Advertising Law Tool Kit 13th Edition 2025

Venable Privacy and Data Security — State Privacy Laws

• Maintain mechanisms for consumers to submit rights requests, including new rights related to third-party disclosures and profiling. Certain state laws specifically require a link by which consumers can submit requests to opt out of sales of personal data or sharing for targeted advertising.
• Maintain processes for responding to consumer rights requests, with close attention paid to deadlines for responding to such requests under applicable laws.
• Develop or update contracts with vendors as required under applicable laws.
• Conduct employee training in your company on the current and forthcoming state privacy laws.
• Stay up to date on developments to help your business adapt to the evolving state data privacy landscape.

The CPRA established the California Privacy Protection Agency (CPPA), which is responsible for issuing implementing regulations and enforcing the CPRA, and state attorneys general have issued relevant guidance.

Even if they are not subject to comprehensive state privacy laws, businesses may have privacy- and security-related legal obligations. The below questions are critical for assessing your business’s corporate privacy and security practices. If you answer yes to any of the first ten questions or no to the last two, consider engaging experienced privacy counsel:

• Do you use information about customers for marketing or other purposes not related to the particular sale or transaction in which you collected the information?
• Do you knowingly sell personal data about consumers with whom you do not have a direct relationship?
• Do you collect and retain contact information from individuals when they interact with you?
• Do you ask visitors to your website to disclose their ages? Do you advertise to children online? Do you knowingly collect personal data from minors under the age of 18?
• Do you process information that may be considered “sensitive” under state laws? Do you process or retain credit card information? Do you process or retain health-related information?
• Do you have a privacy policy on your website or app? Is it outdated?
• Do you provide services to companies subject to omnibus state privacy laws?
• Do you conduct business with companies in the healthcare, financial services, video streaming, or telecommunications sectors? If so, do you process personal data about individuals when conducting business in these industries?
• Do you monitor your employees in the workplace?
• Do you collect, receive, or otherwise process personal data about customers, employees, vendors, or other individuals of Europe or other foreign jurisdictions? Do you transfer personal data about European individuals to other jurisdictions?
• Do you have an effective written security program designed to safeguard personal data with adequate technical, administrative, and physical protections? Do you conduct regular tests of your data security program and mitigate any vulnerabilities detected in such tests?
• Do you have an effective response plan in place for data security incidents?
