PRIVACY POLICY

Paragraph

Paragraph


Last Modified: 11-29-23 
Purpose 
Mane focus hair lounge 
(hereinafter “we,” “our,” “us”) is committed to protecting your privacy and maintaining a quality online experience for our website users. 
This Privacy Policy describes the type of personal information we may collect from you or that you may provide when you visit 
Www.manefocuslounge.com 
(hereinafter “Website”) and our practices for handling, storing, and 
protecting that information as well as your rights in relation to your personal information and how you can contact us and supervisory authorities in the event you have questions about how we handle your personal information. 
Privacy Policy Consent 
Please read this Privacy Policy carefully and in its entirety before using our Website. If you do not agree with our policies and practices regarding your personal information and how we will treat it, your choice is to not use our Website. Your use of our Website constitutes your voluntary acceptance to be bound by this Privacy Policy, whether you have read it or have had the opportunity to read it and have chosen not to. 
This Privacy Policy applies to the information we collect: 
• On this Website. 
• In email, text, and other electronic messages between you and this Website. • [If you also advertise, include the following:] When you interact with our advertising on third party websites and services, if that advertising includes links to this Privacy Policy. It does not apply to information that is collected by: 
• Us offline or through any other means, including on any other website operated by any third party (including our affiliates). 
• Any third party (including our affiliates) through any content (including advertising) that
may link to or be accessible from (or on) the Website. 
Children’s Online Privacy Protection Act (COPPA) 
This Website and any products and services offered herein are not intended for persons under the 
age of 18. 
We prohibit children under the age of 18 from using any and all interactive portions of this Website, including leaving any comments, filling out forms, or otherwise submitting information. A child’s parent or guardian should contact us if we have inadvertently collected any information or content from that child without the parent or guardian’s authorization, so that we may delete that information from our records. 
[COPPA imposes certain requirements on websites or online services directed at children under 13 years old, including the requirement that sites must require parental consent for the collection 
or use of any personal information from children. The General Data Protection Regulation (GDPR) requires parental consent for children under 16 years old. 
If your site is directed at children under 18 years old, you will need to contact an attorney in your local area to discuss revisions to this section] 
CAN-SPAM Act of 2003 
We have taken the necessary steps to ensure that we are in compliance with the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 and will not send misleading information. 
[The CAN-SPAM Act of 2003 sets forth requirements for your email marketing. It requires that you: 
1. Don’t use false or misleading header information in your “from” and “reply” to sections of your emails 
2. Don’t use deceptive subject lines 
3. Identify that your message is an ad 
4. Tell recipients where you’re located – by including a valid physical postal address 5. Tell recipients how to opt out from receiving future emails from you 
6. Promptly honor opt out requests (i.e., within 10 business days) 
Keep these requirements in mind in your email marketing campaigns!] 
Personal Information We Collect 
The type of personal information we collect depends on how you are interacting with us. We generally collect the following categories of personal information: 
• Contact information, such as first and last name, email address, postal address, phone number, and other similar contact data; 
• Records and copies of your correspondence (including email address) if you contact us; • Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website and we will use a third-party payment processor to process the payment. We do not collect your credit card or debit card number, expiration date, or pin number; 
• Comments, feedback, questions and other information you provide to us;
• Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website; • Information about your computer and internet connection, including your IP address, operating system, and browser type. [OR]; and 
[The CCPA and the California Privacy Rights Act (CPRA) apply to any for-profit business that does business in California and: 
• Has annual gross revenues that exceed $25 million; 
• Collects, buys, receives, sells, or shares the personal information of 100,000 or more consumers or households each year; OR 
• Derives 50% of its annual revenues from selling or sharing personal information. See the definitions for “sale” and “sharing” referenced below in the How We Use the Information/Lawful Bases section. 
The CPRA has defined “sensitive personal information” as follows: 
• Social Security, driver’s license numbers, state identification card, and passport numbers; • financial account, debit card, or credit card numbers in combination with required security or access codes, passwords, or credentials allowing access to an account; • account login in combination with required security or access codes, passwords, or credentials allowing access to the account; 
• precise geolocation (i.e., information used or intended to be used to locate a consumer within a geographic area equal to or less than approximately 1/8 square mile); • information about racial or ethnic origin, religious beliefs, philosophical beliefs, or union membership; 
• contents of consumers’ mail, emails, or text messages, unless the business is the intended recipient of that information; 
• genetic data; 
• the processing of biometric information for the purpose of uniquely identifying a consumer; and 
• information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation. 
