We recently updated our Privacy Policy Generator to cover 11 more data privacy laws:
These laws join the following legislation our generator and templates already cover:
Our generator now includes clauses and details to help businesses comply with 26 data privacy laws worldwide.
I’ll briefly describe each of the 11 laws, their enforcement date, and who they apply to.
Quick Summary of Termly’s Update: The 11 Laws
We’ve updated our Privacy Policy Generator to accommodate the 11 upcoming U.S. state-level data privacy laws described below.
You can add these laws to your policy by selecting them individually in a drop-down tab that appears when answering the questions asked by our Privacy Policy Generator.
Delaware Personal Data Privacy Act (DPDPA)
Enforcement Date: January 1, 2025
The DPDPA protects the personal information of individuals in the U.S. state of Delaware and requires the following details in a compliant privacy policy:
- The categories of personal data processed.
- The purpose for the processing.
- How consumers can exercise their rights and appeal the controller’s decisions regarding their requests.
- The categories of personal data shared with third parties, if any.
- The categories of the third parties the data is shared with, if any.
- An active email address or online mechanism consumers can use to contact the controller.
- A disclosure of whether the controller sells personal data or uses it for targeted advertising and how the consumer can opt out of these processing activities.
- One or more secure ways consumers can submit requests to exercise their rights.
- A link to your website within your privacy notice leading to a web page where consumers can opt out of targeted advertising and the sale of their data.
What Businesses It Applies To
According to Section 12D-103 of the DPDPA, businesses must comply with this law if they conduct business in the state or produce products or services that target residents and meet either of the following during a calendar year:
- Control or process the personal information of no less than 35,000 consumers (excluding personal information processed solely for completing payment transactions) or
- Control or process the personal data of no less than 10,000 consumers and derive more than 20% of your gross annual revenue from the sale of personal data.
Florida Digital Bill of Rights (FDBR)
Enforcement Date: July 1, 2024
The FDBR protects the personal data of people in Florida and obligates businesses to include the following information in a privacy policy:
- The categories of personal information and sensitive personal information processed.
- The purpose for processing the data.
- How consumers can exercise their rights and appeal a controller’s decisions based on their requests.
- The categories of personal data a controller shares with third parties, if any.
- The categories of third parties that the controller shares data with, if any.
- A description of the methods of how consumers can submit requests to exercise their rights.
What Businesses It Applies To
According to Section 6. Section 501.703, the FDBR applies to entities that do business in Florida or provide goods and services to state residents who meet Section 5. Section 501.702’s definition of a controller.
Businesses must be for-profit, make an excess of $1 billion in gross annual revenue, and meet one of the following additional conditions:
- Derive 50% or more of your revenue from selling ads online or
- Operate a smart speaker or voice command component service (but those connected to vehicles are exempt) or
- Operate an app store or digital platform that offers at least 250,000 different software applications.
Indiana Consumer Data Protection Act (Indiana CDPA)
Enforcement Date: January 1, 2026
The Indiana CDPA applies to the personal data of people in Indiana and requires businesses to include the following details in a privacy policy:
- The categories of personal data collected.
- The purpose for processing the personal data.
- How consumers can exercise their rights and appeal the controller’s decision regarding their request.
- The categories of data shared with third parties, if any.
- The categories of the third parties data is shared with, if any.
What Businesses It Applies To
According to Section 1 of the law, businesses must comply with the Indiana CDPA if they conduct business in Indiana or produce products or services targeted at state residents and, during a calendar year, meet either of the following:
- Controls or processes the personal data of at least 100,000 Indiana residents or
- Controls or processes the personal data of at least 25,000 Indiana residents and derives more than 50% of their gross annual revenue from the sale of personal data.
Iowa Consumer Data Protection Act (Iowa CDPA)
Enforcement Date: January 1, 2025
The Iowa CDPA protects the personal information of people in Iowa and requires businesses to present users with a privacy policy explaining the following:
- The categories of personal data processed.
- The purpose for processing the data.
- A description of how consumers can exercise their rights and appeal a controller’s decision.
- The categories of data shared with third parties, if any.
