Learn About State Laws Protecting Privacy Rights

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe some common state requirements for data breach notifications.
  • Describe the impact of CalOPPA on the use of website privacy notices.
  • Explain how Salesforce is committed to protecting customers’ data.


On top of the federal privacy statutes that protect specific types of data and specific industries across the United States, states have their own laws addressing privacy protection. Keeping track of differing state privacy laws can be tricky, especially when companies and customers frequently do business across state lines: organizations must know whose data they are collecting, where those data subjects reside, and therefore which state laws apply.


Notification Statutes in US States and Territories

Perhaps you have received an email or letter from a company informing you that your personal information was compromised in a security incident. What you may not know is that those letters are carefully crafted to satisfy the requirements imposed by over 50 different US jurisdictions.

Every US state except Alabama and South Dakota, as well as three US territories—Puerto Rico, Guam, and the Virgin Islands—require organizations that own or maintain personal information to notify individuals when certain data relating to them is accessed or acquired in an unauthorized way. Although they differ in some specific ways, these laws are generally all designed to help provide individuals with information to protect themselves after their personal information is exposed.

State laws differ on the specific data they cover, but they all protect residents’ sensitive information such as Social Security numbers, other government-issued ID numbers (for example, a driver’s license number), and financial account information. Some state laws also protect other data, such as email addresses and passwords, medical information, or biometric information.

Note that these state definitions are generally narrower than the definition of personal data under European laws. For more information about privacy laws in the European Union, see the European Union Privacy Law Basics module.

In addition to the requirement that businesses notify individuals if their personal information has been compromised, some states require that businesses notify a governmental agency, the state attorney general, or credit reporting agencies. The notice must conform to the specific requirements of each data subject’s resident state. For example, data subjects in California must receive a notice that contains specific headings, such as “What We Are Doing.” Notices to data subjects in Rhode Island must contain an explanation of how to request a security freeze.

Massachusetts: A Pioneer in Privacy Law

It’s great that businesses notify you when your personal information has been hacked, but you may be wondering, do they need to do anything to avoid such data breaches in the first place? The answer is yes.


In 2010, Massachusetts became one of the first states to require organizations to implement safeguards on the storage and use of its residents’ personal information. Specifically, the Massachusetts General Law Chapter 93H and its regulations require organizations to develop and implement a written, regularly audited plan specifically designed to protect consumers’ personal information. The plan must include technical, physical, and administrative safeguards, such as limiting the collection of data, restricting access to the data, and monitoring security hazards.

Other states followed suit and passed laws requiring organizations that collect, store, or use their residents’ personal information to take reasonable security measures to protect this data. These laws tend to be vague about the specific measures an organization must implement. That allows organizations some flexibility in their security plans based on their size, industry, and the changing technologies available.

California: Leading the Way

California is often the first jurisdiction to impose obligations on companies to protect the privacy of its residents. Given California’s size and the volume of business that connects to California residents, these obligations and protections frequently become standard practices nationwide.

The California Online Privacy Protection Act (CalOPPA)

For example, perhaps you have noticed that most websites and mobile apps have a link to a privacy policy that outlines how they collect, use, and share your personal information. California was the first state to require the conspicuous posting of such a policy by all commercial websites and online services that collect personally identifiable information from California consumers.

This law, the California Online Privacy Protection Act (CalOPPA), defines personally identifiable information to include all details collected about an individual visitor to the website—everything from name to hair color. So if your business runs a website that California residents visit, and you collect any personal information from those visitors, you must abide by CalOPPA.

Under CalOPPA, the posted privacy policy must list the categories of information the website collects, the third parties who may receive the information, and the process (if any) for the visitor to review and amend the information. The policy also must disclose how the website operator responds to Do Not Track requests and whether third parties may collect the visitors’ information. Any business failing to adhere to its own privacy policy faces civil liability under California’s Unfair Competition Law.

If you’d like to see an example of a privacy policy designed to comply with CalOPPA, scroll down to the bottom of this page (or any other Trailhead page) and click the link to the Salesforce Privacy Statement. 

The Shine the Light Act

California also led the way in the US in regulating the sharing of individuals’ personal information for marketing purposes. Under the Shine the Light Act, when a California resident requests it, for-profit companies must disclose any personal information they share with third parties, and who those third parties are. Businesses are exempt if they have a public privacy policy outlining customers’ privacy rights and allowing their customers to opt in or out of data sharing. A business that fails to respond properly to a customer’s request can be liable for civil damages if the failure was willful.


The Song-Beverly Credit Card Act

Have you ever been asked for your email address when checking out at a store? Or for your zip code when filling up your car? Another California law regulates questions like these: the Song-Beverly Credit Card Act, or Song-Beverly.

Under this law, retailers and other businesses cannot ask a customer for personal identification information during a credit card transaction. Personal identification information under the law consists of any information regarding the customer other than the information on the credit card.

The customer, the California attorney general, the district attorney, or the city attorney can sue a business violating Song-Beverly for a $250 penalty for the first violation and $1,000 for each subsequent violation. However, the business can avoid the fine if it shows the violation was unintentional and that the violation contravened the business’s policies.

So how can the store clerk ask for your email address or the gas pump require your zip code? A clerk can request your email only if it is clear to the customer that the sale is not contingent on the information. A gas-pump request for zip code falls into a specific exception carved out of Song-Beverly for use of zip codes at retail gas stations in order to prevent identity theft.

The California Consumer Privacy Act (CCPA)

Informally known as California’s version of the GDPR, the California Consumer Privacy Act (CCPA) is the state’s own all-inclusive privacy law, adopted in the EU’s footsteps. Effective January 1, 2020, it made California the first US state to roll out a comprehensive data protection regulation. Similar to the way the GDPR works, CCPA protects the data privacy rights of California residents and affects businesses that collect or use personal information of Californians (even if the business itself is not in California). Get to know more about CCPA through the California Consumer Privacy Act Basics module.

The Salesforce Commitment to Privacy

At Salesforce, trust is our #1 value, and we embody that value through our robust security and privacy programs, which are designed to help meet the highest standards in the industry.

Our services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards we use to protect our customers’ personal information. For some of our services, these certifications include:

  • The International Organization for Standardization (ISO) 27001 and 27018 standards
  • The American Institute of CPAs’ (AICPA) System and Organization Controls (SOC) reports
  • The Payment Card Industry Data Security Standards (PCI DSS)
  • The German Federal Office for Information Security BSI Cloud Computing Compliance Controls Catalogue (C5)
  • The UK Cyber Essentials Scheme

Certain services also have earned the TRUSTe Certified seal, signifying that the privacy certification organization TRUSTe reviewed our privacy practices and found them to be in compliance with their certification standards. 

[Image: logos of the Salesforce certifications listed above, plus the TRUSTe Certified Privacy seal]

Moreover, Salesforce offers customers a robust data processing addendum containing strong privacy commitments that few software companies can match. Salesforce also publishes Trust and Compliance documentation for each of our major services. This documentation describes the architecture of each service, the security- and privacy-related audits and certifications the service has received, and the applicable administrative, technical, and physical controls. The documentation also describes the infrastructure environment and entities material to our provision of services. 

The US’s sectoral approach to privacy law is a fragmented one, differing depending on industry, data type, and regulatory authority. However, don’t underestimate this patchwork of laws. In many cases they contain rigorous requirements, and violations of these laws can lead to substantial penalties and lawsuits. Compliance with all of these laws involves complex thought and knowledge about both the privacy laws themselves and about the business functions that such laws may affect.

