Are You Ready for The Latest U.S. State Consumer Privacy Laws?
Monday, December 2, 2024

Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026. Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, enterprises need to consider other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data that are not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] and laws, including parts of overall consumer privacy laws, that regulate data brokers.[4]

A recent article published by the authors in Competition Policy International’s TechReg Chronicle details the similarities and differences between the 20 state consumer privacy laws, and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Enterprises need to determine which of these laws apply to them, and how to reconcile the differences between the laws or adopt a high-water-mark approach. As enterprises prepare their annual privacy notice updates, a requirement under the California law, now is a good time to confirm what additional state laws will apply and ensure compliance with those that are, or will become in 2025, applicable. 2025 will also see the finalization of California’s data risk assessment, cybersecurity audit, and ADM/AI/profiling regulations, which will create complex operational and reporting requirements for businesses subject to the CCPA and for which companies should be budgeting and planning now.

For more information on becoming 2025-ready, contact the authors or your SPB relationship partner.

Table 1

| State Name and Link to Law | Consumer Privacy Law Title | Effective Date |
| --- | --- | --- |
| California | California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (collectively, CCPA) | Initial CCPA Effective Date: January 1, 2020; CPRA amendments Effective Date: January 1, 2023 |
| Colorado | Colorado Privacy Act (Colorado Law) | July 1, 2023 |
| Connecticut[5] | Connecticut Data Privacy and Online Monitoring Act (Connecticut Law) | July 1, 2023 |
| Delaware | Delaware Personal Data Privacy Act (Delaware Law) | January 1, 2025 |
| Florida | Florida Digital Bill of Rights (Florida Law) | July 1, 2024 |
| Indiana | Indiana Consumer Data Protection Act (Indiana Law) | January 1, 2026 |
| Iowa | Act Relating to Consumer Data Protection (Iowa Law) | January 1, 2025 |
| Kentucky | Kentucky Consumer Data Protection Act (Kentucky Law) | January 1, 2026 |
| Maryland | Maryland Online Data Privacy Act (Maryland Law) | October 1, 2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (Minnesota Law) | July 31, 2025* |
| Montana | Montana Consumer Data Privacy Act (Montana Law) | October 1, 2024 |
| Nebraska | Data Privacy Act (Nebraska Law) | January 1, 2025 |
| New Hampshire | Act Relative to the Expectation of Privacy (New Hampshire Law) | January 1, 2025 |
| New Jersey | Act Concerning Online Services, Consumers, and Personal Data (New Jersey Law) | January 15, 2025 |
| Oregon | Oregon Consumer Privacy Act (Oregon Law) | July 1, 2024 ** |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act (Rhode Island Law) | January 1, 2026 |
| Tennessee | Tennessee Information Protection Act (Tennessee Law) | July 1, 2025 |
| Texas | Texas Data Privacy and Security Act (Texas Law) | July 1, 2024 |
| Utah | Utah Consumer Privacy Act (Utah Law) | December 31, 2023 |
| Virginia | Virginia Consumer Data Protection Act (Virginia Law) | January 1, 2023 |

