United States of America: Implemented Consumer Data Privacy Act (HF 4757) including data protection measures

On 31 July 2025, the Consumer Data Privacy Act (HF 4757) comes into effect. The Act is applicable to legal entities conducting business in the state or providing products or services aimed at state residents. Specifically, it will pertain to entities that, within a calendar year, either control or process the personal data of at least 100’000 consumers or derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25’000 consumers. Small businesses, as defined by the United States Small Business Administration, are exempt from the provisions of the Act. The Act grants users the right to request a list of specific third parties to which the controller has disclosed their personal data. Moreover, consumers will have the right to review and correct their personal data used in profiling. Additionally, a simple opt-out mechanism from data collection will be provided to consumers. Furthermore, providers are required not to retain personal data that is no longer relevant or reasonably necessary for the purposes for which it was collected and processed unless retention is mandated by law. Controllers are required to document and maintain a description of the policies and procedures adopted to comply with the Act. Finally, the Act prohibits controllers from processing personal data based on sensitive attributes such as race, ethnicity, religion, gender, or sexual orientation in a manner that unlawfully discriminates against consumers or classes of consumers regarding housing, employment, credit, education, or access to goods, services, facilities, privileges, advantages, or accommodations in any place of public accommodation.