If you process “sensitive personal information” and CCPA/CPRA apply to your business you must include the following:] 
Limit the Use of My Sensitive Personal Information Sources of Personal Information We collect personal information from you as follows: 
You provide personal information to us when you: 
• Subscribe to or purchase our products and/or services; 
• Complete a contact or information request form. [OR]; and 
We automatically collect personal information when you: 
• Visit, interact with, or use our Website; 
• Access, use, or download content from us; and 
• Open emails or click links in emails from us. [OR]; and 
We collect personal information for third party advertisers that use cookies on our Website to provide interest-based advertising. See the Interest Based Advertising section below.
How We Use the Information/Lawful Bases 
We process personal information about you on one or more of the following bases: • To perform a contract; 
• With your consent; 
• For our legitimate interests; 
• To comply with the law; 
• To protect someone’s life; and/or 
• Public task. 
We process personal information to: 
• Process and fulfill an order, download, subscription, or other transaction; • Carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection; 
• Respond to your requests, inquiries, comments, and concerns; 
• Notify you about changes to our Website or any products or services we offer or provide through it; 
• Send marketing emails; 
• Inform you of and administer promotions, contests, sweepstakes or surveys; • Help us address problems with and improve our Website; 
• Protect the security and integrity of our Website; 
• Contact you for other business reasons, if necessary; and 
• Provide online behavioral advertising. [OR]; and 
• [any additional reasons you process personal information] 
[The CCPA/CPRA define “sale” of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or their party for monetary of other valuable consideration.” 
The CPRA defines “sharing” as any disclosure of personal information (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, or in writing, or by electronic or other means) to third parties for cross-contextual behavioral advertising whether or not for monetary or other valuable consideration. IF CCPA/CPRA APPLY TO YOU AND IF YOU DO NOT SELL OR SHARE PERSONAL INFORMATION YOU COLLECT FROM CONSUMERS, INCLUDE THE FOLLOWING SENTENCE:] 
We will not sell or share your personal information and have not done so in the last 12 months. [OR] 
In the last 12 months I have sold the following categories of personal information: • Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers 
• Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
• Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age 
• Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies • Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data 
• Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement 
• Geolocation data 
• Audio, electronic, visual, thermal, olfactory, or similar information 
• Professional or employment-related information 
• Education information 
• Inferences 
We may transfer your personal information to a third party in the event of a bankruptcy, dissolution, merger, sale, acquisition, or change of control. 
We may transfer your personal information to a third party if we need to comply with our legal obligations, resolve disputes, and/or enforce our agreements. 
Use of Cookies 
“Cookies” are small text files that are placed on a computer or other device and used to identify the user or device and to collect information when you visit a website. Cookies may be set by the 
website you are visiting (also known as “first party cookies) or by third parties who provide advertising or analytics services on the website (also known as “third party cookies). We use cookies for several different purposes. 
[This Section should be revised to reflect what type of cookies you use, their purposes, a link to third parties who install cookies as well as a link to their opt out site. Cookies are typically assigned to one of four categories, depending on their function and intended purpose: absolutely 
necessary cookies, performance cookies, functional cookies, and cookies for marketing purposes. 
You’ll want to look into the cookies that you use on your website, including third-party cookies like Google Analytics, Google AdSense, Facebook Pixel, etc. so that you can disclose them here. 