Table 2

| Law | Who is Covered? |
| --- | --- |
| CCPA / CPRA | For-profit “businesses” that meet thresholds, including affiliates, joint ventures, and partnerships that: (1) have a gross global annual revenue of > U.S. $25 million; (2) annually buy, sell, or “share” for cross-context behavioral advertising purposes PI of 100,000 or more California consumers or households; or (3) derive 50% or more of annual revenues from selling or “sharing” for cross-context behavioral advertising PI of California consumers. Non-profit exception from the term “Business.” |
| Virginia Law | Business entities, including for-profit and B-to-B entities, that conduct business in Virginia or produce products or services that target Virginia residents and, during a calendar year, either: (1) control or process personal data of at least 100,000 Virginia residents; or (2) derive 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Virginia residents. Full non-profit exception. |
| Colorado Law | Any legal entity that conducts business in Colorado or produces or delivers commercial products or services that intentionally target Colorado residents, and that satisfies one or both of the following: (1) during a calendar year, controls or processes personal data of 100,000 or more Colorado residents; or (2) both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents. |
| Utah Law | Controllers or processors who: (1) conduct business in Utah or produce a product or service targeted to Utah residents; (2) have annual revenue of U.S. $25 million or more; and (3) (a) control or process data of 100,000 or more Utah residents in a calendar year; or (b) derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents. Full non-profit exception. |
| Connecticut Law | Individuals and entities that do business in Connecticut or produce products or services that are targeted to Connecticut residents, that in the preceding year either: (1) controlled or processed the personal data of at least 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of gross annual revenue from the sale of personal data. |
| Iowa Law | Persons conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa and that, during a calendar year, either: (1) control or process personal data of at least 100,000 consumers; or (2) both control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Full non-profit exception. |
| Indiana Law | Persons that: (1) conduct business in Indiana or produce products or services that are targeted to Indiana residents; and (2) during a calendar year, (a) control or process the personal data of at least 100,000 consumers who are Indiana residents; or (b) control or process the personal data of at least 25,000 consumers who are Indiana residents and derive more than 50% of gross revenue from the sale of personal data. Full non-profit exception. |
| Tennessee Law | Persons that conduct business in Tennessee producing products or services that target Tennessee residents and that: (1) exceed $25 million in revenue; and (2) (a) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or (b) during a calendar year, control or process personal information of at least 175,000 consumers. Full non-profit exception. |
| Montana Law | Persons that: (1) conduct business in Montana or produce products or services that are targeted to Montana residents; and (2) (a) control or process the personal data of at least 50,000 consumers, excluding personal data collected or processed solely for the purpose of completing a payment transaction; or (b) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. Full non-profit exception. |
| Florida Law | (1) Controllers, which are defined as any sole proprietorship, partnership, LLC, corporation, association, or legal entity that meets the following requirements: (a) is organized or operated for the profit or financial benefit of its shareholders or owners; (b) conducts business in Florida; (c) collects personal data about consumers, or is the entity on behalf of which such information is collected; (d) determines the purposes and means of processing personal data about consumers or jointly with others; (e) makes in excess of $1 billion in global gross annual revenues; and (f) satisfies at least one of the following: (i) derives 50% or more of its global gross annual revenues from the sale of advertisements online, including targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-paragraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor manufacturer or a subsidiary or affiliate thereof; or (iii) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. (2) Any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means: (a) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a controller; (b) control in any manner the election of a majority of the directors, or of individuals exercising similar functions; or (c) the power to exercise a controlling influence over the management of a company. Full non-profit exception. |
| Texas Law | Persons that: (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the U.S. Small Business Administration. Full non-profit exception. |
| Oregon Law | Persons that: (1) conduct business in Oregon, or provide products or services to residents of Oregon; and (2) during a calendar year, control or process (a) the personal data of at least 100,000 consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) the personal data of at least 25,000 consumers, while deriving at least 25% of annual gross revenue from the sale of personal data. Limited non-profit exception. |
| Delaware Law | Persons that: (1) conduct business in Delaware or produce products or services that are targeted to Delaware residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Limited non-profit exception. |
| New Jersey Law | Controllers that: (1) conduct business in New Jersey or produce products or services that are targeted to New Jersey residents; and (2) during the calendar year did any of the following: (a) controlled or processed the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 25,000 consumers and derived revenue or received a discount on the price of any goods or services from the sale of personal data. |
| New Hampshire Law | Persons that: (1) conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents; and (2) during a one-year period did any of the following: (a) controlled or processed the personal data of at least 35,000 unique consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Full non-profit exception. |
| Kentucky Law | Persons that: (1) conduct business in Kentucky or produce products or services that are targeted to Kentucky residents; and (2) during a calendar year did any of the following: (a) controlled or processed the personal data of at least 100,000 consumers; or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 50% of their gross revenue from the sale of personal data. Full non-profit exception. |
| Maryland Law | Persons that: (1) conduct business in Maryland or produce products or services that are targeted to Maryland residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. Limited non-profit exception. |
| Nebraska Law | Persons that: (1) conduct business in Nebraska or produce products or services that are consumed by Nebraska residents; (2) process or engage in the sale of personal data; and (3) are not a small business, as determined by federal law. Full non-profit exception. |
| Rhode Island Law | For-profit entities that: (1) conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents; and (2) during the preceding calendar year did any of the following: (a) controlled or processed the personal data of at least 35,000 Rhode Island residents (excluding personal data processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 Rhode Island residents and derived more than 20% of their gross revenue from the sale of personal data. (Some sections of the law apply to any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island (or otherwise subject to Rhode Island jurisdiction) that collects, stores, and sells customers’ personal data.) Full non-profit exception. |
| Minnesota Law | Legal entities (subject to exclusions, such as most government entities) that: (1) during a calendar year, control or process the personal data of at least 100,000 consumers (excluding payments processing); or (2) derive over 25% of gross revenues from the sale of personal data and process the personal data of at least 25,000 consumers. Limited non-profit exception. |

Table 3

The following chart demonstrates the similarities and differences among current U.S. consumer privacy laws of general application, compares them to the GDPR and notes differences between the original CCPA and the current version amended by the California Privacy Rights Act (“CPRA”).

