State Privacy Laws readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Maintain a comprehensive cross-state matrix of consumer privacy rights, ensuring organizational processes satisfy the access, deletion, correction, portability, opt-out, and appeal requirements of each applicable state law.
Requirements
- Cross-state comparison of right of access (all comprehensive privacy states)
- Right to deletion with state-specific exemptions mapped (all states)
- Right to correction recognized and operationalized (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Tennessee, Indiana)
- Data portability in machine-readable format (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware)
- Opt-out of sale of personal data (all states with comprehensive privacy laws)
- Opt-out of targeted advertising (all states; definitions vary)
- Opt-out of profiling with legally or similarly significant effects (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware)
- Right to appeal a controller's refusal with documented process (Virginia VCDPA, Colorado CPA, Connecticut CTDPA)
Evidence Examples
| Artifact | Owner | Frequency |
| Consumer rights matrix comparing right availability, timelines, and exemptions across all applicable states | Privacy Program Manager | Quarterly |
| State-by-state feature comparison documenting definitional differences for each right | Privacy Counsel | Semi-annually |
| Appeal process documentation including response templates and escalation procedures | Privacy Operations Lead | Annually reviewed |
| Consumer rights request log with state attribution, request type, response date, and outcome | Privacy Operations Lead | Ongoing |
Establish and maintain controller-processor contracts that satisfy the required provisions of each applicable state privacy law, covering confidentiality, instruction limitations, audit rights, and sub-processor management.
Requirements
- Controller-processor contracts with required provisions per state (all comprehensive privacy states mandate processor agreements)
- Duty of confidentiality binding processor personnel who handle personal data
- Processing limited to controller's documented instructions with prohibition on unauthorized processing
- Audit rights enabling controller to assess processor compliance
- Sub-processor restrictions requiring notice and approval before engaging sub-processors
- Data return or deletion obligations upon termination of the processing relationship
- Harmonized contract template covering all state requirements in a single instrument
Evidence Examples
| Artifact | Owner | Frequency |
| Harmonized DPA template with state-by-state clause matrix showing which provisions satisfy which statutes | Privacy Counsel | Annually reviewed |
| Executed DPA register listing all processors, effective dates, and state coverage | Vendor Management Lead | Quarterly |
| Processor inventory with processing activities, data categories, and jurisdictional applicability | Privacy Program Manager | Semi-annually |
Conduct and maintain data protection assessments for processing activities that trigger assessment requirements under applicable state privacy laws, including targeted advertising, sale of personal data, profiling, and sensitive data processing.
Requirements
- Data protection assessments required by Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and Oregon (OCPA) for specified high-risk processing activities
- Assessment triggers: targeted advertising, sale of personal data, profiling with risk of unfair or deceptive treatment, processing sensitive data, and processing presenting heightened risk of harm
- Assessment content must weigh benefits of processing against potential risks to consumer rights, with state-specific content variations
- Maintain completed assessment records available for attorney general inquiry (Virginia, Colorado, Connecticut, Texas)
- Reassess when processing activities materially change or new state law triggers apply
Evidence Examples
| Artifact | Owner | Frequency |
| PIA trigger matrix mapping processing activities to state-specific assessment requirements | Privacy Program Manager | Quarterly |
| Completed PIA templates with risk-benefit analysis, mitigation measures, and approval signatures | Privacy Counsel | Per triggered activity |
| PIA inventory log tracking all assessments, dates, outcomes, and reassessment schedules | Privacy Operations Lead | Ongoing |
| AG inquiry response package with redacted PIA summaries and privilege-protected materials | Privacy Counsel | As needed |
Implement technical mechanisms to detect and honor universal opt-out preference signals such as Global Privacy Control, as required by Colorado, Connecticut, Texas, Montana, Delaware, and Oregon, with fallback opt-out mechanisms for all applicable states.
Requirements
- Global Privacy Control (GPC) signal recognition and honoring as required by Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Montana (MCDPA), Delaware (DPDPA), and Oregon (OCPA)
- Browser-level opt-out preference signal detection implemented across all consumer-facing digital properties
- Technical integration mapping GPC signals to downstream processing restrictions (sale, targeted advertising)
- Fallback opt-out mechanisms (cookie preference center, web form, toll-free number) for states without universal signal requirements or for consumers not using GPC-enabled browsers
- Documentation of opt-out signal processing logic and consumer preference persistence
Evidence Examples
| Artifact | Owner | Frequency |
| GPC implementation documentation including signal detection code, downstream processing logic, and browser compatibility testing | Engineering Lead | Annually reviewed |
| Opt-out signal testing results showing correct detection and honoring across browsers and platforms | QA Lead | Quarterly |
| Preference management records showing consumer opt-out state and processing restriction enforcement | Privacy Operations Lead | Ongoing |
Identify, classify, and apply heightened protections to sensitive data categories as defined by each applicable state privacy law, ensuring opt-in consent and data protection assessments where required.
