United States of America: Implemented Consumer Data Protection Act (SF 262)

On 1 January 2025, the Consumer Data Protection Act -SF 262 was implemented. The Act outlines measures data controllers, and processors must implement when collecting and storing personal data. In particular, data controllers must adopt reasonable administrative, technical, and physical data security practices to safeguard personal data and refrain from processing sensitive data obtained from consumers for non-exempt purposes without clear notice and an opportunity to opt out. In addition, data controllers are required to provide consumers with transparent privacy notices disclosing whether they sell personal data to third parties or participate in targeted advertising. Finally, the Act provides consumers with the right to opt out of the sale of their data, defined as the "exchange of personal data for consideration by the data controller to a third party".