GDPR, CCPA, CPRA, Virginia Law & Colorado Law

  GDPR CCPA CPRA Virginia Law Colorado Law
Right to Access
Right to Confirm Personal Data is Being Processed Implied Implied
Right to Data Portability
Right to Delete[6]
Right to Correct / Right to Rectification X
Right to Opt-Out of Sale [7] [8] [17] [9] [17]
Right to Opt-Out of Targeted / Behavioral Advertising[10] X[11]
Right to Object or Opt-Out of ADM X [12] X [13]
Right to Opt-Out of Profiling[14] X
Choice Required for Processing of “Sensitive” Personal Data Opt-In X Opt-Out[15] Opt-In Opt-In
Right to Object to or Restrict Processing Generally X X X X
Required Opt-Out Links on Website or Elsewhere No Explicit Requirement DNS DNSell, DNShare, Sensitive PI Opt-Out[16] Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs
Right to Non-Discrimination[17] Implied
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations Implied
Privacy & Security Impact Assessments Sometimes Required X
“Reasonable” Security Obligation Implied
Notice at Collection Requirement (Statute + Regs) X X
Honor Universal Opt-out Signals X X X

Utah Law, Connecticut Law, Nevada Law, Iowa Law & Indiana Law

  Utah Law Connecticut Law Nevada Law Iowa Law Indiana Law[18]
Right to Access X
Right to Confirm Personal Data is Being Processed X
Right to Data Portability X
Right to Delete X
Right to Correct / Right to Rectification X X X
Right to Opt-Out of Sale [18] [17] [19] [18] [18]
Right to Opt-Out of Targeted / Behavioral Advertising X
Right to Object or Opt-Out of ADM X X X X X
Right to Opt-Out of Profiling X X X
Choice Required for Processing of “Sensitive” Personal Data Notice & Opp. to Opt-Out Opt-In X Notice & Opp. to Opt-Out Opt-In
Right to Object to or Restrict Processing Generally X X X X X
Required Opt-Out Links on Website or Elsewhere Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs None Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs
Right to Non-Discrimination X
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations X X X
Privacy and Security Impact Assessments Sometimes Required X X X
“Reasonable” Security Obligation
Notice at Collection Requirement X X X X X
Honor Universal Opt-out Signals X X X X

Tennessee Law, Montana Law, Florida Law, Texas Law & Oregon Law

  Tennessee Law Montana Law Florida Law[20] Texas Law Oregon Law[21]
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale [18] [17] [17] [17] [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADM X X X X X
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data Opt-In Opt-In Opt-In (with a right to opt out later) Opt-In Opt-In
Right to Object to or Restrict Processing Generally X X X X X
Required Opt-Out Links on Website or Elsewhere Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement X X X X X
Honor Universal Opt-out Signals X X

Delaware Law, New Jersey Law, New Hampshire Law, Kentucky Law & Minnesota Law

Delaware Law[22] New Jersey Law New Hampshire Law Kentucky Law Minnesota Law[23]
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale [17] [17] [17] [18] [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADM X X X X
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data Opt-In Opt-In Opt-In Opt-In Opt-In
Right to Object to or Restrict Processing Generally X X X X X
Required Opt-Out Links on Website or Elsewhere Targeted Ad & Sale Opt-Outs Targeted Ad, Sale & Profiling Opt-Outs Targeted Ad & Sale Opt-Outs None Not required, but noted as an approved method.
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement X X X X X
Honor Universal Opt-out Signals X

