Requires Risk Assessment - Some states require organizations to conduct risk assessments (or data protection assessments) in order to evaluate the benefits and any potential harms that may stem from running a particular business process or protocol. In addition, these businesses may be required to document their findings. An example of a business process could be your marketing function, which uses sensitive data to market. States that require a risk assessment require that you assess the privacy risks of running your marketing function.
Applies to Employee Data - At present, most state data privacy laws do not extend to employee data. One way in which California's legislation stands apart from other state-level legislation is by treating employee data akin to consumer data. This provides employees, contractors, and job applicants with the same privacy rights afforded to consumers.
Protects Consumers from Discrimination - Under this right, businesses may not discriminate against consumers who exercise the rights enshrined in data privacy law.
Provides Right to Appeal - If an organization denies a consumer’s request to exercise their data privacy right (for instance, if the request is covered by an exemption provided by the law), the consumer may appeal that decision. The business must therefore provide a way to appeal and respond to the appeal within a certain number of days.
Requires Consent to Process Sensitive Data - Many state data privacy laws require businesses to gain explicit consent from consumers before they process and use any of their sensitive data. The definition of “sensitive data” varies across states, with Virginia providing a baseline definition, and Oregon and Delaware providing a slightly broader definition by including transgender and nonbinary status.
Provides Right to Limit Use of Sensitive Info - California further differs from other states with data privacy laws by affording consumers the right to instruct organizations to cease using their sensitive information—also known as "sensitive data" in other states. However, there’s a limit to this right and instances in which it doesn’t apply, such as when a business requires sensitive data in order to fulfill orders or provide requested services.
Requires Opt-Out Signal Recognition - Some data privacy laws (like California's) include language requiring businesses to recognize opt-out preference signals (such as the Global Privacy Control [GPC]) that communicate a consumer’s preference to opt out of particular uses of their sensitive data. Although no state other than California currently requires businesses to recognize these signals due to enforcement delays, several will mandate this beginning March 29, 2024.