Data Privacy and Security: Protecting Your Customers and Your Brand

February 25, 2025

The landscape of data privacy in the United States has shifted dramatically, fueled by increasing concerns over the collection, use, and distribution of personal online and offline data. In the absence of a comprehensive federal privacy law, states have stepped up, enacting robust data privacy regulations to safeguard their residents. At present, over 20 states have introduced privacy laws, each designed to address specific local consumer protection priorities. These laws provide individuals with greater control over their personal online and offline data, including rights to access, correct, delete, and transfer data. As we move into 2025, businesses must navigate this patchwork of state-level laws to stay compliant while honoring consumer rights.
The drive for stronger data privacy protections stems from growing consumer demand for more control over their personal information, particularly sensitive data such as offline data, biometric data, and children’s information. State laws respond to these concerns by granting individuals the ability to opt out of data sales, limit data collection, and impose restrictions on how businesses use data for targeted advertising. As more laws take effect, businesses face mounting responsibilities to implement robust data privacy measures and regularly assess their data handling practices. Stirista is dedicated to upholding these laws and respecting the data privacy of the businesses we work with, as well as their customers. That’s why we’ve summarized some of the newer data privacy laws that you may need to follow!
CPRA (California Privacy Rights Act)
The CPRA is, at its core, an addition to the CCPA. It builds on the original law by enabling consumers to limit the sale and sharing of their personal information. It also allows consumers to exercise greater control over the use of their sensitive personal information by covered entities. As of January 1, 2023, businesses affected by CCPA will also have to follow these rules:
- Notify consumers that it sells personal information to third parties, and that consumers have the right to opt out
- Post a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of Sensitive Personal Information” link (or a clearly labeled link that combines both) on the homepage as well as any other page that collects users’ personal information
- Allow consumers to opt out of the sale and/or sharing of their personal information as well as limit the use of their sensitive personal information without creating an account
- Properly inform consumers of their right to opt out and provide the do not sell link in an online privacy policy or CPRA-specific description of rights
- Respect opt-out decisions for a minimum of 12 months before asking the consumer again to authorize the sale/sharing of personal information or use of sensitive personal information
- Provide adequate training to individuals responsible for handling consumer privacy rights inquiries and processing opt-out requests
It’s critical for identity resolution vendors to ensure they remain in compliance with these guidelines. This includes respecting consumer choices regarding opt-out and restricting the use of sensitive personal data. Identity resolution vendors and their expertise are key to managing this process effectively, helping businesses stay within legal boundaries while maintaining consumer trust. As identity resolution vendors continue to refine their practices, they must align their tools with CPRA requirements to guarantee the responsible handling of personal information.
Washington & Nevada’s Consumer Health Data Laws
Washington’s MHMDA and Nevada’s SB 370 (collectively, “CHD Laws”) went into effect as of March 31, 2024. They both limit what consumer health data companies can legally collect. This means that companies that operate in or serve consumers within these states and collect health data are obligated to do the following:
- Obtain consent for collecting and sharing health information that is not necessary to provide the product or service a consumer requested
- Provide individual rights of access, withdrawal of consent and deletion of any health data provided
- Refrain from geofencing around certain health facilities to identify or track consumers seeking health services
- Post a Consumer Health Privacy Policy on the homepage as well as any other page that collects users’ personal information
For businesses leveraging data enhancement, it is crucial to ensure that any enhancement efforts align with these legal requirements. Companies using data enhancement strategies must disclose how enhanced data is being used, ensuring that consumer consent is obtained and maintained. As part of compliance with the new laws, businesses should be mindful of how they incorporate data enhancement techniques into their operations without violating consumer privacy.
Tennessee Information Protection Act (TIPA)
The Tennessee Information Protection Act (TIPA) will take effect on July 1, 2025. It applies to businesses with annual revenues over $25 million that handle personal data of at least 100,000 Tennessee residents, or sensitive data of at least 25,000 residents. TIPA grants Tennessee residents rights similar to those in the CDPA and CPA, such as access, correction, and deletion of their data. This act also addresses the sale of personal data, requiring businesses to notify consumers when their data is sold. Additionally, TIPA includes protections for sensitive data, particularly children’s information, which may set a benchmark for other state privacy laws.
Stirista is dedicated to adhering to public policies and respecting all of our users’ data. Any data we collect is public or given consensually. What makes Stirista’s data unique is that it’s then fueled by our in-house ESP and DSP. No competing data organization has the level of detail on all data points that we do, nor the ability to update the data as quickly. We make sure you’re up to date with new data regulations because we take them seriously ourselves!