- The categories of the third parties data is shared with, if any.
- A disclosure of whether a business sells personal data to any third parties or engages in targeted advertising and how users can opt out of these activities.
- Establish and describe the secure, reliable means for consumers to submit requests to exercise their rights.
What Businesses It Applies To
According to the text of the Iowa CDPA, this law applies to entities that conduct business in Iowa or produce products and services targeted at residents of the state and meet either of the following thresholds during a calendar year:
- Controls or processes personal data of 100,000 or more consumers or
- Controls or processes personal data of at least 25,000 consumers and generates over 50% of their gross annual revenue from the sale of personal data.
Kentucky Consumer Data Protection Act (KCDPA)
Enforcement Date: January 1, 2026
The KCDPA protects the personal data of people in Kentucky and requires covered businesses to provide users with a privacy policy that explains:
- The categories of personal data processed.
- The purpose of the processing.
- How consumers can exercise their rights and appeal a controller’s decision regarding a request.
- The categories of personal data the controller shares with third parties.
- The categories of the third parties themselves.
- If the controller sells personal data to third parties or processes data for targeted advertising.
- Details about how consumers can exercise their right to opt out of such processing.
- One or more secure, reliable ways for consumers to submit requests to act on their rights.
What Businesses It Applies To
Businesses must comply with the KCDPA if they conduct business in or target products and services at residents of the state and meet one of the following during a calendar year:
- Processed and controls the personal data of at least 100,000 consumers or
- Processed and controls the personal data of at least 25,000 consumers and earns 50% of gross annual revenue from the sale of personal data.
Montana Consumer Data Privacy Act (MCDPA)
Enforcement Date: October 1, 2024
The MCDPA applies to the personal data of people in Montana and requires businesses to present consumers with a privacy notice that explains the following:
- The categories of personal data processed.
- The purpose of processing the data.
- The categories of personal data the controller shares with third parties, if any.
- The categories of the third parties the controller shares data with, if any.
- An email address or other mechanism consumers can use to contact the controller.
- A description of how consumers can exercise their rights, including how to appeal a controller’s decisions regarding their requests.
- Two or more ways consumers can submit requests to act on their data privacy rights.
What Businesses It Applies To
According to Section 3 of the law, businesses must comply with the MCDPA if they conduct business in Montana or produce products or services targeted to residents of the state and meet either of the following thresholds:
- Controls or processes the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction or
- Controls or processes the personal data of no less than 25,000 consumers and derives more than 25% of their gross annual revenue from the sale of personal data.
New Hampshire Data Privacy Law (SB 255)
Enforcement Date: January 1, 2025
The upcoming New Hampshire data privacy law protects the personal data of residents of the state and requires businesses to present users with a privacy policy that explains:
- The categories of personal data processed.
- The purposes for processing the data.
- How consumers can exercise their rights and appeal a controller’s decision regarding these requests.
- The categories of data shared with third parties, if any.
- The categories of third parties the data is shared with, if any.
- An active email address or other online mechanism the consumer can use to contact the controller.
- Whether you sell data to third parties or process data for targeted advertising.
- How the consumer can opt out of this type of data processing.
What Businesses It Applies To
Organizations that conduct business in New Hampshire or who produce products or services targeted to residents of the state that meet the following in a calendar year must comply with the law:
- Controls or processes the personal data of at least 35,000 unique consumers (excluding data processed solely to complete a payment transaction) or
- Controls or processes the personal data of no less than 10,000 unique consumers and derives more than 25% of their gross annual revenue from the sale of personal data.
New Jersey Data Privacy Act (NJDPA)
Enforcement Date: January 16, 2025
The NJDPA applies to the personal data of people in New Jersey and requires businesses to present users with a privacy notice explaining:
- The categories of personally identifiable information collected through the online service.
- The categories of all third parties the operator may disclose the information to.
- If the third party collects personally identifiable information over time across different online services.
- A description of how individuals can review or request to change their collected information.
- How the operator will notify users about changes to the privacy policy and an effective date.
- One or more methods consumers can use to submit verifiable requests to follow through on their privacy rights.
