
U.S. State Data Privacy Laws

Last Updated: October 2023
* Please note, the title of this document has been revised from “CCPA” to “U.S. State Data Privacy Laws”

State Data Privacy Basics

Certain states have passed data protection statutes that are designed to enhance consumer data privacy protections. Where applicable, these state data privacy statutes apply to residents of the applicable state. Certain state laws will go into effect in 2024 or 2025.

  • California Consumer Privacy Act (as amended by the California Privacy Rights Act)
  • Colorado Privacy Act
  • Connecticut Personal Data Privacy and Online Monitoring Act
  • Delaware Personal Data Privacy Act
  • Indiana Consumer Protection Act
  • Iowa Data Protection Act
  • Montana Consumer Data Privacy Act
  • Oregon Consumer Privacy Act
  • Virginia Consumer Data Protection Act
  • Tennessee Information Protection Act
  • Texas Data Privacy and Security Act

How does Customer.io comply with US State Data Privacy Laws?

We understand that state data privacy laws continue to evolve. Each year, new states pass data protection laws or add or amend regulations applicable to current data protection laws. At Customer.io, we review our data collection and processing practices regularly. In addition, we:

  • Make our data protection addendum a part of every customer’s contract with Customer.io
  • Have a comprehensive written information security policy and program
  • Do not sell customer data
  • Share customer data with subprocessors, and ensure that our subprocessors contractually agree to comply with applicable data protection law
  • Undergo an annual SOC2 Type 2 audit of our controls related to confidentiality, security, availability and integrity
  • Have internal processes in place that allow us to respond to data subject requests

Data Processing Addendum

On an annual basis, we review and update our Data Processing Addendum to ensure that our legal agreements comply with applicable US state data protection laws. Customers do not need to request a DPA as our DPA is incorporated into each of our customer agreements.

How can you exercise your rights under state data privacy laws?

Each state may provide different data protection rights to its residents.

If you are a customer of ours (Customer.io) and you’d like to exercise your rights under state data protection laws, please review our Privacy Policy for details on how to contact us.

If you are a customer of one of our customers and are receiving messages via Customer.io’s platform, we cannot respond to your request directly. Please contact the company of which you are a direct customer.

We aim to help companies create better customer experiences with relevant communication, and that requires the fair and secure use of personal data that was given with full consent and transparency.

If you have any questions or concerns regarding security at Customer.io, please send a detailed message to compliance@customer.io.