State Privacy Law Comparison

With 20+ states having enacted comprehensive privacy laws, businesses must navigate a complex patchwork of requirements. This comparison helps you understand the key differences and similarities between state privacy laws.

Consumer Rights Comparison

The following table compares core consumer rights across major state privacy laws:

| Right | CA (CPRA) | CO | CT | VA | UT | TX | OR |
|---|---|---|---|---|---|---|---|
| Right to Access | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Right to Delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Opt Out of Sale | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Opt Out of Targeted Ads | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to Opt Out of Profiling | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Sensitive Data Opt-In | Limit Use | Yes | Yes | Yes | No | Yes | Yes |
| Private Right of Action | Limited* | No | No | No | No | No | No |

*California's private right of action is limited to data breaches involving unencrypted personal information.

Applicability Thresholds

Different states have different thresholds for which businesses must comply:

| State | Revenue Threshold | Data Processing Threshold | Other Requirements |
|---|---|---|---|
| California | $25M annual revenue | 100,000 consumers/households | OR 50%+ revenue from selling data |
| Colorado | None | 100,000 consumers OR 25,000 w/ sale revenue | None |
| Connecticut | None | 100,000 consumers OR 25,000 w/ sale revenue | None |
| Virginia | None | 100,000 consumers OR 25,000 w/ sale revenue | None |
| Utah | $25M annual revenue | 100,000 consumers OR 25,000 w/ sale revenue | Both required |
| Texas | None* | None* | *Small business exemption applies |
| Oregon | None | 100,000 consumers OR 25,000 w/ sale revenue | Includes nonprofits |

Enforcement Comparison

| State | Enforcing Authority | Cure Period | Maximum Penalty |
|---|---|---|---|
| California | CPPA, Attorney General | None (expired Jan 2023) | $7,500 per intentional violation |
| Colorado | Attorney General | 60 days (until Jan 2025) | $20,000 per violation |
| Connecticut | Attorney General | 60 days (until Dec 2024) | $5,000 per violation |
| Virginia | Attorney General | 30 days | $7,500 per violation |
| Utah | Attorney General | 30 days | $7,500 per violation |
| Texas | Attorney General | 30 days | $7,500 per violation |
| Iowa | Attorney General | 90 days | $7,500 per violation |

Key Takeaways

Definition Variations Across States

Key terms have different meanings in different state laws:

Personal Information/Data

| State | Term Used | Key Differences |
|---|---|---|
| California | Personal Information | Broadest definition; includes household-level data and inferences |
| Virginia/Colorado | Personal Data | Linked to identified/identifiable natural person only |
| Utah | Personal Data | Excludes de-identified data and aggregate consumer information |

Sale vs. Sharing

Sensitive Personal Information Categories

States vary in what they consider "sensitive" data requiring heightened protection:

| Category | CA | CO | CT | VA | TX |
|---|---|---|---|---|---|
| Race/Ethnicity | Yes | Yes | Yes | Yes | Yes |
| Religious Beliefs | Yes | Yes | Yes | Yes | Yes |
| Health Information | Yes | Yes | Yes | Yes | Yes |
| Biometric Data | Yes | Yes | Yes | Yes | Yes |
| Precise Geolocation | Yes | Yes | Yes | Yes | Yes |
| Sexual Orientation | Yes | Yes | Yes | Yes | Yes |
| Genetic Data | Yes | Yes | Yes | Yes | Yes |
| Citizenship/Immigration | Yes | Yes | Yes | Yes | No |
| Known Child Data | No* | Yes | Yes | Yes | Yes |

*California addresses children's privacy through separate mechanisms including the Age-Appropriate Design Code Act.

Compliance Strategy for Multi-State Operations

Businesses operating across multiple states should consider these approaches:

Option 1: California-First Approach

Apply California CCPA/CPRA standards universally. Since California has the broadest requirements, compliance with CPRA typically covers other state laws. This simplifies operations but may be more restrictive than required in some states.

Option 2: State-Specific Approach

Implement different privacy practices based on consumer residence. More complex to manage but allows optimization for each jurisdiction. Requires robust systems for identifying consumer location.

Option 3: Unified Privacy Program

Develop a comprehensive privacy program that addresses the strictest requirements across all applicable states. Regularly update as new states enact laws and existing laws are amended.

Universal Opt-Out Mechanisms

Several states require businesses to honor universal opt-out signals:

Children's Privacy Considerations

State laws have varying approaches to minors' data:
