npm - open-agreements - Versions diffs - 0.7.7 → 0.8.0 - Mend

open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/skills/legal-explainers/data-privacy-law-explainer/content/california.md ADDED Viewed

@@ -0,0 +1,107 @@
+---
+jurisdiction: "California"
+slug: california
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-03"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/california
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/california · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# California Consumer Privacy Law (CCPA/CPRA)[^about]
+California's Consumer Privacy Act, as amended by the CPRA, gives consumers rights over their personal information and imposes notice, privacy-policy, contracting, and security duties on businesses above defined thresholds — backed by CPPA and Attorney General enforcement and a narrow breach-only private right of action.
+## At a glance
+| Question | California |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If your business meets a CCPA threshold, you must post a CCPA-compliant privacy policy, honor consumer rights and opt-out signals, put statutory terms in your vendor contracts, and maintain reasonable security — or face CPPA/AG enforcement and, after a breach, consumer suits. |
+| **Main law** | Cal. Civ. Code § 1798.100 et seq. (CCPA, as amended by the CPRA) |
+| **Privacy policy required?** | Yes — an online privacy policy with statutorily fixed contents, updated at least every 12 months |
+| **Who does it cover?** | For-profit businesses doing business in California that meet a threshold — e.g., over $25,000,000 in annual gross revenue (CPI-adjusted to $26,625,000 for 2025–2026) |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Opt-out right or limits instead |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | Narrow — data breaches only (§ 1798.150) |
+| **Who enforces it?** | California Privacy Protection Agency (CPPA) and the Attorney General |
+## Does the CCPA apply to your business? {#does-ccpa-apply}
+**Short answer.** Only if you meet a threshold. The CCPA applies to a for-profit entity that does business in California, determines the purposes and means of processing consumers' personal information, and satisfies at least one statutory threshold — the most common being annual gross revenue over $25,000,000, a figure the CPPA adjusts for inflation (currently $26,625,000) [^stat-140-business].
+The revenue test is not the only trigger — the statute also reaches businesses that buy, sell, or share the personal information of 100,000 or more consumers or households, or that derive 50 percent or more of their annual revenue from selling or sharing personal information [^stat-140-business]. Meeting any one threshold brings the whole CCPA to bear.
+## What must your California privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A covered business must disclose its privacy practices in an online privacy policy and refresh that policy at least once every 12 months. The statute requires the policy to describe the consumer rights the CCPA grants and to give consumers two or more designated methods for submitting requests [^stat-130-policy]. Separately, at or before the point of collection, the business must give a notice at collection identifying the categories of personal information collected and the purposes for which they are used [^stat-100-notice].
+For a template privacy policy, that means the document is not a static disclaimer — it is a dated, annually-updated instrument that must, at minimum: (1) describe each consumer right under sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125; (2) list the categories of personal information collected, the sources, the business or commercial purposes, and the categories of third parties to whom information is disclosed or sold; and (3) state at least two methods for exercising rights. The notice at collection is a distinct, just-in-time disclosure given at the point of collection, not a substitute for the policy.
+The CPPA's implementing regulation spells out the same obligation in granular form: it enumerates exactly what the privacy policy must include, beginning with a comprehensive description of the business's information practices [^reg-7011-policy]. A template that maps each regulatory line item to a section of the policy is the most reliable way to demonstrate compliance.
+> [!NOTE]
+> **Practice note.**
+>
+> Treat the requirement to update the policy at least once every 12 months as a hard maintenance obligation, not a courtesy. A privacy policy whose last-reviewed date has gone stale is itself a compliance gap, independent of whether the underlying practices changed — the statute makes the annual refresh a standalone duty [^stat-130-policy].
+## What must your contracts with vendors and service providers say? {#vendor-contracts}
+**Short answer.** Whenever a business sells personal information to a third party, shares it, or discloses it to a service provider or contractor for a business purpose, the CCPA requires a written agreement with specific terms — most importantly that the information is disclosed only for limited and specified purposes and that the recipient is contractually bound to comply with the CCPA [^stat-100d-contracts].
+This is the provision that makes a data processing agreement a statutory requirement rather than a best practice. A recipient that lacks a compliant contract does not qualify as a service provider or contractor, which means the disclosure can be treated as a sale or a share — triggering opt-out rights and disclosure obligations the business may not have planned for. The implementing CPPA regulation supplies the specific clauses a compliant template DPA must carry — including identifying the limited and specified business purposes and barring generic, contract-wide descriptions [^reg-7051-contracts].
+## Can a consumer sue your business after a data breach? {#data-breach-lawsuits}
+**Short answer.** Yes, but only for a data breach. The CCPA's private right of action is narrow: it lets a consumer sue when nonencrypted, nonredacted personal information is exposed because the business failed to maintain reasonable security. Outside that breach scenario, the CCPA is enforced by the CPPA and the Attorney General, not by private plaintiffs [^stat-150-pra].
+There is no California appellate decision squarely defining the outer edges of this private right of action. The Ninth Circuit has, however, recognized that CCPA breach claims carry real settlement value: in reviewing a data-breach class settlement it noted the CCPA claims "potentially conferred statutory damages to the California subclass"[^cpk-9th] and were weighed in assessing the settlement’s adequacy [^cpk-9th]. For a business, the practical takeaway is that the litigation exposure is concentrated entirely at the security-failure-plus-breach boundary.
+## Do the new CPPA rules on AI, risk assessments, and cybersecurity audits apply to you? {#ai-cyber-risk-rules}
+**Short answer.** Possibly — and the deadlines are approaching. A 2025 CPPA rulemaking package, effective January 1, 2026, layered three new obligations on top of the base CCPA: risk assessments, annual cybersecurity audits, and rules governing automated decisionmaking technology (ADMT). Each reaches only businesses whose processing crosses a defined risk threshold, and the heaviest duties phase in on a staggered schedule rather than all at once [^reg-7200-admt].
+There are three thresholds to map against your operations. First, a risk assessment is required before you begin any processing that presents significant risk to privacy — which the regulation defines to include selling or sharing personal information, processing sensitive personal information, and using ADMT for a significant decision [^reg-7150-risk]. Second, an annual cybersecurity audit is required once your processing presents significant risk to security, with the first audit report due April 1, 2028 for the largest businesses and phasing in later for smaller ones [^reg-7120-cyber][^reg-7121-timing]. Third, if you use ADMT to make a significant decision about a consumer — in lending, housing, education, employment, or healthcare — you must reach compliance, including pre-use notices and opt-out and access rights, no later than January 1, 2027 [^reg-7200-admt].
+> [!NOTE]
+> **Practice note.**
+>
+> For a template privacy program, inventory now where automated tools drive significant decisions and where high-risk processing occurs. The documentation obligations are dated: ADMT compliance by January 1, 2027 and the first cybersecurity-audit reports and risk-assessment submissions from April 1, 2028 — so the records need to exist before those dates, not after [^reg-7121-timing].
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-03. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not California. This article synthesizes California primary law and is not legal advice from a California-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-140-business]: **Cal. Civ. Code § 1798.140** — "that does business in the State of California, and that satisfies one or more of the following thresholds: (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to subdivision (d) of Section 1798.199.95. (B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information." *Cal. Civ. Code § 1798.140(d)(1).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140>
+[^stat-130-policy]: **Cal. Civ. Code § 1798.130** — "Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:" *Cal. Civ. Code § 1798.130(a)(5).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130>
+[^stat-100-notice]: **Cal. Civ. Code § 1798.100** — "A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:" *Cal. Civ. Code § 1798.100(a).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100>
+[^reg-7011-policy]: **Cal. Code Regs. tit. 11, § 7011** — "The privacy policy shall include the following information:" *Cal. Code Regs. tit. 11, § 7011(e).* <https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf#page=13>
+[^stat-100d-contracts]: **Cal. Civ. Code § 1798.100(d)** — "A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:" *Cal. Civ. Code § 1798.100(d).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100>
+[^reg-7051-contracts]: **Cal. Code Regs. tit. 11, § 7051** — "Identify the specific business purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with the business, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified business purpose(s) set forth within the contract." *Cal. Code Regs. tit. 11, § 7051(a)(2).* <https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf#page=50>
+[^stat-150-pra]: **Cal. Civ. Code § 1798.150** — "Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action" *Cal. Civ. Code § 1798.150(a)(1).* <https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.150>
+[^cpk-9th]: **In re California Pizza Kitchen, Inc., 129 F.4th 667 (9th Cir. 2025)** — "The district court also considered the California Consumer Privacy Act (CCPA) claims—which potentially conferred statutory damages to the California subclass—in assessing the adequacy of the settlement." *In re California Pizza Kitchen, Inc., 129 F.4th 667 (9th Cir. 2025).* <https://www.courtlistener.com/opinion/10338139/in-re-aviva-kirsten-v-california-pizza-kitchen-inc/#:~:text=The%20district%20court%20also%20considered,the%20adequacy%20of%20the%20settlement.>
+[^reg-7200-admt]: **Cal. Code Regs. tit. 11, § 7200** — "A business that uses ADMT for a significant decision prior to January 1, 2027, must be in compliance with the requirements of this Article no later than January 1, 2027." *Cal. Code Regs. tit. 11, § 7200(b).* <https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf#page=112>
+[^reg-7150-risk]: **Cal. Code Regs. tit. 11, § 7150** — "Every business whose processing of consumers’ personal information presents significant risk to consumers’ privacy as set forth in subsection (b) must conduct a risk assessment before initiating that processing." *Cal. Code Regs. tit. 11, § 7150(a).* <https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf#page=100>
+[^reg-7120-cyber]: **Cal. Code Regs. tit. 11, § 7120** — "Every business whose processing of consumers’ personal information presents significant risk to consumers’ security as set forth in subsection (b) must complete a cybersecurity audit." *Cal. Code Regs. tit. 11, § 7120(a).* <https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf#page=88>
+[^reg-7121-timing]: **Cal. Code Regs. tit. 11, § 7121** — "April 1, 2028, if the business’s annual gross revenue for 2026 was more than one hundred million dollars ($100,000,000) as of January 1, 2027." *Cal. Code Regs. tit. 11, § 7121(a)(1).* <https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf#page=88>

package/skills/legal-explainers/data-privacy-law-explainer/content/colorado.md ADDED Viewed

@@ -0,0 +1,87 @@
+---
+jurisdiction: "Colorado"
+slug: colorado
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-04"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/colorado
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/colorado · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Colorado Consumer Privacy Law (CPA)[^about]
+The Colorado Privacy Act gives Colorado consumers rights over their personal data and imposes notice, universal-opt-out, contracting, and consent duties on controllers above defined thresholds — it reaches nonprofits, is enforced by the Attorney General and district attorneys, has no cure period, and provides no private right of action.
+## At a glance
+| Question | Colorado |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you do business in Colorado and meet the 100,000-consumer (or 25,000 plus data-sale) threshold — nonprofits included — the CPA requires a privacy notice, a universal opt-out mechanism, processor contracts, and consent to process sensitive data, enforced by the Attorney General with no consumer lawsuits and no cure period. |
+| **Main law** | Colo. Rev. Stat. §§ 6-1-1301 et seq. (Colorado Privacy Act) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Controllers doing business in Colorado (or targeting Coloradans) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving revenue from selling data — nonprofits included; no revenue floor |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — the statute bars any private right of action |
+| **Who enforces it?** | Colorado Attorney General and district attorneys |
+## Does the Colorado Privacy Act apply to your business? {#does-cpa-apply}
+**Short answer.** It depends on volume, not revenue — and unlike most states, nonprofits are not exempt. The CPA applies to a controller that does business in Colorado or targets Colorado residents and meets one of two thresholds: controlling or processing the personal data of 100,000 or more consumers in a year, or 25,000 or more consumers while deriving revenue (or a discount) from selling personal data [^stat-1304-apply].
+Two features make Colorado broader than the California or Texas models. First, there is no dollar revenue floor — the trigger is consumer-count plus a Colorado nexus. Second, the CPA reaches nonprofit organizations, which several other state privacy laws carve out entirely. As with the other state regimes, a consumer is a Colorado resident acting in an individual or household context, not an employee or a business contact, and entity- and data-level exemptions (for GLBA, HIPAA, and FCRA-regulated data, among others) still apply.
+## What must your Colorado privacy policy contain? {#privacy-policy-contents}
+**Short answer.** The CPA imposes a duty of transparency: a controller must give consumers a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes of processing, how to exercise and appeal consumer rights, the categories shared with third parties, and the categories of third parties [^stat-1308-notice].
+For a template privacy policy, treat section 6-1-1308 as the content checklist. Two Colorado specifics go beyond the baseline list. If you process personal data for targeted advertising or sell it, the policy must disclose that and provide a clear, conspicuous opt-out method both inside the notice and in a separate, readily accessible location [^stat-1308-optout-disclosure]. And processing sensitive data — or the personal data of a known child — requires consent, so the data practices the notice describes must line up with the consents the controller actually collects [^stat-1308-sensitive-consent].
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** Processing by a processor must be governed by a binding contract between the controller and the processor — so a data processing agreement is a statutory requirement. The contract must set out the processing instructions, including the nature and purpose of the processing [^stat-1305-contract].
+Section 6-1-1305 then enumerates the rest of the required terms: the types of personal data and the duration of processing; a duty to delete or return the data at the controller's direction; an obligation to make available the information needed to demonstrate compliance; and a right to reasonable audits (or, alternatively, an annual independent audit report) [^stat-1305-contract]. A compliant template DPA tracks each of these, and no contract can relieve either party of the liabilities the CPA assigns to its role.
+## Must you honor a universal opt-out signal? {#universal-opt-out}
+**Short answer.** Yes. This is where Colorado is stricter than many states: since July 1, 2024, a controller that processes personal data for targeted advertising or sells it must let consumers opt out through a user-selected universal opt-out mechanism that meets the technical specifications the Attorney General has adopted [^stat-1306-uoom].
+In practice that means honoring browser-level signals such as the Global Privacy Control, not just a website opt-out link — and the Attorney General maintains a public list of recognized mechanisms in the CPA Rules. The opt-out is one of a fuller set of consumer rights (access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling), to which a controller must respond within 45 days. A template privacy program should wire the universal-opt-out handling into its consent and preference logic, not bolt it on as a static link.
+## Can a consumer sue your business under the CPA? {#consumer-lawsuit}
+**Short answer.** No. The CPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it [^stat-1311-nopra]. Enforcement belongs exclusively to the Colorado Attorney General and district attorneys [^stat-1311-enforce].
+One Colorado wrinkle raises the stakes: the CPA's right-to-cure provision was repealed effective January 1, 2025, so a controller can no longer count on a guaranteed notice-and-cure window before an enforcement action. Violations are deceptive trade practices subject to the Colorado Consumer Protection Act's penalties. The compliance posture, then, is to build the privacy notice, opt-out, and contracting controls in advance rather than relying on a cure period that no longer exists.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-04. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Colorado. This article synthesizes Colorado primary law and is not legal advice from a Colorado-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-1304-apply]: **Colo. Rev. Stat. § 6-1-1304** — "this part 13 applies to a controller that: (a) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and (b) Satisfies one or both of the following thresholds:" *Colo. Rev. Stat. § 6-1-1304(1).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1308-notice]: **Colo. Rev. Stat. § 6-1-1308** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (I) The categories of personal data collected or processed by the controller or a processor; (II) The purposes for which the categories of personal data are processed; (III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request; (IV) The categories of personal data that the controller shares with third parties, if any; and (V) The categories of third parties, if any, with whom the controller shares personal data." *Colo. Rev. Stat. § 6-1-1308(1)(a).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1308-optout-disclosure]: **Colo. Rev. Stat. § 6-1-1308** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing." *Colo. Rev. Stat. § 6-1-1308(1)(b).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1308-sensitive-consent]: **Colo. Rev. Stat. § 6-1-1308** — "A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian." *Colo. Rev. Stat. § 6-1-1308(7).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1305-contract]: **Colo. Rev. Stat. § 6-1-1305** — "Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out: (a) The processing instructions to which the processor is bound, including the nature and purpose of the processing; (b) The type of personal data subject to the processing, and the duration of the processing; (c) The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and (d) The following requirements: (I) At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (II) (A) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and (B) The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request." *Colo. Rev. Stat. § 6-1-1305(5).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1306-uoom]: **Colo. Rev. Stat. § 6-1-1306** — "a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313." *Colo. Rev. Stat. § 6-1-1306(1)(a)(IV)(B).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1311-nopra]: **Colo. Rev. Stat. § 6-1-1311** — "nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law." *Colo. Rev. Stat. § 6-1-1311(1)(b).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>
+[^stat-1311-enforce]: **Colo. Rev. Stat. § 6-1-1311** — "the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13." *Colo. Rev. Stat. § 6-1-1311(1)(a).* <https://content.leg.colorado.gov/sites/default/files/images/olls/crs2024-title-06.pdf>

package/skills/legal-explainers/data-privacy-law-explainer/content/connecticut.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+jurisdiction: "Connecticut"
+slug: connecticut
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-04"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/connecticut
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/connecticut · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Connecticut Consumer Privacy Law (CTDPA)[^about]
+The Connecticut Data Privacy Act gives Connecticut consumers rights over their personal data and imposes notice, universal-opt-out, contracting, and consent duties on controllers above defined thresholds — it is enforced exclusively by the Attorney General, its cure period sunset at the end of 2024, and it provides no private right of action.
+## At a glance
+| Question | Connecticut |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 100,000-consumer (or 25,000 plus data-sale) threshold in Connecticut, the CTDPA requires a privacy notice, recognition of universal opt-out signals, processor contracts, and consent for sensitive data — enforced by the Attorney General, with no consumer lawsuits and a cure period that expired at the end of 2024. |
+| **Main law** | Conn. Gen. Stat. §§ 42-515 et seq. (Connecticut Data Privacy Act) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Connecticut (or targeting residents) that control or process the data of 100,000+ consumers a year, or 25,000+ while deriving 25%+ of gross revenue from selling data — no revenue floor; nonprofits exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — the statute bars any private right of action |
+| **Who enforces it?** | Connecticut Attorney General (exclusive) |
+## Does the Connecticut Data Privacy Act apply to your business? {#does-ctdpa-apply}
+**Short answer.** It depends on consumer volume, not revenue. The CTDPA applies to persons that do business in Connecticut or target its residents and, in the preceding year, controlled or processed the personal data of 100,000 or more consumers, or 25,000 or more while deriving more than 25% of gross revenue from selling personal data [^stat-516-apply].
+Like Colorado, Connecticut sets no dollar revenue floor — the trigger is a consumer-count plus a Connecticut nexus, and the 100,000-consumer count excludes data processed solely to complete a payment transaction. Unlike Colorado, Connecticut exempts nonprofit organizations, along with the usual entity- and data-level carve-outs for state agencies and GLBA-, HIPAA-, and FCRA-regulated data. A consumer is a Connecticut resident acting in an individual or household context, not an employee or business contact.
+## What must your Connecticut privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties [^stat-520-notice].
+For a template privacy policy, treat section 42-520 as the content checklist. Connecticut also requires data minimization (collection limited to what is adequate, relevant, and reasonably necessary) and consent before processing sensitive data, so the practices the notice describes must line up with the consents actually collected. If you sell personal data or process it for targeted advertising, the policy must clearly disclose that and how to opt out.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — making a data processing agreement a statutory requirement, not a best practice [^stat-521-contract].
+Section 42-521 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations [^stat-521-contract]. A compliant template DPA tracks each of these.
+## Must you honor a universal opt-out signal? {#universal-opt-out}
+**Short answer.** Yes. Since January 1, 2025, a controller must let consumers opt out of targeted advertising and the sale of their personal data through an opt-out preference signal — a browser- or device-level mechanism such as the Global Privacy Control — not just a website link [^stat-520-uoom].
+This puts Connecticut among the states (with California and Colorado) that require honoring universal opt-out signals. A template privacy program should wire opt-out-preference-signal handling into its consent and preference logic. The opt-out is part of a fuller set of consumer rights — access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling — to which a controller must respond within 45 days.
+## Can a consumer sue your business under the CTDPA? {#consumer-lawsuit}
+**Short answer.** No. The CTDPA states that nothing in it provides a basis for a private right of action, so consumers cannot sue under it [^stat-525-nopra]. Enforcement belongs to the Connecticut Attorney General, who treats violations as unfair trade practices.
+There is an important timing wrinkle: the CTDPA's mandatory right-to-cure ran only from July 1, 2023 through December 31, 2024 [^stat-525-cure]. Since the start of 2025, a cure is discretionary, not guaranteed — the Attorney General may, but need not, offer one. The compliance posture is to build the privacy notice, opt-out, and contracting controls up front rather than counting on a cure window that has lapsed.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-04. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Connecticut. This article synthesizes Connecticut primary law and is not legal advice from a Connecticut-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-516-apply]: **Conn. Gen. Stat. § 42-516** — "apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers" *Conn. Gen. Stat. § 42-516.* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-516>
+[^stat-520-notice]: **Conn. Gen. Stat. § 42-520** — "reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with which the controller shares personal data;" *Conn. Gen. Stat. § 42-520(c).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-520>
+[^stat-521-contract]: **Conn. Gen. Stat. § 42-521** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in sections 42-515 to 42-525 , inclusive; (4) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (5) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under sections 42-515 to 42-525 , inclusive, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request." *Conn. Gen. Stat. § 42-521(c).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-521>
+[^stat-520-uoom]: **Conn. Gen. Stat. § 42-520** — "Not later than January 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale." *Conn. Gen. Stat. § 42-520(e).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-520>
+[^stat-525-nopra]: **Conn. Gen. Stat. § 42-525** — "Nothing in sections 42-515 to 42-524 , inclusive, or section 42-526 , shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law." *Conn. Gen. Stat. § 42-525(d).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-525>
+[^stat-525-cure]: **Conn. Gen. Stat. § 42-525** — "During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524 , inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible." *Conn. Gen. Stat. § 42-525(b).* <https://www.cga.ct.gov/current/pub/chap_743jj.htm#sec_42-525>

package/skills/legal-explainers/data-privacy-law-explainer/content/delaware.md ADDED Viewed

@@ -0,0 +1,85 @@
+---
+jurisdiction: "Delaware"
+slug: delaware
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/delaware
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/delaware · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Delaware Consumer Privacy Law (DPDPA)[^about]
+The Delaware Personal Data Privacy Act gives Delaware residents rights over their personal data and imposes notice, contracting, and consent duties on controllers above unusually low thresholds — it reaches early-stage startups and most nonprofits, is enforced exclusively by the Delaware Department of Justice, and provides no private right of action.
+## At a glance
+| Question | Delaware |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you control or process the data of 35,000 Delaware residents (or 10,000 plus a fifth of revenue from selling data), the DPDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Department of Justice, whose temporary right-to-cure expired at the end of 2025, with no consumer lawsuits. |
+| **Main law** | Del. Code tit. 6 §§ 12D-101 et seq. (Delaware Personal Data Privacy Act) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Delaware (or targeting residents) that control or process the data of 35,000+ consumers a year, or 10,000+ while deriving more than 20% of gross revenue from selling data — no revenue floor, and only insurance-crime nonprofits are exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — enforcement belongs solely to the Delaware Department of Justice |
+| **Who enforces it?** | Delaware Department of Justice (exclusive) |
+## Does the Delaware Personal Data Privacy Act apply to your business? {#does-dpdpa-apply}
+**Short answer.** It turns on how many Delaware residents you reach, not how much money you make. The DPDPA applies to persons that do business in Delaware or target its residents and that, in the prior calendar year, controlled or processed the personal data of at least 35,000 consumers, or at least 10,000 consumers while deriving more than 20% of gross revenue from selling personal data [^stat-103-apply].
+The thresholds here are among the lowest in the country, and there is no dollar revenue floor — so an early-stage, pre-revenue startup that simply touches 35,000 Delaware residents is covered. Delaware is also unusually broad on nonprofits: rather than exempting them as a class, it carves out only a nonprofit dedicated exclusively to preventing and addressing insurance crime, so most charitable and trade organizations fall within the law. A consumer is a Delaware resident acting in a personal or household context, not an employee or a business-to-business contact. State agencies, GLBA-regulated financial institutions, and certain federally regulated data remain excluded.
+## What must your Delaware privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties, the categories of those third parties, and a way to contact the controller [^stat-106-notice].