What Businesses It Applies To
According to the official version of the NJDPA, it applies to entities that conduct business in New Jersey or produce products and services targeted to residents of the state and who meet one of the following thresholds in a calendar year:
- Controls or processes the personal data of 100,000 individuals, not including data processed solely to complete a payment transaction or
- Controls or processes the personal data of at least 25,000 individuals and derives revenue from or receives a discount for selling the information.
Oregon Consumer Privacy Act (OCPA)
Enforcement Date: July 1, 2024
The OCPA protects the personal information of people in Oregon and obligates businesses to present users with a privacy policy informing them about the following details:
- The categories of personal data processed, including any sensitive data.
- The purpose for processing the information.
- An explanation of how consumers can exercise their rights and appeal a controller’s denial of those requests.
- A list of all categories of personal data shared with third parties, including sensitive data.
- A description of the categories of third parties you share personal data with.
- An active email address or online method consumers can use to contact the controller.
- Any business name the controller is registered with the Secretary of State and any assumed business names the controller uses.
- A description of any processing of personal data for targeted advertising or profiling by which a consumer may opt-out.
- A description of the methods established by the controller for consumers to submit requests to follow through on their rights.
What Businesses It Applies To
According to Section 2(1) of the OCPA, businesses must comply with this law if they conduct business in Oregon or provide products or services to residents of the state and meet either of the following within a calendar year:
- Controls or processes personal data of 100,000 or more consumers, excluding data controlled or processed solely to complete payment transactions or
- Controls or processes personal data of 25,000 or more consumers while deriving 25% or more of gross annual revenue from the sale of personal data.
Tennessee Information Protection Act (TIPA)
Enforcement Date: July 1, 2025
The TIPA protects the personal information of people in Tennessee and requires businesses to present users with a privacy policy that explains:
- What categories of personal information the controller processes.
- The purpose for processing the personal information.
- How they can exercise their rights, including how to appeal a controller’s decision regarding a request.
- The categories of personal information the controller shares with third parties, if any.
- The categories of third parties the controller shares the personal information with, if any.
What Businesses It Applies To
According to Section 2, Part 47-18-3202. Scope of the TIPA, it applies to entities that do business in Tennessee or produce products or services targeting residents of the state, earn more than $25 million in annual revenue, and either:
- Controls or processes the personal information of at least 25,000 Tennessee consumers and derives 50% of gross annual revenue from the sale of that information or
- Processes or controls the personal information of at least 175,000 Tennessee consumers during a calendar year.
Texas Data Privacy and Security Act (TDPSA)
Enforcement Date: July 1, 2024
The TDPSA applies to the personal data of people in Texas and obligates businesses to provide users with a privacy notice explaining the following information:
- The categories of personal data processed, including sensitive data.
- The purpose for processing the data.
- How consumers can exercise their rights and the process for appealing the decision.
- The categories of data shared with third parties, if any.
- The categories of the third parties data is shared with, if any.
- A description of how consumers can submit requests to exercise their rights.
What Businesses It Applies To
According to Section 541.002 of the TDPSA, businesses must comply with this law if they meet the following thresholds:
- Conducts business in Texas or produces goods or services consumed by residents of the state and
- Processes or sells personal data and
- Is not a small business as defined by the United States Small Business Administration (SBA) — i.e., companies with fewer than 500 employees — unless the business engages in the sale of sensitive personal data.
Termly Is Always Up To Date
Our mission is to help small and medium-sized businesses simplify compliance with data privacy laws, and we’re dedicated to staying up-to-date on new, upcoming, and evolving pieces of legislation.
Our legal team, product engineers, and privacy experts collaborate to make updates to our policy generators as needed to ensure we’re serving our users the products they need.
We inform our users about these updates by sending informative emails, creating press releases, and publishing support articles.
We promise to keep improving our offerings by incorporating other pieces of legislation as they enter into action.
Summary
Our Privacy Policy Generator can now help businesses meet the requirements of 26 different data privacy laws.
Expect this number to continue growing as new privacy laws are enacted around the world.
reviewed by Miljo Dragutinovic Content Manager