Requirements
- Cross-state mapping of sensitive data definitions (racial/ethnic origin, religious beliefs, health and mental health data, sexual orientation, citizenship/immigration status, genetic data, biometric data, children's data, precise geolocation, financial data)
- Opt-in consent before processing sensitive data categories (required by Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Tennessee, Indiana)
- Data protection assessment triggered by sensitive data processing in states requiring PIAs
- Sensitive data inventory identifying all systems, databases, and processes that collect or store sensitive categories
- Heightened access controls and security measures for sensitive data categories
Evidence Examples
| Artifact | Owner | Frequency |
| Sensitive data inventory mapping data categories to systems, storage locations, and applicable state definitions | Privacy Program Manager | Semi-annually |
| Opt-in consent records with timestamps, consent language, and state-specific consent mechanism documentation | Privacy Operations Lead | Ongoing |
| Data classification policy defining sensitive categories with cross-state definitional alignment | Privacy Counsel | Annually reviewed |
Ensure personal data collection is limited to what is adequate, relevant, and reasonably necessary for disclosed purposes, with secondary use restricted to compatible purposes across all applicable state jurisdictions.
Requirements
- Data collection limited to what is adequate, relevant, and reasonably necessary for the disclosed purpose (all comprehensive privacy states)
- Purpose limitation restricting processing to purposes disclosed in the privacy notice or purposes compatible with disclosed purposes
- Secondary use restrictions prohibiting repurposing personal data for materially different purposes without additional consumer notice and consent
- State-specific variations in strictness documented and operationalized (Colorado and Oregon apply stricter necessity standards)
- Data retention policies aligned with purpose limitation, requiring deletion or de-identification when purpose is fulfilled
Evidence Examples
| Artifact | Owner | Frequency |
| Data collection justification register documenting the necessity rationale for each data element collected | Privacy Program Manager | Semi-annually |
| Purpose documentation mapping each processing activity to its disclosed purpose and legal basis | Privacy Counsel | Annually reviewed |
| Data audit report reviewing collection practices against minimization and purpose limitation standards | Privacy Operations Lead | Annually |
Implement age-appropriate protections for children's and teen data processing, addressing state-specific age thresholds, opt-in consent requirements, and the interaction between state privacy laws and federal COPPA requirements.
Requirements
- State-specific age thresholds identified and operationalized (under-13 COPPA interaction, 13-16 for most state laws, 16-18 for targeted advertising in Connecticut and Delaware)
- Opt-in consent requirements for processing children's and teen data under applicable state laws
- Age verification mechanisms appropriate to the risk level and state requirements
- Interaction with federal COPPA requirements documented, with state laws applying additional obligations beyond COPPA's scope
- Prohibition on targeted advertising to known children and teens in states with age-specific ad restrictions
Evidence Examples
| Artifact | Owner | Frequency |
| Age verification implementation documentation including mechanism type, accuracy assessment, and state coverage | Engineering Lead | Annually reviewed |
| Consent mechanism documentation for children's and teen data with state-specific consent flows | Privacy Operations Lead | Semi-annually |
| Age-specific data handling policies defining processing restrictions by age bracket and state | Privacy Counsel | Annually reviewed |
Maintain compliance documentation and response procedures aligned with state-specific cure periods and attorney general enforcement frameworks, ensuring timely remediation and regulatory correspondence capabilities.
Requirements
- Cure period lengths mapped per state (30 days Virginia and Connecticut, 60 days Colorado and Texas, no mandatory cure in some newer laws)
- Attorney general enforcement authority recognized as the primary (and in most states, exclusive) enforcement mechanism
- No private right of action under most state comprehensive privacy laws (distinction from CCPA/CPRA)
- Penalty framework comparison documented across applicable states
- Cure period response procedures with documented remediation timelines and evidence of cure
- Compliance documentation maintained proactively for AG inquiry readiness
Evidence Examples
| Artifact | Owner | Frequency |
| Cure period response procedures including intake, triage, remediation workflow, and evidence-of-cure documentation | Privacy Counsel | Annually reviewed |
| AG correspondence records including inquiry responses, document productions, and resolution outcomes | Privacy Counsel | As needed |
| Compliance timeline documentation showing cure period tracking per state with remediation milestones | Privacy Operations Lead | Ongoing |
Comply with state-specific data broker registration requirements and attorney general notification obligations, maintaining current registrations, annual reports, and renewal calendars across all applicable jurisdictions.
Requirements
- Data broker registration in states requiring it (Vermont, California, Texas, Oregon)
- AG notification for processor activities where required by state law
- Annual reporting requirements completed on time where applicable
- Registration renewal and update procedures maintained with calendar tracking
- Determination of data broker status under each state's definition (definitions vary)
Evidence Examples
| Artifact | Owner | Frequency |
| Data broker registration records for each applicable state including registration numbers, filing dates, and renewal dates | Privacy Counsel | Annually |
| AG correspondence log tracking notifications, inquiries, and responses across all applicable states | Privacy Counsel | Ongoing |
| Annual report filings with copies of submitted reports and confirmation receipts | Privacy Program Manager | Annually |
| Registration renewal calendar with automated reminders and responsible-party assignments | Privacy Operations Lead | Ongoing |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v# Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.