You can visit the website for each optional third-party cookie that you use to obtain further information about the cookie’s function, what information it collects, and how your website user can opt out of it OR you can use a cookie tracking software that will scan your website and provide this information for you and you can hyperlink the resulting Cookies Policy here. Such software is helpful because if you use cookies that track personal information, you will need to make sure that you are first obtaining your website viewer’s consent before they are activated under the GDPR by using a cookie opt-in – and the software should provide it. If you will be hyperlinking your Cookies Policy, you can include this text with “Cookies Policy” hyperlinked, otherwise be sure to delete it:] Please see our Cookies Policy for more information. You can disable cookies through your web browser’s settings, but disabling this function may
diminish your experience on our Website as some features may not work as intended. [INCLUDE THE FOLLOWING SECTION ONLY IF YOUR WEBSITE PARTICIPATES IN INTEREST BASED ADVERTISING (I.E., ADVERTISING THAT SPECIFICALLY TARGETS A USER BASED ON THEIR ONLINE ACTIVITY, AKA “TARGETED ADS” AND “ONLINE BEHAVIORAL ADVERTISING”), SUCH AS GOOGLE ADWORDS. OTHERWISE OMIT IT:] 
Interest Based Advertising 
Our Website also allows third parties to collect certain personal information during your visit to the Website to provide interest-based advertising to you. 
Website users may opt out of online behavioral advertising by: 
• Going to their account privacy settings in their browser and turning off personalization; • Going to the Digital Advertising Alliance’s opt out tool, http://optout.aboutads.info; • Going to the Network Advertising Initiative’s opt out tool, 
https://www.networkadvertising.org/choices; or 
• Going to https://www.youronlinechoices.com/, if you’re based in the EU. 
Automated Decision-Making 
We use the personal information that we collect for automated decision-making (i.e., making a decision solely by automated means without any human involvement) if it is authorized by legislation, if you have provided explicit consent, or if it is necessary for entering into or performance of a contract. 
When using automated decision-making, we will provide you with further information about the logic involved, your right to obtain human intervention, the potential consequences of the processing, and your right to contest the automated decision. 
Profiling 
We use the personal information that we collect for profiling (i.e., automated processing of the information to evaluate certain personal aspects of a natural person to predict their behavior and make decisions regarding it) if it is authorized by legislation, if you have provided explicit consent, or if it is necessary for entering into or performance of a contract. When profiling, we will provide you with further information about the logic involved, your right to obtain human intervention, the potential consequences of the processing, and your right to contest the automated profile. 
“Do Not Track” (DNT) Signals 
Some browsers transmit Do Not Track (DNT) signals to websites. 
Due to the lack of a common interpretation of DNT signals throughout the industry, we do not currently alter, change, or respond to DNT requests or signals from these browsers. 
How the Information is Shared 
Depending on how you interact with us, we share information with our third-party service providers, agents and representatives, including, but not limited to, [1] eCommerce platform providers, payment processing providers, email service providers, IT service providers, security and software service providers, in order to process the information as necessary to complete a transaction, fulfill your request, or otherwise on our behalf based on our instructions and in
compliance with this Privacy Policy and any other appropriate confidentiality and security measures. 
We also will disclose your personal information if we have a good faith belief that such disclosure is necessary to: 
• meet any applicable law, regulation, legal process or other legal obligation; • detect, investigate and help prevent security, fraud or technical issues; and/or • protect the rights, property, or safety of us, our Website, our users, employees, or others. Our current third-party service providers include: 
• [2] vagaro.com 
[This Section should be revised to reflect exactly: 
• [1] What types of third-party service providers you use, and 
• [2] Who your current third-party service providers are 
Information Retention 
We retain your personal information for as long as necessary to fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting and preventing fraud and abuse, and enforcing our agreements, or until such time as you let us know you would like for us to delete it or unsubscribe from our marketing contacts. 
Passwords 
Certain features of our Website require the creation of a username and password. You are responsible for keeping your username and password confidential. We ask that you not share your username or password with anyone. We cannot and will not be liable for any loss or damage arising from your failure to protect your username or password. 
You agree to notify us immediately of any unauthorized use of your username or password or any other breach of security. 
Information Protection and Security 
Our Website uses commercially acceptable security measures to prevent your personal information from being lost, used, or accessed in an unauthorized way. We use a Secure Sockets 
Layer (SSL) certificate and [NOTE: VERIFY THAT THIS IS ACCURATE AND YOU HAVE THIS INSTALLED ON YOUR WEBSITE!] never transmit your credit card information via email. If you receive an email from us that appears to be a request for personal information, do not respond because it may be a phishing scam designed to steal your personal information. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. 
Should there be a data breach, we will notify you when we are legally required to do so. 
Your Rights to Control Your Information 
You can unsubscribe from our email newsletters or updates at any time through the unsubscribe links found in the communications you receive from us.
