Data Privacy Law
Knowledge Base

Plain-language guides to U.S. data privacy law — covering the CCPA/CPRA, the 21+ state privacy law landscape, and the proposed federal SECURE Data Act. Whether you are navigating California compliance, multi-state obligations, or preparing for federal preemption, this knowledge base covers the critical topics business owners and legal teams need to understand.


Key Statistics: U.S. Data Privacy Landscape

Sources: IAPP State Privacy Legislation Tracker; FTC Annual Highlights; SECURE Data Act (H.R. 8413, 118th Congress); CCPA (Cal. Civ. Code § 1798.100 et seq.); CPRA (Proposition 24, 2020). Last updated May 2025.

States with Privacy Laws

21+

U.S. states with comprehensive consumer privacy laws enacted as of 2025

CCPA Coverage Threshold

100,000+

California consumers or households whose personal information the business annually buys, sells, or shares; one of three CCPA coverage triggers

CCPA Max Penalty

$7,500

Per intentional violation — each consumer record counts as a separate violation

SECURE Act Coverage

200,000+

U.S. consumers processed annually for SECURE Data Act coverage threshold

Breach Notification Window

72 Hours

To notify FTC after discovering a breach affecting 500+ consumers (SECURE Data Act)

Consumer Rights Response

45 Days

Standard response window for consumer rights requests under CCPA and most state laws

Federal Legislation | 6 min read | May 2026

What Is the SECURE Data Act? A Plain-Language Guide for Business Owners

The SECURE Data Act is a proposed federal privacy law that would create a single national standard for how businesses collect, use, and protect consumer data — replacing the current patchwork of 21+ state laws.

Quick Answer

What does the SECURE Data Act require businesses to do?

The SECURE Data Act requires covered businesses to provide consumers with rights to access, correct, delete, and port their personal data. It mandates opt-in consent for sensitive data categories, requires data minimization practices, and obligates companies to conduct data protection assessments for high-risk processing activities. Businesses must also designate a privacy officer and maintain written data protection programs.

Preemption & Compliance | 7 min read | May 2026

Federal Preemption Under the SECURE Data Act: What Happens to State Privacy Laws?

If enacted, the SECURE Data Act would preempt all existing state privacy laws — including California's CCPA/CPRA, Virginia's VCDPA, and 19 other state frameworks — replacing them with a single federal standard.

Quick Answer

Will the SECURE Data Act replace state privacy laws like CCPA?

Yes. The SECURE Data Act contains a broad preemption clause that would nullify any state law "relating to" its provisions. This means California's CCPA and CPRA, Virginia's VCDPA, Colorado's CPA, and all other state privacy frameworks would be superseded upon enactment. Businesses currently complying with multiple state laws would transition to a single federal compliance standard, though some state laws addressing specific sectors (like Illinois BIPA for biometrics) may survive depending on final legislative language.

Business Applicability | 5 min read | May 2026

Is My Business Covered by the SECURE Data Act? Coverage Thresholds Explained

Not every business will be subject to the SECURE Data Act. Coverage depends on the volume of consumer data processed and annual revenue. Here's how to determine if your business falls within scope.

Quick Answer

What businesses are covered by the SECURE Data Act?

The SECURE Data Act covers businesses that either (1) process personal data of 200,000 or more U.S. consumers annually, or (2) process data of 100,000 or more consumers and derive 25% or more of their revenue from selling personal data. A small business exemption applies to companies with less than $25 million in annual revenue. Notably, the Act covers "controllers" (entities that determine the purpose and means of processing) and "processors" (entities that process data on behalf of controllers) differently, with controllers bearing the primary compliance burden.

Compliance Planning | 8 min read | May 2026

SECURE Data Act Compliance Roadmap: 5 Steps Every Business Should Take Now

The SECURE Data Act has not yet passed, but businesses that begin compliance preparation now will be significantly better positioned when — and if — it becomes law. Here is a practical five-step roadmap.

Quick Answer

How should businesses prepare for the SECURE Data Act?

Businesses should begin SECURE Data Act preparation with a data inventory audit to map all personal data collected, stored, and shared. Next, conduct a gap analysis comparing current practices against the Act's requirements. Third, update or create a written privacy program including a public-facing privacy notice, internal data handling procedures, and a data breach response plan. Fourth, implement technical and organizational controls for data minimization, access management, and consumer rights fulfillment. Fifth, engage qualified privacy counsel to review your program and monitor legislative developments. Early preparation reduces cost and risk compared to reactive compliance after enactment.

Comparative Analysis | 7 min read | May 2026

SECURE Data Act vs. GDPR: How Does the U.S. Proposal Compare to European Privacy Law?

The SECURE Data Act draws inspiration from the EU's General Data Protection Regulation (GDPR) but differs in key areas including enforcement mechanisms, consent standards, and the scope of consumer rights.

Quick Answer

How does the SECURE Data Act compare to GDPR?

The SECURE Data Act and GDPR share foundational principles (data minimization, consumer rights, accountability) but differ significantly in enforcement and scope. GDPR gives individuals the right to lodge complaints and to sue for damages, and allows administrative fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher; the SECURE Data Act relies solely on FTC and state AG enforcement with no private right of action. GDPR requires a lawful basis for all processing; the SECURE Data Act uses an opt-out model for general data and opt-in only for sensitive categories. GDPR reaches any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behavior; the SECURE Data Act applies to U.S. companies meeting its coverage thresholds. Both require data protection assessments for high-risk processing and mandate breach notification.

Enforcement & Penalties | 6 min read | May 2026

SECURE Data Act Enforcement: Who Enforces It and What Are the Penalties?

The SECURE Data Act places enforcement authority with the FTC and state attorneys general — with no private right of action for consumers. Understanding the penalty structure helps businesses assess their compliance risk exposure.

Quick Answer

What are the penalties for violating the SECURE Data Act?

Under the SECURE Data Act, the Federal Trade Commission (FTC) serves as the primary enforcement authority and may pursue civil penalties for violations. The Act authorizes penalties of up to $10,000 per violation per day for knowing or willful violations, with total penalties potentially reaching tens of millions of dollars for systemic non-compliance. State attorneys general may also bring civil actions on behalf of state residents. Critically, the Act does not include a private right of action, meaning individual consumers cannot sue businesses directly — a significant departure from California's CPRA, which allows limited private lawsuits. The FTC is also authorized to issue implementing regulations that may further define penalty structures post-enactment.

Consumer Rights | 5 min read | May 2026

Consumer Rights Under the SECURE Data Act: Access, Correction, Deletion, and Portability

The SECURE Data Act grants U.S. consumers four core data rights — access, correction, deletion, and portability. Businesses must build operational processes to fulfill these rights within prescribed timeframes.

Quick Answer

What rights do consumers have under the SECURE Data Act?

The SECURE Data Act grants consumers four primary rights over their personal data. The right of access allows consumers to request confirmation of whether a business processes their data and to obtain a copy of that data. The right of correction enables consumers to request that inaccurate personal data be corrected. The right of deletion allows consumers to request erasure of their personal data, subject to certain exceptions for legal obligations and legitimate business purposes. The right of portability requires businesses to provide data in a structured, commonly used, machine-readable format upon request. Businesses must respond to verified consumer requests within 45 days, with a possible 45-day extension for complex requests. Businesses may not charge fees for fulfilling these requests.

Compliance Planning | 7 min read | May 2026

Data Protection Assessments Under the SECURE Data Act: When Are They Required?

The SECURE Data Act mandates data protection assessments (DPAs) for high-risk processing activities. Understanding when a DPA is required — and what it must cover — is essential for covered businesses.

Quick Answer

When does the SECURE Data Act require a data protection assessment?

The SECURE Data Act requires covered businesses to conduct and document data protection assessments before engaging in processing activities that present a heightened risk to consumers. Mandatory DPA triggers include: processing sensitive personal data, processing data for targeted advertising, selling personal data to third parties, processing data for profiling that produces legal or similarly significant effects, and any processing that presents a reasonably foreseeable risk of harm to consumers. DPAs must weigh the benefits of the processing against the risks to consumers and document the safeguards implemented to mitigate those risks. The FTC may request DPAs during investigations, making thorough documentation critical. DPAs must be updated when processing activities materially change.

Data Classification | 6 min read | May 2026

Third-Party Data Sharing Under the SECURE Data Act: Contracts, Processors, and Liability

The SECURE Data Act imposes specific requirements on how businesses share personal data with third parties — including mandatory contractual provisions, processor obligations, and controller liability for downstream data misuse.

Quick Answer

What does the SECURE Data Act require for sharing data with third parties?

The SECURE Data Act requires controllers to enter into written contracts with processors before sharing personal data for processing on their behalf. These contracts must specify the nature and purpose of processing, the types of data involved, the duration of processing, and the obligations and rights of both parties. Processors are prohibited from processing data beyond the scope of the controller's instructions. Controllers remain liable for processor violations if they fail to conduct reasonable due diligence or continue using a processor after discovering non-compliance. Third-party data sales — distinct from processor relationships — require consumer opt-out rights and must be disclosed in the business's privacy notice. Businesses that sell data must also honor opt-out requests from consumers who do not wish their data sold.

Business Applicability | 5 min read | May 2026

Privacy Notice Requirements Under the SECURE Data Act: What Must Be Disclosed?

The SECURE Data Act requires covered businesses to maintain a clear, accessible privacy notice that discloses their data practices. Here is exactly what the notice must contain and how it must be presented to consumers.

Quick Answer

What must a privacy notice include under the SECURE Data Act?

The SECURE Data Act requires covered businesses to provide a privacy notice that is reasonably accessible, clear, and written in plain language. The notice must disclose: the categories of personal data collected and the purposes for which each category is processed; whether the business sells personal data or processes it for targeted advertising; the categories of third parties with whom data is shared; how consumers can exercise their rights of access, correction, deletion, and portability; how consumers can opt out of data sales and targeted advertising; the business's contact information for privacy inquiries; and the effective date of the notice. The notice must be provided at or before the point of data collection and must be updated within 30 days of any material change to data practices. Businesses operating websites must post the notice in a conspicuous location.

Enforcement & Penalties | 6 min read | May 2026

Data Breach Notification Under the SECURE Data Act: Timelines and Obligations

The SECURE Data Act establishes federal breach notification requirements that would supersede the current patchwork of 50 state breach notification laws. Here is what businesses need to know about timelines, triggers, and required disclosures.

Quick Answer

What are the breach notification requirements under the SECURE Data Act?

The SECURE Data Act requires covered businesses to notify affected consumers and the FTC following a data breach involving personal data. Notification to the FTC must occur within 72 hours of discovering a breach that affects 500 or more consumers. Consumer notification must follow without unreasonable delay and must include: a description of the breach, the types of data involved, steps the business is taking to address the breach, and guidance on steps consumers can take to protect themselves. For breaches involving sensitive data categories, expedited notification timelines apply. The Act preempts all state breach notification laws, creating a single federal standard. Businesses that experience a breach and fail to notify within required timelines face enhanced civil penalties.

Compliance Planning | 5 min read | May 2026

Data Minimization Under the SECURE Data Act: What It Means and How to Comply

The SECURE Data Act requires businesses to collect only the personal data that is reasonably necessary for a disclosed purpose — a principle known as data minimization. Here is what that means in practice and how to build compliant data collection processes.

Quick Answer

What does data minimization mean under the SECURE Data Act?

Data minimization under the SECURE Data Act means that covered businesses may only collect, process, and retain personal data that is reasonably necessary, proportionate, and limited to what is required to fulfill a specific, disclosed purpose. Businesses cannot collect data "just in case" it may be useful later. In practice, this requires reviewing every data collection point — web forms, analytics tools, cookies, mobile apps, and third-party integrations — and eliminating fields or tracking mechanisms that exceed the stated purpose. Retention schedules must also reflect minimization: data should be deleted or de-identified once it is no longer needed for the purpose for which it was collected. Businesses that cannot articulate a clear, disclosed purpose for each data element they collect are at significant compliance risk.
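The retention half of data minimization is the part most easily automated. The following is an added example for this knowledge base, not code from any statute, regulator, or vendor: a small retention-schedule enforcer that refuses records carrying fields with no declared purpose, deletes fields whose purpose has lapsed, and pseudonymizes fields that are still needed in aggregate. The inventory, field names, purposes, retention periods, key and sample record are all constructed for illustration.

```python
"""Retention-schedule enforcement as a data-minimization control.

Added example, not code from the knowledge base or any statute. The
inventory, purposes, retention periods and sample record below are
constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed data inventory: one entry per field the intake form collects,
# naming the disclosed purpose, how many days that purpose needs the raw
# value, and what happens at expiry. retain_days=None means the value is
# needed for the life of the account, so it has no time-based expiry.
INVENTORY = {
    "email":      {"purpose": "account_login",  "retain_days": None, "expiry": "keep"},
    "ship_addr":  {"purpose": "order_delivery", "retain_days": 90,   "expiry": "delete"},
    "ip_address": {"purpose": "fraud_review",   "retain_days": 30,   "expiry": "pseudonymize"},
}
BOOKKEEPING = {"id", "collected_at"}   # record metadata, not consumer data


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def undeclared_fields(record: dict) -> set:
    """Fields in a record that no inventory entry (no disclosed purpose) justifies."""
    return set(record) - set(INVENTORY) - BOOKKEEPING


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed token: expired values can still be counted or linked, not reversed.

    A bare hash of an IP address is not de-identification, since the whole
    IPv4 space can be hashed in seconds. The HMAC key must live outside the
    data store (e.g. a secrets manager); otherwise the token is reversible too.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(record: dict, now: datetime, key: bytes) -> dict:
    """Return a copy of record with fields past retention deleted or pseudonymized.

    Refuses records carrying fields with no disclosed purpose, so "just in
    case" collection fails loudly instead of being retained quietly.
    """
    extra = undeclared_fields(record)
    if extra:
        raise ValueError(f"fields with no disclosed purpose: {sorted(extra)}")
    age = now - record["collected_at"]
    kept = {}
    for field, value in record.items():
        rule = INVENTORY.get(field)           # None for bookkeeping fields
        if rule is None or rule["retain_days"] is None or age <= timedelta(days=rule["retain_days"]):
            kept[field] = value
        elif rule["expiry"] == "pseudonymize":
            kept[field] = pseudonymize(value, key)
        # expiry == "delete": the field is simply not copied
    return kept


if __name__ == "__main__":
    KEY = b"example-only-key"   # constructed; a real key comes from a secrets manager
    order = {                   # constructed sample record
        "id": "o-1", "collected_at": utc(2025, 1, 1),
        "email": "a@example.com", "ship_addr": "1 Main St", "ip_address": "203.0.113.7",
    }
    print(apply_retention(order, utc(2025, 1, 15), KEY))   # everything kept
    print(apply_retention(order, utc(2025, 2, 15), KEY))   # ip_address pseudonymized
    print(apply_retention(order, utc(2025, 6, 1), KEY))    # ship_addr gone as well
    print(undeclared_fields({**order, "ssn": "000-00-0000"}))  # {'ssn'}
```

Run as a scheduled job over the data store, this turns the retention schedule into an enforced control rather than a policy document; the raised error on undeclared fields is deliberate, because a new form field that nobody added to the inventory is exactly the collection the paragraph above warns against.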

Data Classification | 6 min read | May 2026

Targeted Advertising Under the SECURE Data Act: Opt-Out Rights and Business Obligations

The SECURE Data Act treats targeted advertising as a regulated processing activity — requiring businesses to disclose it in their privacy notice and honor consumer opt-out requests. Here is what businesses that run behavioral advertising programs need to know.

Quick Answer

Does the SECURE Data Act restrict targeted advertising?

Yes. The SECURE Data Act classifies targeted advertising — defined as serving ads based on personal data collected across different businesses, websites, or applications — as a regulated processing activity that triggers specific obligations. Businesses engaged in targeted advertising must disclose this practice in their privacy notice and provide consumers with a clear, accessible mechanism to opt out. Unlike sensitive data processing, targeted advertising does not require opt-in consent — but opt-out requests must be honored promptly and cannot be overridden by pre-checked boxes or buried settings. Businesses must also conduct a data protection assessment before initiating or materially expanding a targeted advertising program. Ad networks and data brokers that facilitate targeted advertising on behalf of covered businesses are treated as processors and must operate under written contracts.

Business Applicability | 5 min read | May 2026

Do You Need a Privacy Officer Under the SECURE Data Act?

The SECURE Data Act requires certain covered businesses to designate a qualified privacy officer responsible for overseeing the company's data protection program. Here is who must comply, what the role entails, and how small businesses can meet this requirement.

Quick Answer

Does the SECURE Data Act require businesses to appoint a privacy officer?

Yes. The SECURE Data Act requires covered businesses — those that meet the applicable processing volume or revenue thresholds — to designate a qualified individual responsible for coordinating and overseeing the company's data protection program. This person is commonly referred to as a privacy officer or data protection officer. The privacy officer does not need to be a full-time employee or an attorney; the role can be filled by a qualified consultant, outside counsel, or a senior employee with appropriate training. The privacy officer's responsibilities include maintaining the written privacy program, overseeing consumer rights request fulfillment, managing data protection assessments, and serving as the point of contact for FTC inquiries. For small businesses that qualify for the revenue-based exemption, a formal privacy officer designation is not required — but maintaining basic written data practices is still strongly advisable.

CCPA | 7 min read | May 2026

What Is the CCPA? A Plain-Language Guide to California's Consumer Privacy Act

The California Consumer Privacy Act (CCPA), as amended by the CPRA (approved by voters in 2020 and operative January 1, 2023), is the most comprehensive state privacy law in the U.S. and the de facto national standard for businesses operating at scale. Here is what it requires and who it covers.

Quick Answer

What does the CCPA require businesses to do?

The CCPA (as amended by the CPRA) requires covered businesses to disclose what personal information they collect, the purposes for collection, and whether they sell or share it. Consumers have the right to know, delete, correct, opt out of sale/sharing, and limit use of sensitive personal information. Businesses must respond to consumer requests within 45 days, cannot discriminate against consumers who exercise their rights, and must enter into data processing agreements with service providers. The CPRA also created the California Privacy Protection Agency (CPPA), an independent enforcement body with rulemaking authority.

CCPA | 5 min read | May 2026

Who Must Comply with the CCPA? Coverage Thresholds and Exemptions Explained

The CCPA does not apply to every business. Coverage is determined by revenue, data volume, and data-sale activity. Understanding whether your business is covered — and what exemptions apply — is the first step in any CCPA compliance program.

Quick Answer

Which businesses are required to comply with the CCPA?

The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: (1) annual gross revenues exceeding $25 million (a figure the CPPA adjusts periodically for inflation); (2) annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or (3) deriving 50% or more of annual revenue from selling or sharing California consumers' personal information. Nonprofits and government entities are generally exempt. The limited exemptions for employee and business-to-business data expired on January 1, 2023, so employee, contractor, and B2B contact data is now fully covered. Businesses outside California that serve California residents are also covered if they meet the thresholds.

CCPA | 6 min read | May 2026

CCPA Consumer Rights: Know, Delete, Correct, Opt Out, and Limit Use

The CCPA grants California consumers six distinct rights over their personal information. Businesses must build operational processes to fulfill each right within prescribed timeframes — or face enforcement action from the CPPA or state AG.

Quick Answer

What rights do California consumers have under the CCPA?

Under the CCPA as amended by the CPRA, California consumers have six rights: (1) Right to Know — consumers can request disclosure of what personal information a business collects, uses, discloses, and sells; (2) Right to Delete — consumers can request deletion of their personal information, subject to exceptions; (3) Right to Correct — consumers can request correction of inaccurate personal information; (4) Right to Opt Out of Sale/Sharing — consumers can direct businesses not to sell or share their personal information; (5) Right to Limit Use of Sensitive Personal Information — consumers can restrict use of sensitive PI to necessary purposes; and (6) Right to Non-Discrimination — businesses cannot penalize consumers for exercising their rights. Businesses must respond to requests within 45 days, extendable by 45 days with notice.

CCPA | 6 min read | May 2026

Sensitive Personal Information Under the CCPA/CPRA: Categories and Compliance Obligations

The CPRA created a new category of "sensitive personal information" (SPI) with heightened protections — including a consumer right to limit its use. Businesses that collect SPI must update their privacy notices, implement opt-out mechanisms, and restrict processing to necessary purposes.

Quick Answer

What is sensitive personal information under the CCPA/CPRA?

The CPRA defines sensitive personal information (SPI) to include: Social Security, driver's license, state ID, and passport numbers; account log-in or financial account, debit card, or credit card numbers combined with any required security or access code, password, or credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email, and text messages (unless the business is the intended recipient); genetic data; biometric information processed to uniquely identify a consumer; personal information collected and analyzed concerning health, sex life, or sexual orientation; and, since January 1, 2024, citizenship or immigration status. Businesses that collect SPI must disclose this in their privacy notice, provide consumers with a "Limit the Use of My Sensitive Personal Information" link, and restrict use of SPI to purposes reasonably necessary to provide the requested goods or services, unless the consumer consents to additional uses.

CCPA | 5 min read | May 2026

CCPA Enforcement: Who Enforces It, What Are the Penalties, and Recent Actions

The CCPA is enforced by both the California Privacy Protection Agency (CPPA) and the California Attorney General. With penalties up to $7,500 per intentional violation and a limited private right of action for data breaches, the enforcement risk is real and growing.

Quick Answer

How is the CCPA enforced and what are the penalties?

The CCPA is enforced by two authorities: the California Attorney General (AG), who has brought enforcement actions since 2020, and the California Privacy Protection Agency (CPPA), which gained independent enforcement authority under the CPRA effective July 2023. Civil penalties are up to $2,500 per violation and up to $7,500 per intentional violation or violation involving the personal information of consumers under 16, with each affected consumer treated as a separate violation, so systemic non-compliance can produce multi-million-dollar penalties. The CCPA also includes a limited private right of action for consumers whose non-encrypted or non-redacted personal information is subject to unauthorized access, theft, or disclosure because the business failed to implement reasonable security procedures; statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater. The CPPA has issued regulations on opt-out preference signals (e.g., Global Privacy Control), automated decision-making technology, risk assessments, and cybersecurity audits; under the opt-out preference signal rules, a business that sells or shares personal information must treat a browser-sent signal such as GPC as a valid request to opt out.
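Honoring an opt-out preference signal is a request-handling problem, not a policy one. The following is an added example for this knowledge base, not code from the CPPA, the GPC specification authors, or any web framework: a framework-agnostic handler that recognizes the `Sec-GPC` request header as the Global Privacy Control specification defines it (only the exact value `1` is a signal), treats it as an opt-out of sale or sharing for that request, persists the choice for a known consumer, and builds the `/.well-known/gpc.json` body a site uses to announce support. The header dictionary, `PreferenceStore` class, function names and consumer IDs are assumptions for the example.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Added example, not code from the knowledge base, the CPPA or any framework.
Assumes request headers arrive as a plain dict and that an in-memory
PreferenceStore stands in for the real consumer preference database.
"""
import json
from datetime import date

GPC_HEADER = "sec-gpc"   # request header defined by the GPC specification
GPC_ON = "1"             # the only value the specification treats as a signal


def gpc_signal_present(headers: dict) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    Header names are case-insensitive, so normalize before comparing.
    The spec defines only the value "1"; "0", "true", an empty value or an
    absent header all mean "no signal", which is not the same as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_ON
    return False


class PreferenceStore:
    """Constructed stand-in for whatever stores a consumer's opt-out choice."""

    def __init__(self) -> None:
        self._opted_out: set = set()

    def record_opt_out(self, consumer_id: str) -> None:
        self._opted_out.add(consumer_id)

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self._opted_out


def may_sell_or_share(headers: dict, consumer_id: str, store: PreferenceStore) -> bool:
    """Decide, per request, whether data tied to this request may be sold or shared.

    A valid GPC signal is treated as an opt-out request: it is honored for
    this interaction and, when the consumer is known (logged in), persisted
    so later requests that lack the header stay opted out. An unknown
    consumer (empty consumer_id) is still opted out for this request.
    """
    if gpc_signal_present(headers):
        if consumer_id:
            store.record_opt_out(consumer_id)
        return False
    if consumer_id and store.is_opted_out(consumer_id):
        return False
    return True


def gpc_well_known(last_update: date) -> str:
    """Body for /.well-known/gpc.json, the spec's way for a site to announce GPC support."""
    return json.dumps({"gpc": True, "lastUpdate": last_update.isoformat()})


if __name__ == "__main__":
    store = PreferenceStore()
    # Constructed requests: a browser sending GPC, then the same consumer without it.
    print(may_sell_or_share({"Sec-GPC": "1"}, "c-42", store))   # False
    print(may_sell_or_share({}, "c-42", store))                  # False (persisted)
    print(may_sell_or_share({"Sec-GPC": "0"}, "c-99", store))   # True (not a signal)
    print(gpc_well_known(date(2025, 5, 1)))
```

The check belongs in middleware that runs before any ad-tech or analytics tag decision is made, not in the consent banner: a browser that sends `Sec-GPC: 1` never clicks anything. Pairing the header check with the JavaScript-side `navigator.globalPrivacyControl` property (the same signal exposed to page scripts) covers client-side tags that fire without a server round trip.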

State Privacy Laws | 8 min read | May 2026

The 21+ State Privacy Law Landscape: What Every Business Needs to Know in 2025

As of 2025, more than 21 U.S. states have enacted comprehensive consumer privacy laws — and more are in progress. Businesses operating across state lines face a complex, overlapping patchwork of compliance obligations. Here is a current overview of the state privacy law landscape.

Quick Answer

Which states have comprehensive consumer privacy laws in effect?

As of 2025, the following states have enacted comprehensive consumer privacy laws: California (CCPA/CPRA, effective 2020/2023), Virginia (VCDPA, effective January 2023), Colorado (CPA, effective July 2023), Connecticut (CTDPA, effective July 2023), Utah (UCPA, effective December 2023), Texas (TDPSA, effective July 2024), Florida (FDBR, effective July 2024), Montana (MCDPA, effective October 2024), Oregon (OCPA, effective July 2024), Delaware (DPDPA, effective January 2025), Iowa (ICDPA, effective January 2025), Nebraska (NDPA, effective January 2025), New Hampshire (NHPA, effective January 2025), New Jersey (NJDPA, effective January 2025), Tennessee (TIPA, effective July 2025), Indiana (IDCPA, effective January 2026), Kentucky (KCDPA, effective January 2026), Maryland (MODPA, effective October 2025), Minnesota (Minnesota Consumer Data Privacy Act, effective July 2025), Rhode Island (RIDPA, effective January 2026), and Vermont (VDPA, effective January 2027). Additional states have legislation pending.

State Privacy Laws | 9 min read | May 2026

State Privacy Laws Compared: Key Differences Across Virginia, Colorado, Texas, and Beyond

While most state privacy laws share a common framework — consumer rights, controller/processor obligations, and opt-out rights — they differ in critical ways including coverage thresholds, private rights of action, cure periods, and sensitive data definitions. Here is how the major laws compare.

Quick Answer

How do state privacy laws differ from each other?

State privacy laws share a common architecture (consumer rights to access, deletion, correction, portability and opt-out; controller/processor obligations; data protection assessments) but diverge in important ways. Coverage thresholds vary: Virginia and Colorado cover businesses processing the data of 100,000 or more consumers, or 25,000 or more consumers combined with revenue from data sales; Texas has no consumer-count or revenue threshold and instead exempts businesses that meet the U.S. Small Business Administration's small business definition; Utah requires $25 million or more in revenue and either 100,000 or more consumers or 25,000 consumers plus over 50% of revenue from data sales. Private rights of action differ: California's CPRA allows limited breach-related lawsuits; most other states (Virginia, Colorado, Texas, Florida) provide none. Cure periods also vary: Texas and Virginia allow 30 days to cure violations before enforcement; Colorado's 60-day cure period expired in January 2025; California's CPPA has discretion over whether to offer one at all. Sensitive data definitions and opt-in requirements also differ across states.

State Privacy Laws | 7 min read | May 2026

Multi-State Privacy Compliance: How to Build a Program That Covers All 21+ Laws

Complying with 21+ state privacy laws individually is impractical for most businesses. The most efficient approach is to build a unified compliance program anchored to the most stringent requirements — primarily California's CCPA/CPRA — and layer in state-specific requirements where needed.

Quick Answer

How should businesses approach compliance with multiple state privacy laws?

The most practical approach to multi-state privacy compliance is to build a "highest common denominator" program anchored to California's CCPA/CPRA — the most comprehensive and broadly applicable state law. Because most other state laws are less stringent than CCPA/CPRA, a CCPA-compliant program will satisfy the majority of requirements in Virginia, Colorado, Connecticut, Utah, Texas, and most other states. Key steps include: (1) conducting a data inventory to map all personal data collected and processed; (2) updating your privacy notice to disclose data practices, consumer rights, and opt-out mechanisms; (3) implementing a consumer rights request fulfillment process with 45-day response capability; (4) adding "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links where required; (5) entering into data processing agreements with all service providers; and (6) conducting data protection assessments for high-risk processing. State-specific requirements — such as Texas's 30-day cure period or Maryland's data minimization rules — should be layered on top of this foundation.

State Privacy Laws | 6 min read | May 2026

Virginia VCDPA: What Businesses Need to Know About Virginia's Consumer Data Protection Act

Virginia's Consumer Data Protection Act (VCDPA) took effect January 1, 2023, making Virginia the second state after California to enact a comprehensive privacy law. Here is what the VCDPA requires and how it compares to the CCPA.

Quick Answer

What does Virginia's VCDPA require?

The Virginia Consumer Data Protection Act (VCDPA) applies to businesses that either (1) control or process personal data of 100,000 or more Virginia consumers annually, or (2) control or process data of 25,000 or more consumers and derive over 50% of gross revenue from the sale of personal data. The VCDPA grants consumers rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising, data sales, and profiling for significant decisions. Controllers must conduct data protection assessments for high-risk processing, enter into contracts with processors, and provide a clear privacy notice. Unlike California's CCPA, the VCDPA has no private right of action — enforcement is solely by the Virginia AG, with a 30-day cure period before penalties apply. Penalties are up to $7,500 per violation.

State Privacy Laws | 6 min read | May 2026

Texas Data Privacy and Security Act (TDPSA): What Businesses Need to Know

The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024, making Texas one of the largest states to enact a comprehensive privacy law. With a broad applicability standard and no revenue threshold, the TDPSA covers a wide range of businesses operating in Texas.

Quick Answer

What does the Texas TDPSA require and who does it cover?

The Texas Data Privacy and Security Act (TDPSA) applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the U.S. Small Business Administration. Unlike most state privacy laws, the TDPSA does not have a specific consumer-count threshold — instead using the SBA small business definition as the exemption. The TDPSA grants consumers rights to access, correct, delete, and obtain a portable copy of their data, and to opt out of targeted advertising, data sales, and profiling for significant decisions. Sensitive data requires opt-in consent. Controllers must conduct data protection assessments for high-risk processing. Enforcement is by the Texas AG, with a 30-day cure period. Penalties are up to $7,500 per violation, with treble damages for intentional violations.

State Privacy Laws | 5 min read | May 2026

2025 State Privacy Law Updates: New Laws Taking Effect and What's Coming Next

The state privacy law landscape continues to expand rapidly. In 2025 alone, laws in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey took effect — and several more are scheduled for 2026 and 2027. Here is what businesses need to know about the latest developments.

Quick Answer

Which state privacy laws are new or taking effect in 2025 and 2026?

Several state privacy laws took effect in early 2025: Delaware's DPDPA (January 1, 2025), Iowa's ICDPA (January 1, 2025), Nebraska's NDPA (January 1, 2025), New Hampshire's NHPA (January 1, 2025), and New Jersey's NJDPA (January 15, 2025). Tennessee's TIPA (July 1, 2025) and the Minnesota Consumer Data Privacy Act (July 31, 2025) follow in mid-2025. Maryland's MODPA, one of the most stringent state laws, with a strict data minimization requirement and a prohibition on selling sensitive data, takes effect October 1, 2025. Indiana's IDCPA, Kentucky's KCDPA, and Rhode Island's RIDPA take effect January 1, 2026. Vermont's VDPA is scheduled for January 1, 2027. Additionally, several states including Illinois, Massachusetts, and Pennsylvania have active privacy legislation under consideration. The pace of state legislation is accelerating, making a unified compliance program increasingly important for multi-state businesses.

The 21+ State Privacy Law Landscape

A current overview of comprehensive state consumer privacy laws in effect or taking effect across the United States.

Sources: IAPP State Privacy Legislation Tracker; state legislative records. Last updated May 2025.

State / Law | Effective Date | Coverage Threshold | Private Right of Action | Cure Period
California (CCPA/CPRA) | Jan 1, 2020 / Jan 1, 2023 | $25M+ revenue OR 100K+ consumers OR 50%+ revenue from data sales | Yes (data breaches only) | Discretionary (CPPA)
Virginia (VCDPA) | Jan 1, 2023 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 30 days
Colorado (CPA) | Jul 1, 2023 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 60 days (expired Jan 2025)
Connecticut (CTDPA) | Jul 1, 2023 | 100K+ consumers OR 25K+ consumers + 25%+ revenue from data sales | No | 60 days (expired Jan 2025)
Utah (UCPA) | Dec 31, 2023 | $25M+ revenue AND (100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales) | No | 30 days
Texas (TDPSA) | Jul 1, 2024 | Any business operating in TX that is not an SBA-defined small business (no consumer-count threshold) | No | 30 days
Florida (FDBR) | Jul 1, 2024 | $1B+ revenue with specific data processing criteria | No | 30 days
Oregon (OCPA) | Jul 1, 2024 | 100K+ consumers OR 25K+ consumers + 25%+ revenue from data sales | No | 30 days (until Jan 2026)
Montana (MCDPA) | Oct 1, 2024 | 50K+ consumers OR 25K+ consumers + 25%+ revenue from data sales | No | 60 days
Delaware (DPDPA) | Jan 1, 2025 | 35K+ consumers OR 10K+ consumers + 20%+ revenue from data sales | No | 60 days
Iowa (ICDPA) | Jan 1, 2025 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 90 days
Nebraska (NDPA) | Jan 1, 2025 | Any business operating in NE that is not an SBA-defined small business (no consumer-count threshold) | No | 30 days
New Hampshire (NHPA) | Jan 1, 2025 | 35K+ consumers OR 10K+ consumers + 25%+ revenue from data sales | No | 60 days
New Jersey (NJDPA) | Jan 15, 2025 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 30 days
Tennessee (TIPA) | Jul 1, 2025 | $25M+ revenue AND (175K+ consumers OR 25K+ consumers + 50%+ revenue from data sales) | No | 60 days
Minnesota (MCDPA) | Jul 31, 2025 | 100K+ consumers OR 25K+ consumers + 25%+ revenue from data sales | No | 30 days
Maryland (MODPA) | Oct 1, 2025 | 35K+ consumers OR 10K+ consumers + 20%+ revenue from data sales | No | 60 days
Indiana (IDCPA) | Jan 1, 2026 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 30 days
Kentucky (KCDPA) | Jan 1, 2026 | 100K+ consumers OR 25K+ consumers + 50%+ revenue from data sales | No | 30 days
Rhode Island (RIDPA) | Jan 1, 2026 | 35K+ consumers OR 10K+ consumers + 20%+ revenue from data sales | No | 30 days
Vermont (VDPA) | Jan 1, 2027 | 25K+ consumers OR data sales as primary business activity | No | 60 days

GDPR vs. CCPA vs. SECURE Data Act

A comprehensive side-by-side comparison of the three most significant data privacy frameworks affecting U.S. businesses in 2025.

Sources: GDPR (Regulation (EU) 2016/679); CCPA (Cal. Civ. Code § 1798.100 et seq.); CPRA (Proposition 24, 2020); SECURE Data Act (H.R. 8413, 118th Congress). Last updated May 2025.

Feature | GDPR (EU) | CCPA/CPRA (CA) | SECURE Data Act (US)
Effective Date | May 25, 2018 | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA) | Proposed; not yet enacted
Jurisdiction | Any organization processing EU residents' data, regardless of location | California residents only | U.S. consumers (federal, nationwide)
Coverage Threshold | Any processing of EU personal data | $25M+ revenue OR 100K+ consumers OR 50%+ revenue from data sales | 200K+ consumers OR 100K+ consumers + 25%+ revenue from data sales
Small Business Exemption | Limited exemptions for small processors | Under $25M revenue (with exceptions) | Under $25M annual revenue
Consent Model | A lawful basis is required for all processing; where consent is the basis it must be opt-in | Opt-out for data sales; opt-in for minors under 16 | Opt-out for general data; opt-in for sensitive data categories
Sensitive Data | Special categories: health, biometric, genetic, racial or ethnic origin, religion, political opinions, sexual orientation | Sensitive PI: SSN, financial, health, biometric, precise geolocation, racial or ethnic origin, religion, sexual orientation | 11+ categories: health, biometric, genetic, geolocation (1,750 ft), financial, government IDs, racial origin, religion, sexual orientation, immigration status, data of minors under 16
Consumer Rights | Access, rectification, erasure, portability, restriction, objection, automated decision-making | Know, delete, opt-out of sale, non-discrimination, correct (CPRA), limit use of sensitive PI (CPRA) | Access, correction, deletion, portability
Response Timeframe | 1 month (extendable by 2 further months for complex requests) | 45 days (extendable to 90 days) | 45 days (extendable by 45 days for complex requests)
Data Protection Assessment | DPIA required for high-risk processing | Required under CPRA for certain processing activities | Required for sensitive data, targeted advertising, data sales, profiling with significant effects
Privacy Notice Required | Yes; at time of data collection | Yes; at or before point of collection | Yes; at or before point of collection; update within 30 days of material change
Privacy Officer Required | DPO required for certain controllers and processors | Not explicitly required | Privacy officer required for covered businesses
Breach Notification | 72 hours to supervisory authority; without undue delay to individuals | Varies; California breach notification law applies (most expedient time possible) | 72 hours to FTC for 500+ consumers; without unreasonable delay to individuals
Private Right of Action | Yes; individuals can sue for damages | Limited; data breaches only (Cal. Civ. Code § 1798.150) | No private right of action
Enforcement Authority | National Data Protection Authorities (DPAs) | California AG + California Privacy Protection Agency (CPPA) | FTC (primary) + State Attorneys General (concurrent)
Maximum Penalties | Up to 4% of global annual revenue or €20M (whichever is higher) | Up to $7,500 per intentional violation; $2,500 per unintentional violation | Up to $10,000 per violation per day for knowing or willful violations
Preemption Effect | N/A (EU regulation) | California state law only; does not preempt other state laws | Broad preemption of all state privacy laws upon enactment

Need definitions? Our Data Privacy Glossary explains key terms like GDPR, CCPA, data controller, sensitive data, and more in plain language.


Free Downloads

Downloadable Compliance Checklists

Practical, attorney-drafted checklists to help you assess and build your data privacy compliance program. Enter your email to receive any checklist instantly.

CCPA · CPRA

CCPA Compliance Checklist

A step-by-step checklist covering all CCPA/CPRA obligations: consumer rights infrastructure, privacy notice requirements, opt-out mechanisms, and vendor agreements.

Federal Privacy Law

SECURE Data Act Readiness Checklist

Assess your readiness for the proposed federal privacy law. Covers coverage thresholds, sensitive data protocols, consumer rights, and data protection assessments.

Multi-Law Audit

Data Privacy Audit Checklist

A comprehensive audit checklist for reviewing your data collection, processing, storage, and sharing practices against applicable privacy laws.

Startups

Startup Privacy Checklist

Essential privacy steps for early-stage startups: privacy policy, consent mechanisms, data minimization, and vendor DPA requirements.

Vendor Management

Vendor DPA Review Checklist

Key provisions to look for when reviewing data processing agreements with vendors, SaaS providers, and third-party processors.


Next Step

Know your risk before the law takes effect.