CCPA
Consumer Rights Disclosure
California Consumer Privacy Act (as amended by CPRA) requires businesses to provide a 'notice at collection' informing consumers about the categories of personal information collected, the purposes of collection, whether data is sold or shared, and retention periods. The absence of any privacy policy means no CCPA-mandated disclosures exist, including the required 'Do Not Sell or Share My Personal Information' link if applicable. Even passive collection of IP addresses and browsing data through server logs may trigger CCPA obligations if the business meets the applicability thresholds.
Recommendation: Determine whether CCPA applicability thresholds are met (annual gross revenue over $25M, data of 100,000+ consumers, or 50%+ revenue from selling/sharing data). If applicable, implement a notice at collection, provide a comprehensive privacy policy with all CCPA-required disclosures, and add a 'Do Not Sell or Share My Personal Information' link. Include categories of personal information collected, purposes, retention periods, and instructions for consumers to exercise their rights.
CCPA
Privacy Policy
California Consumer Privacy Act / California Privacy Rights Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
CPA
Privacy Policy
Colorado Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
CTDPA
Privacy Policy
Connecticut Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
DPDPA
Privacy Policy
Delaware Personal Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
GDPR
Privacy Policy
General Data Protection Regulation requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
GDPR
Privacy Policy
The website lacks a privacy policy entirely. Under GDPR Articles 13 and 14, data controllers must provide comprehensive information to data subjects about how their personal data is processed, including the identity of the controller, purposes of processing, legal basis, data retention periods, and data subject rights. Even if the site claims minimal data collection, server logs and IP addresses constitute personal data under GDPR, requiring transparency disclosures.
Recommendation: Publish a comprehensive privacy policy that includes: identity and contact details of the data controller, Data Protection Officer contact (if applicable), purposes and legal basis for processing, categories of personal data collected (including server logs and IP addresses), data retention periods, data subject rights (access, rectification, erasure, portability, objection), and information about any cross-border transfers. Ensure the policy is accessible from every page via a persistent footer link.
GDPR
Cross-Border Transfer
Without a privacy policy, there is no transparency about whether personal data (including IP addresses captured in server logs) is transferred outside the EEA. If the website is hosted on infrastructure outside the EU, or uses any third-party services with servers in non-adequate countries (e.g., the United States), GDPR Chapter V requires appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding corporate rules. The absence of any disclosure makes it impossible for EU data subjects to understand where their data flows.
Recommendation: Audit the hosting infrastructure and any third-party service providers to identify all international data transfers. Document the legal transfer mechanism for each (EU adequacy decision, SCCs, or other Article 46 derogation). Disclose all cross-border transfers in the privacy policy, including the destination countries and the safeguards in place. If relying on the EU-US Data Privacy Framework, ensure the receiving entities are certified.
ICDPA
Privacy Policy
Iowa Consumer Data Protection Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
INCDPA
Privacy Policy
Indiana Consumer Data Protection Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
KCDPA
Privacy Policy
Kentucky Consumer Data Protection Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
MCDPA
Privacy Policy
Montana Consumer Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
MNCDPA
Privacy Policy
Minnesota Consumer Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
MNCDPA
Data Protection Assessment
The Minnesota Consumer Data Privacy Act (MNCDPA) requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, profiling, sale of personal data, and processing of sensitive data. Similarly, GDPR requires Data Protection Impact Assessments (DPIAs) under Article 35. Without a privacy policy or documented compliance program, there is no evidence that such assessments have been conducted for any processing activities, even baseline processing such as server log collection.
Recommendation: Identify all processing activities and evaluate whether any trigger the data protection assessment requirements under MNCDPA, GDPR, and other applicable state laws. Conduct and document assessments for any high-risk processing. Even for low-risk activities, maintain internal documentation demonstrating that the assessment obligation was considered. Retain these assessments for review by regulators upon request, as required by multiple state laws.
MODPA
Privacy Policy
Maryland Online Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
MODPA
Data Minimization
The Maryland Online Data Privacy Act (MODPA) imposes stricter data minimization requirements than most US state privacy laws, prohibiting the collection of personal data beyond what is reasonably necessary and proportionate to provide the specific product or service requested by the consumer. MODPA also restricts the sale of sensitive data and has unique provisions around geofencing near healthcare facilities. Without any privacy disclosures, compliance with these heightened minimization obligations cannot be demonstrated.
Recommendation: Conduct a data inventory to identify all personal data collected (including passive collection via server logs). Document the necessity and proportionality of each data element collected relative to the service provided. Publish a privacy policy that clearly articulates the limited purposes for data collection and demonstrates compliance with MODPA's strict data minimization standard. Ensure no sensitive data is sold without explicit consent.
NDPA
Privacy Policy
Nebraska Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
NHPA
Privacy Policy
New Hampshire Privacy Act (SB 255) requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
NJDPA
Privacy Policy
New Jersey Data Privacy Act (SB 332) requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
NJDPA
Data Retention
The New Jersey Data Privacy Act, along with GDPR, CCPA/CPRA, and most modern state privacy laws, requires controllers to disclose data retention periods or the criteria used to determine retention. Without any privacy policy, there is no indication of how long personal data (including server logs containing IP addresses, access timestamps, and user agent strings) is retained. NJDPA specifically requires controllers to limit collection to what is adequate, relevant, and reasonably necessary, which inherently requires defined retention schedules. This gap is common across all 20 regulations checked.
Recommendation: Establish a formal data retention schedule that specifies how long each category of personal data is retained (e.g., server logs retained for 30-90 days, analytics data retained for 12 months). Document the justification for each retention period. Publish retention periods or the criteria for determining them in the privacy policy. Implement automated deletion processes to enforce the retention schedule and conduct periodic reviews.
OCPA
Privacy Policy
Oregon Consumer Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
OCPA
Children's Privacy
The Oregon Consumer Privacy Act (OCPA) provides heightened protections for children's data, requiring opt-in consent for processing personal data of consumers known to be between 13 and 15 years old. Additionally, COPPA applies to websites directed at children under 13. Without a privacy policy, there are no disclosures about whether the site is directed at children, whether age verification mechanisms are in place, or how children's data would be handled. Multiple state laws (CTDPA, NJDPA, MODPA, MNCDPA) also impose heightened obligations regarding minors' data.
Recommendation: Assess whether the website is directed at children or likely to be accessed by minors. If so, implement age verification or age-gating mechanisms. Include a dedicated children's privacy section in the privacy policy. If not directed at children, state this clearly. For compliance with OCPA and similar state laws, implement mechanisms to obtain opt-in consent before processing data of known minors aged 13-15, and ensure COPPA compliance for users under 13.
RIDPA
Privacy Policy
Rhode Island Data Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
TDPSA
Privacy Policy
Texas Data Privacy and Security Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
TIPA
Privacy Policy
Tennessee Information Protection Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
UCPA
Privacy Policy
Utah Consumer Privacy Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.
VCDPA
Privacy Policy
Virginia Consumer Data Protection Act requires a clear, accessible privacy policy. No privacy policy link was found on this page.
Recommendation: Create and publish a comprehensive privacy policy that covers data collection, usage, sharing, and user rights. Link it prominently in the footer of every page.