You can unsubscribe from our text message advertisements at any time by email Local data protection laws may give you rights with respect to personal information if you are located in or a resident of that country, state, or territory. 
THESE RIGHTS ARE NOT GUARANTEED AND IT IS IMPORTANT FOR YOU TO CONSULT YOUR LOCAL DATA PROTECTION LAWS TO DETERMINE WHAT RIGHTS MAY BE AVAILABLE TO YOU. 
These rights may include the following: 
Right May Apply To 
Right to disclosure/access (to know the 
personal information collected about you and 
request a copy) 
Residents of California, Colorado, 
Connecticut, Montana, Oregon, Texas, Utah, 
Virginia, Australia, Canada, the European 
Union and/or the European Economic Area, 
and the United Kingdom 
Right to correct/rectification (to have your 
inaccurate personal information corrected) 
Residents of California, Colorado, 
Connecticut, Montana, Oregon, Texas, 
Virginia, Canada, Australia, Quebec, the 
European Union and/or the European 
Economic Area, and the United Kingdom 
Right to erasure/deletion (to have all or 
some of your personal information deleted 
upon a verifiable request) 
Residents of California, Colorado, 
Connecticut, Montana, Texas, Oregon, Utah, 
Virginia, the European Union and/or the 
European Economic Area, and the United 
Kingdom 
Right to nondiscrimination (the right to 
equal service and price even if you exercise 
your rights) 
Residents of California, Montana, Oregon, 
Texas, and Virginia 
Right to obtain a specific list of third 
parties your personal information was 
shared with 
Residents of Oregon 
Right to opt out of sale of personal 
information 
Residents of California, Colorado, 
Connecticut, Montana, Nevada, Oregon,
Texas, Utah, and Virginia 
Right to opt out of use of personal 
information for the purposes of targeted advertising 
Residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia Right to opt of use of personal information for profiling 
Residents of Connecticut, Oregon, and Texas Right to opt out of use of personal 
information for profiling in furtherance of decisions that produce legal or similarly significant effects 
Residents of Colorado, Montana, and Virginia Right to limit use and disclosure of 
sensitive personal information 
Residents of California and Connecticut Right to data portability (to have your personal information transferred to you or a third party in machine-readable format, where technically feasible) 
Residents of Quebec, the European Union and/or the European Economic Area, and the United Kingdom 
Right to data portability (to have your personal information transferred to you in a readily-usable format that lets you transmit that information to a third party) 
Residents of California, Colorado, Montana, Oregon, Texas, Utah, and Virginia 
Right to data portability (to have your personal information transferred to you in a readily-usable format that lets you transmit that information to a third party where processing is carried out by automated means) Residents of Connecticut 
Right to withdraw consent (to withdraw your consent that we handle your personal information at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on your consent before its withdrawal) 
Residents of Canada, Quebec, the European Union and/or the European Economic Area,
and the United Kingdom 
Right to not identify yourself or of using a 
pseudonym 
Residents of Australia 
Right to restriction of processing (to limit 
the purposes that your personal information 
may be used for) 
Residents of the European Union and/or the 
European Economic Area, and the United 
Kingdom 
Right to object (to object to the processing of 
your personal information in cases where our 
processing is based on direct marketing) 
Residents of the European Union and/or the 
European Economic Area, and the United 
Kingdom 
Right to stop unwanted direct marketing Residents of the European Union and/or the European Economic Area, and Australia 
Right to complain (to lodge a complaint with 
competent authorities in the proper 
jurisdiction if you are not content with how 
we collect, share, and process your personal 
information) 
Residents of Canada, Australia, Quebec, the 
European Union and/or the European 
Economic Area, and the United Kingdom 
Right to appeal (a decision made regarding 
an exercise of rights) 
Residents of Montana, Oregon, and Texas 
These rights are not absolute and they do not always apply in all cases. We will honor your rights 
under applicable data protection laws. 