+Section 12D-106(c) is the content checklist for a Delaware privacy policy. The DPDPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary — and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that practice and how to opt out. As of January 1, 2026, the opt-out mechanism must also honor a universal opt-out preference signal such as Global Privacy Control. The notice the policy presents should match the data practices the controller actually carries out.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A binding contract must govern any processor's handling of personal data on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice — and that contract must set out the processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties [^stat-107-contract].
+Section 12D-107(b) then layers in the required processor commitments: a duty of confidentiality for everyone handling the data, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, advance notice before engaging a subcontractor (which must be bound by written contract to the same obligations), and cooperation with reasonable assessments. A compliant template DPA tracks each of these.
+## Do you need consent to process sensitive data? {#sensitive-data}
+**Short answer.** Yes. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead obtain a parent's or guardian's consent and otherwise comply with Delaware's children's-data provisions [^stat-106-consent]. Sensitive data covers data revealing race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, transgender or nonbinary status, or citizenship or immigration status; genetic or biometric data; the personal data of a known child; and precise geolocation [^stat-102-sensitive].
+This is the opt-in model that the Virginia-family privacy laws share — consent must be a freely given, specific, informed, and unambiguous affirmative act, and it cannot be manufactured through buried terms of use or dark patterns. Delaware also goes further than some peers for teenagers: a controller cannot run targeted advertising on, or sell the data of, a consumer it knows to be at least 13 but under 18 without that consumer's consent.
+## Can a consumer sue your business under the DPDPA? {#consumer-lawsuit}
+**Short answer.** No. The DPDPA gives the Delaware Department of Justice exclusive enforcement authority and expressly forecloses any private right of action [^stat-111-enforce]. The law's right-to-cure was temporary: through the end of 2025 the Department had to issue a notice and allow 60 days to fix a curable violation, but that mandatory cure period applied only to the period ending December 31, 2025 [^stat-111-cure].
+Unlike Virginia's permanent cure period, Delaware's sunset on January 1, 2026. Since then, whether to offer a controller a chance to cure is left to the Department's discretion, weighed against factors such as the number of violations and the likelihood of injury to the public — so a covered business can no longer count on a guaranteed off-ramp. The practical posture is to build the notice, consent, and contracting controls up front rather than rely on a cure window that may not be offered.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Delaware. This article synthesizes Delaware primary law and is not legal advice from a Delaware-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-103-apply]: **Del. Code tit. 6 § 12D-103** — "This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following: (1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data." *Del. Code tit. 6 § 12D-103(a).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-106-notice]: **Del. Code tit. 6 § 12D-106** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following: (1) The categories of personal data processed by the controller. (2) The purpose for processing personal data. (3) How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request. (4) The categories of personal data that the controller shares with third parties, if any. (5) The categories of third parties with which the controller shares personal data, if any. (6) An active electronic mail address or other online mechanism that the consumer may use to contact the controller." *Del. Code tit. 6 § 12D-106(c).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-107-contract]: **Del. Code tit. 6 § 12D-107** — "A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties." *Del. Code tit. 6 § 12D-107(b).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-106-consent]: **Del. Code tit. 6 § 12D-106** — "Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with § 1204C of this title." *Del. Code tit. 6 § 12D-106(a)(4).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-102-sensitive]: **Del. Code tit. 6 § 12D-102** — "‘Sensitive data’ means personal data that includes any of the following: a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status. b. Genetic or biometric data. c. Personal data of a known child. d. Precise geolocation data." *Del. Code tit. 6 § 12D-102(30).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-111-enforce]: **Del. Code tit. 6 § 12D-111** — "Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law." *Del. Code tit. 6 § 12D-111(d).* <https://delcode.delaware.gov/title6/c012d/index.html>
+[^stat-111-cure]: **Del. Code tit. 6 § 12D-111** — "During the period beginning on January 1, 2025, and ending on December 31, 2025, the Department of Justice shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller if the Department of Justice determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Department of Justice may bring an enforcement proceeding pursuant to subsection (a) of this section." *Del. Code tit. 6 § 12D-111(b).* <https://delcode.delaware.gov/title6/c012d/index.html>