’t only vary by state, but they also vary drastically according to the type of data record. Therefore, documenting the retention periods that need to be applied to each type of data record in your data map is critical. Once you’ve set the appropriate retention periods, these can subsequently be managed by automating the destruction, archiving, or redaction of that data and communicating the expiration of these policies downstream to the relevant stakeholders and third parties. 
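As an added example, not OneTrust code, the following JavaScript shows the automation step just described: a retention schedule documented per record type is run over an inventory and each record is assigned an action. The record types, periods and inventory are constructed for illustration and are not taken from any statute; real periods come from the data map. Two edge cases a practitioner needs are built in: a record under legal hold is never destroyed, and a record whose type has no documented policy, or whose date cannot be parsed, is routed to human review rather than silently deleted or silently kept.

```javascript
// Added example (not OneTrust code): run a documented retention schedule over
// a record inventory and decide what happens to each record.
// Record types, periods and the inventory are constructed for illustration;
// real periods come from the statutes and policies recorded in your data map.

const DAY_MS = 24 * 60 * 60 * 1000;

// Retention schedule keyed by record type: days to keep after createdAt,
// and the action to take once that period has expired.
const RETENTION_SCHEDULE = {
  'candidate-application': { retainDays: 4 * 365, action: 'destroy' },
  'dsar-record':           { retainDays: 2 * 365, action: 'archive' },
  'marketing-list-entry':  { retainDays: 365,     action: 'redact'  },
};

// Decide one record. Never throws on bad input so a malformed record cannot
// halt a scheduled job; anything the policy cannot decide goes to review.
function evaluateRecord(record, schedule, nowMs) {
  if (record.legalHold === true) {
    return { id: record.id, decision: 'hold', reason: 'legal hold suspends destruction' };
  }
  const policy = schedule[record.type];
  if (!policy) {
    return { id: record.id, decision: 'review', reason: `no policy for type ${record.type}` };
  }
  const createdMs = Date.parse(record.createdAt);
  if (Number.isNaN(createdMs)) {
    return { id: record.id, decision: 'review', reason: 'unparseable createdAt' };
  }
  const ageDays = Math.floor((nowMs - createdMs) / DAY_MS);
  if (ageDays < policy.retainDays) {
    return { id: record.id, decision: 'retain', reason: `${policy.retainDays - ageDays} days remaining` };
  }
  return { id: record.id, decision: policy.action, reason: `expired ${ageDays - policy.retainDays} days ago` };
}

// Group decisions by action so each downstream system or third party gets
// one notification per action rather than one per record.
function runRetention(records, schedule, nowMs) {
  const plan = { destroy: [], archive: [], redact: [], retain: [], hold: [], review: [] };
  for (const record of records) {
    const result = evaluateRecord(record, schedule, nowMs);
    (plan[result.decision] ||= []).push(result);
  }
  return plan;
}

// Constructed inventory; timestamps are UTC ISO 8601.
const SAMPLE_RECORDS = [
  { id: 'r1', type: 'candidate-application', createdAt: '2017-03-01T00:00:00Z' },
  { id: 'r2', type: 'candidate-application', createdAt: '2017-03-01T00:00:00Z', legalHold: true },
  { id: 'r3', type: 'dsar-record',           createdAt: '2022-12-01T00:00:00Z' },
  { id: 'r4', type: 'marketing-list-entry',  createdAt: '2021-06-15T00:00:00Z' },
  { id: 'r5', type: 'payroll-export',        createdAt: '2020-01-01T00:00:00Z' },
  { id: 'r6', type: 'dsar-record',           createdAt: 'not-a-date' },
];

// Evaluate as of a fixed date so the run is reproducible.
const AS_OF_MS = Date.parse('2023-01-01T00:00:00Z');

for (const [action, items] of Object.entries(runRetention(SAMPLE_RECORDS, RETENTION_SCHEDULE, AS_OF_MS))) {
  console.log(action.padEnd(8), items.map((r) => `${r.id} (${r.reason})`).join('; ') || '-');
}
```

The `review` bucket is the important one operationally: it is where schema drift shows up (a new record type added to a system without a retention entry in the data map), and it should page someone rather than be ignored, because every record sitting there is either being kept past its period or is at risk of being deleted by a future rule change.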

 


Organizations have a challenge ahead of them to understand the requirements of the incoming US privacy patchwork and implement a compliant privacy program. Join the OneTrust US Privacy Masterclass program, or catch up on demand, to deep-dive into the US privacy landscape, consumer and employee rights, privacy risk assessments, and the steps you can take now not only to meet compliance in 2023 but to move beyond it.


You may also like

Webinar

Privacy Management

Preparing for the future of privacy in healthcare: Going beyond HIPAA compliance

Join us for a discussion on preparing your organization for healthcare privacy compliance that goes beyond HIPAA.

July 11, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: Minnesota and Vermont join the US privacy landscape

In this webinar, OneTrust DataGuidance and expert contributors unpack the MCPA and VDPA, examining the requirements, exceptions, and practical implications of the legislations on the data controllers and processors.

June 17, 2024

Learn more

Webinar

Privacy Management

From legislation to operation: How to prepare for the new wave of US Privacy laws

Prepare your organization for the new wave of US privacy laws.

June 06, 2024

Learn more

Checklist

Third-Party Risk

TPRM privacy compliance: Questions to ask when working with third parties

Download this checklist to learn what questions to ask when designing a third-party risk management program that enables privacy compliance.

May 31, 2024

Learn more

Infographic

Comparing US state privacy law requirements

Download our infographic and compare the many US state privacy law requirements that have been enacted or will soon come into effect.

May 14, 2024

Learn more

Webinar

Privacy Management

Federal US privacy bill on the horizon? Exploring the draft APRA & new state privacy legislation

Join OneTrust DataGuidance and expert contributors for an overview of the Kentucky Consumer Privacy Act (KCPA), Maryland's Senate Bill 0541, and the draft American Privacy Rights Act and explore how a federal bill could shape the US privacy landscape.

April 23, 2024

Learn more

Infographic

Privacy Management

US state privacy laws timeline

View our timeline to understand the progression of current US state privacy laws and key dates.

April 23, 2024

Learn more

Webinar

Privacy Management

Spring into action! Navigating CPRA: Ensuring compliance and protecting privacy

Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.

March 21, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: New Jersey and New Hampshire join the US privacy landscape

Join OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.

February 01, 2024

Learn more

Webinar

Privacy Automation

Embedding Privacy by Design through PIA Automation

Join us for a webinar on Embedding Privacy by Design through PIA Automation.

January 11, 2024

Learn more

Webinar

Privacy Management

Automating fulfillment of subject rights requests in the US

Learn how Privacy Rights Automation helps to fully automate privacy rights requests. 

December 06, 2023

Learn more

Webinar

Privacy Management

December's deadline: Ensuring compliance with Utah's privacy regulation

Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.

November 14, 2023

Learn more

Webinar

Privacy Management

The road to privacy compliance: A spotlight on Oregon & Delaware legislation

We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.

September 14, 2023

Learn more

Regulation Book

Privacy Management

Utah Consumer Privacy Act law book

Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.

September 04, 2023

Learn more

Blog

Privacy Management

The road to 50 states: Delaware and Oregon join the US privacy landscape

Get in-depth analysis on two upcoming US privacy laws, the Oregon Consumer Privacy Act (OCPA) and the Delaware Personal Data Privacy Act (DPDPA), with OneTrust DataGuidance and a panel of experts.

August 10, 2023

Learn more

Resource Kit

Privacy Management

EU-US Data Privacy Framework resource kit

Download our EU-US Data Privacy Framework resource kit to better understand the new agreement for cross-border personal data transfers and how to educate your stakeholders.

July 20, 2023

Learn more

Resource Kit

Privacy & Data Governance

US privacy resource kit

Download our US privacy resource kit designed to access a range of materials to help you understand how the US privacy landscape is evolving.

July 13, 2023

Learn more

Webinar

Privacy Management

Now in effect: Colorado and Connecticut privacy laws

In this free webinar, our privacy experts delve into the new Colorado and Connecticut privacy laws and how they differ from other US state regulations.

July 12, 2023

Learn more

Webinar

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more

Infographic

Consent & Preferences

Navigating Google's new CMP requirements

Adapt to Google's June 2023 CMP requirements with this infographic and confidently engage your audience while staying compliant.

June 20, 2023

Learn more

Webinar

Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidance and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences for marketers

Download this eBook and learn how marketers can apply consent and preference principles to build a relationship with their audience built on trust.

June 02, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more

Webinar

Privacy Management

Understanding Washington's My Health My Data Act

The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.

May 18, 2023

Learn more

Webinar

Privacy & Data Governance

Operationalizing the Iowa Consumer Data Protection Act

Join the privacy experts at OneTrust for an update on Iowa's new privacy law and learn its key requirements and more.

May 16, 2023

Learn more

White Paper

AI Governance

Navigating responsible AI: A privacy professional's guide

Download our white paper and learn how privacy teams help organizations establish and implement policies that ensure AI applications are responsible and ethical.

May 03, 2023

Learn more

Blog

Privacy & Data Governance

Comparing US privacy law exemptions infographic

Learn how to navigate the new US privacy law exemptions and see how they compare.

May 01, 2023

Learn more

Webinar

Privacy & Data Governance

Automate subject rights requests for compliance with US state privacy laws

Join this interactive webinar to learn how OneTrust Privacy Rights Automation helps you to fully automate privacy rights requests for your organization.

April 19, 2023

Learn more

Webinar

Privacy & Data Governance

Iowa joins US privacy landscape with a new law

OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.

April 10, 2023

Learn more

Webinar

Privacy & Data Governance

USA biometric laws: Key considerations and emerging trends

Biometric laws are emerging, and companies must ensure compliance to avoid hefty fines. Join the OneTrust DataGuidance panel of experts to learn more.

April 06, 2023

Learn more

Infographic

Privacy Management

US privacy in 2023: Top 3 compliance priorities

Businesses at different stages of privacy maturity will need to approach US privacy compliance in different ways. Download the infographic to learn more.

March 08, 2023

Learn more

Webinar

Privacy & Data Governance

Assess privacy risk for compliance with US state privacy laws

Join this US Privacy Demo Series webinar to see a live demo of the OneTrust automation solution for privacy risk and data protection assessments (PIAs).

March 01, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Employee rights fulfilment

Learn the steps you can take to boost employee trust in compliance with US Privacy Laws in our US Privacy Masterclass on Employee Rights Fulfilment.

February 07, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Consumer rights & opt-outs

Join us in our US Privacy Masterclass as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

February 07, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - risk and DPIAs

Join us in our US Privacy Masterclass on Risk and DPIAs to understand the operational components for risk assessments/data protection assessments.

February 06, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - retention & minimization

Our US Privacy Masterclass on Retention & Minimization will help you understand data policy requirements across US Privacy Laws.

February 06, 2023

Learn more

Webinar

Privacy Management

Data Privacy Day: Protiviti & OneTrust

Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.

January 26, 2023

Learn more

Checklist

Privacy Management

7 steps to CPRA compliance

Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.

January 24, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to US opt-out requirements

Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.

January 23, 2023

Learn more

Webinar

Privacy Management

Expanded US consumer rights: What’s new and what should you do?

Join our experts to understand the operational impact of these newly-expanded US consumer rights and how to automate consumer rights request fulfillment.

August 25, 2022

Learn more

Webinar

Privacy Management

Privacy risk assessments in the US: Why, when, and what?

In this webinar, OneTrust experts discuss requirements for conducting PIAs: why they exist, when you should do them, and what they should include.

August 24, 2022

Learn more

Webinar

Privacy & Data Governance

A US federal privacy bill is on the horizon: get to know the ADPPA webinar

In this session, legal experts Michelle Schaap and Andy Lee are joined by OneTrust DataGuidance to provide an overview of what the ADPPA entails.

August 17, 2022

Learn more

Webinar

Privacy Management

Establishing and enforcing retention policies

Attend our webinar, "Establishing and enforcing retention policies," part of the US Privacy Laws Masterclass Series.

July 27, 2022

Learn more

eBook

Privacy & Data Governance

How to comply with the CCPA opt-out requirement

Download this guide to learn how you can comply with the CCPA's opt-out requirements to get on the right track to CCPA compliance.

July 22, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more

Webinar

Privacy Management

Utah and Connecticut: Latest additions to the US Privacy landscape

Watch our webinars on the latest privacy laws from Utah and Connecticut and what you need to know to prepare in 2023.

June 17, 2022

Learn more

Webinar

Privacy & Data Governance

US privacy laws & regulations: answering your biggest questions

Join us for a Q&A on the several US state laws going into effect in 2023.

June 16, 2022

Learn more

eBook

Privacy & Data Governance

Comparing US state privacy laws

Download this eBook and explore the key areas of US state privacy laws and how they compare. 

June 15, 2022

Learn more

Resource Kit

Privacy Management

Your US privacy masterclass resource kit

These resources provide key information on US privacy law through blogs, webinars, and eBooks.

April 26, 2022

Learn more

Checklist

Privacy & Data Governance

6 step checklist for compliance with US privacy laws

Download our six step checklist for US privacy laws and ensure that your company remains compliant in 2023.

March 29, 2022

Learn more

Webinar

Privacy & Data Governance

Utah joins the US Privacy landscape with new comprehensive law

Join us for an overview of Utah's Consumer Privacy Act (UCPA) and its impact on your organization.

March 25, 2022

Learn more

Webinar

Privacy Management

Overview: Understanding the trio of US privacy laws

Attend our webinar, to better understand privacy laws in the US.

March 23, 2022

Learn more

Webinar

Privacy Management

New to US privacy: Privacy impact assessments

Watch our webinar as we discuss privacy impact assessments and how they relate to US privacy laws.

March 23, 2022

Learn more

Webinar

Privacy Management

Navigating opt-out of sale vs. share

Watch our US Privacy Law masterclass to learn about opt-out of sale and share requirements and best practices for approaching compliance.

March 23, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 3

Watch our webinar on US privacy laws and gain insight on effective personal information management strategies.

February 02, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 2

Join us for an overview of US privacy laws and strategies for dealing with compliance.

January 11, 2022

Learn more

Webinar

Privacy Management

[Part 1] US Privacy Series: Establishing a foundation for compliance

In the first part of our US Privacy Series, we discuss US privacy laws such as the CPRA and best practices towards compliance. 

December 21, 2021

Learn more

Infographic

Privacy & Data Governance

Employee rights under the CPRA

Download our infographic on employee rights under the CPRA to help prepare for the law's expansion under the CPRA.

December 07, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

eBook

Privacy & Data Governance

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more

Webinar

US Privacy Masterclass: Countdown to 2023 compliance

Join this US Privacy Masterclass series as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

Learn more

Webinar

Privacy Management

US Privacy Masterclass 2022

Watch the OneTrust US Privacy Masterclass series and gain insight on the major US privacy law and best practices.

Learn more