CALIFORNIA CIVIL CODE SECTION 1798.83 (“SHINE THE LIGHT LAW”) [As a note, businesses with less than 20 full time or part-time employees are exempt from the Shine the Light Law. See California Civil Code Section 1798.83(c)(1). If you fall within that exemption, you can delete this section dealing with the Shine the Light Law. If you do not fall within the exemption and have made disclosures of personal information to third parties who will use that personal information to solicit a purchase, rental, lease, or exchange of products directly 
to individuals by means of mail, telephone, or email then include this section.] California Civil Code Section 1798.83 or the “Shine the Light Law” permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, see the Contact Us section below.
Exercising Your Rights 
If you wish to exercise any of the rights specified above, please submit a request via email to: 
Please be sure to specify which right you want to exercise and provide us with enough information to verify your identity. If we cannot verify your identity, we may not be able to fulfill your request. 
We will respond to your request within 30-45 calendar days of receipt, depending on where you reside. We will notify you in writing via email if we need more time to respond. We may deny your request if certain exceptions in the law apply. We will provide you the reason(s) for denial in writing via email. 
You have the right to appeal our decision with respect to your request to exercise your rights. You may appeal the decision by emailing the address provided above in this section. We will respond to you appeal within 30-45 calendar days of receipt, depending on where you reside. We will notify you in writing via email if we need more time to respond. Use and Transfer of Your Information Out of the European Economic Area (EEA) or Canada 
This Website is operated in the United States and the third parties with whom we might share your personal information (as explained above) are also located in the United States or other countries located outside the EEA and Canada. 
If you are located outside of the United States, please be aware that any information you provide 
will be transferred to the United States. By using this Website and/or providing your information, you consent to this transfer. 
Contact Us 
If you have any questions, comments, complaints, or suggestions in relation to this Privacy Policy or our privacy practices, please contact us by using this web form: Www.manefocuslounge.comcalling this toll-free telephone number: 
7737990524 , or by email or postal mail: 
Yvonneschair@gmail.com 
Yvonne Comas 
1640 w divison st Chicago IL 60622 
[If you’ve appointed a Data Protection Officer under GDPR, be sure to include their contact details as well] 
Changes to this Privacy Policy 
The date this Privacy Policy was last revised is identified at the top of the page. It is our policy to post any changes we make to our Privacy Policy on this page. If we make any material changes to how we treat our Website users’ personal information, we will notify you of any such changes 
by email (if you have provided your email to us) and/or by a prominent notice displayed on our Website’s home page and updating the revised date of our Privacy Policy. We recommend that you check this Privacy Policy when you visit our Website to be sure that you are aware of our most current policy. 
Please also read our Terms and Conditions of Use. 
DATA PRIVACY LAW WHO IT APPLIES TO
Australia Privacy Act of 1988 Applies to business if website collects personal information of residents of Australia 
or Australian territories. 
California Consumer Privacy Act 
(CCPA)/California Privacy Rights Act 
(CPRA) 
SEE NOTES ABOVE IN TEMPLATE. 
Canada’s Personal Information Protection and 
Electronic Documents Act (PIPEDA) 
Applies to business if website collects the 
personal information of Canadians. 
Colorado Privacy Act (CPA) Applies to business if: 
• Conduct business in Colorado or produce 
or deliver commercial products or services 
that are intentionally targeted towards 
residents of Colorado; and 
• Satisfies one of the following thresholds: 
o Controls or processes the personal 
data of 100,000 or more Colorado 
consumers during a calendar year; 
or 
o Derives revenue or receives a 
discount on the price of goods or 
services from the sale of personal 
data and processes or controls the 
personal data of 25,000 or more 
Colorado consumers. 
Exempts airlines, public utilities, financial 
institutions, governmental entities in 
Colorado, entities covered by the Health 
Insurance Portability and Accountability Act 
(HIPAA), those collecting/processing data for 
Colorado health insurance law purposes, 
those collecting/processing data for, 
employment records purposes, those 
processing de-identified personal data, 
consumer reporting agencies, and higher 
education institutions. 
Connecticut SB6 Applies to business if: 
• Controlled or processes the personal data 
of 100,000 or more Connecticut residents; 
or 
• Controlled or processed the personal data 
of 25,000 or more residents of
Connecticut and derived more than 25% 
of their gross revenue from the sale of 
personal data. 
Exempts non-profits, higher education 
institutions, national securities associations, 
financial institutions and entities that need to 
comply with HIPAA. 
General Data Protection Regulation (GDPR) • Applies to business if it: • processes personal information as part of 
the activities of one of its branches 
established in the European Union, 
regardless of where the data is processed; 
or 
• is established outside the European Union 
and is offering goods or services (paid or 
for free) or is monitoring the behavior of 
individuals in the European Union. 
Montana Consumer Data Privacy Act 
(MCDPA) 
Applies to businesses in Montana or that 
produce products or services that are targeted 
to residents of Montana and meet one or more 
of the following factors: 
• Control or process the personal data of 
not less than 50,000 Montana 
residents (excluding personal data 
controlled or processed solely for 
completing payment transactions); or 
• Control or process the personal data of 
not less than 25,000 Montana 
residents and derive more than 25% of 
gross revenue from the sale of 
personal data. 
Exempts non-profits, higher education 
institutions, national securities associations, 
financial institutions and entities that need to 
comply with HIPAA. 
Nevada Revised Statutes Chapter 603A Applies if a person: • Owns and operates a website for 
business purposes; 
• Collects and maintains personal 
information from consumers who 
reside in Nevada and use the website; 
and
• Purposefully directs its activities 
towards Nevada, consummates a 
transaction with the State of Nevada 
or a resident of Nevada, purposefully 
avails itself of the privilege of 
conducting activities in Nevada or 
otherwise engages in any activity that 
constitutes sufficient nexus with 
Nevada to satisfy the requirements of 
the U.S. Constitution. 
Exempts those that live in Nevada if your 
revenue is derived primarily from a source 
other than selling goods, services or credit on your website; and your website has less than 20,000 unique visitors per year as well as 
financial institutions and entities that need to 
comply with HIPAA. 
Oregon SB619 Applies if person conducts business in Oregon or provides products or services to 
residents of Oregon and that, during a 
calendar year: 
• Processors or controls the personal 
data of 100,000 or more residents of 
Oregon; or 
• Processors or controls the personal 
data of 25,000 or more residents of 
Oregon and derives 25% or more of 
annual gross revenue from the sale of 
personal data; or 
• signed a contract for the processing of 
data with a company that does need to 
comply with this law. 
Exempts non-profits that are established to 
detect or prevent fraudulent acts in connection with insurance and non-profits that provide 
programming to radio or television networks. 
Quebec Law 25 Applies to business if persons collect, hold, use or share personal information in the 
course of carrying on an enterprise. 
“Enterprise” is defined as “the carrying on by 
one or more persons of an organized 
economic activity, whether or not it is 
commercial in nature, consisting of 
producing, administering or alienating
property, or providing a service.” 
Includes non-profits. 
Texas Data Privacy and Security Act 
(TDPSA) 
Applies if person conducts business in Texas or produces a product or service consumed by residents of Texas and that processes or 
engages in the sale of personal data. 
Exempts non-profits, small businesses, as 
defined by the United States Small Business Administration. The Small Business 
Administration defines “small business” as 
either an independent business with less than 500 employees or a business that makes under a certain amount of gross revenue per year. 
HOWEVER, small businesses may not 
engage in the sale of sensitive personal data without receiving prior consent from the 
consumer. 
United Kingdom’s Data Protection Act of 
2018 
Applies if business monitors the behavior of 
UK residents via interest-based advertising, 
use of cookies, etc. 
Utah Consumer Privacy Act (UCPA) Applies to business if: • Has annual revenue of $25,000,000 or 
more; and 
• Meets one of the following thresholds: 
o During a calendar year, controls or 
processes the personal data of 
100,000 or more Utah residents; or 
o Derives 50% or more of its annual 
gross revenue from the sale of 
personal data and controls or 
processes the personal data of 
25,000 or more Utah consumers. 
Exempts state agencies and other such 
political organizations, financial institutions, 
HIPAA-defined covered entities and their 
business associates, higher education 
institutions, non-profits, and air carriers. 
Virginia Consumer Data Protection Act 
(VCDPA) 
Applies to business if during a calendar year:
• control or process the personal data of at least 100,000 Virginia residents 
• control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data 
Exempts state agencies and other such political organizations, financial institutions, HIPAA-defined covered entities and their business associates, higher education institutions, and non-profits.