Maryland Law, Nebraska Law & Rhode Island Law

Maryland Law[24] Nebraska Law Rhode Island Law
Right to Access
Right to Confirm Personal Data is Being Processed
Right to Data Portability
Right to Delete
Right to Correct / Right to Rectification
Right to Opt-Out of Sale [17] [17] [17]
Right to Opt-Out of Targeted / Behavioral Advertising
Right to Object or Opt-Out of ADM X X X
Right to Opt-Out of Profiling
Choice Required for Processing of “Sensitive” Personal Data Only when strictly necessary, no sale allowed Opt-In Opt-In
Right to Object to or Restrict Processing Generally X X X
Required Opt-Out Links on Website or Elsewhere Targeted Ad & Sale Opt-Outs Targeted Ad & Sale Opt-Outs X
Right to Non-Discrimination
Specific Privacy Policy Content Requirements
Purpose, Use, and/or Retention Limitations
Privacy and Security Impact Assessments Sometimes Required
“Reasonable” Security Obligation
Notice at Collection Requirement X X X
Honor Universal Opt-out Signals X

[1] For example, Washington’s My Health My Data Act and a similar Nevada law. See https://www.privacyworld.blog/2024/04/are-you-ready-for-washington-and-nevadas-consumer-health-data-laws.

[2] For example, the California Age-Appropriate Design Code Act (“CA AADCA”). See https://www.privacyworld.blog/2023/10/california-attorney-general-appeals-federal-court-ruling-that-online-child-safety-act-is-likely-unconstitutional/ and https://www.privacyworld.blog/2023/07/texas-two-steps-into-the-childrens-privacy-dance-the-securing-children-online-through-parental-empowerment-act/. A 9th Circuit federal Court of Appeals decision has struck down the risk assessment and abatement provisions of CA AADCA, and laws making favored and disfavored content distinctions for minors face similar challenges. See https://www.privacyworld.blog/2024/08/are-data-practice-risk-assessments-at-risk-in-the-us/.

[3] For example, Colorado’s Artificial Intelligence (AI) law (C.R.S. 6-1-1701).

[4] A data broker is typically a controller that sells personal data that the controller did not collect directly from consumers. CA, NV, VT, OR and TX all regulate data brokers. VT and NV do not have broad consumer privacy laws and do so on a separate basis.

[5] The General Statutes of Connecticut are supplemented as of January 1, 2024 here.

[6] In California, Utah, and Iowa, deletion obligations are limited to PI collected from the consumer; under all other state consumer privacy laws, PI collected about the consumer is in scope of the deletion right.

[7] Selling personal data under the GDPR generally would require the consent of the data subject for collection and would be subject to the right to object to processing.

[8] Any consideration sufficient, but cash consideration not required.

[9] Cash consideration required.

[10] Right to opt-out of cross-context behavioral advertising sharing for California; right to opt-out of targeted advertising in all other state consumer privacy laws.

[11] However, certain data disclosures inherent in this type of advertising are arguably a “sale,” subject to opt-out rights. The CPRA Regulations combine the opt-out right for “sale” and “share.”

[12] Subject to substantial expansion under the CPRA Regulations. Based on preliminary rulemaking activities, it appears that the CPPA is contemplating a GDPR-like approach for ADM and profiling.

[13] Under the CPA Rules, if a consumer requests to opt out of human-involved automated processing, organizations can reject the request, but must inform the consumer of the rejection within 45 days and include the following information or link to such information: the decision subject to profiling, the categories of PI used, the logic used in the profiling process, the role of human involvement, how profiling is used in the decision-making process, benefits and potential consequences of the decision, and how consumers can correct or delete the data used in the profiling.

[14] The CPRA’s concept of profiling is subject to change under the regulations. The profiling concepts in the other 2023 state consumer privacy laws require legal or substantially similar effects.

[15] Under the CPRA, the Sensitive PI opt-out right applies to certain processing activities beyond business purposes. Section 7027 of the CA Regs includes contextual but not cross-context behavioral advertising.

[16] Businesses will be able to utilize “a single, clearly labeled link” to cover all opt-outs. The CA Regs permit titling the link “Your Privacy Choices” or “Your California Privacy Choices” plus an icon. It is not clear if organizations need to provide both sale/share and limit sensitive info opt-outs where they are not engaging in activities that necessitate both in order to use the alternative link. The former could work well to direct a consumer to the other state opt-outs too.

[17] The CCPA (and the CPRA) take a more onerous approach to non-discrimination with respect to financial incentives and price/service differences, requiring businesses to prove that they are reasonably related to the value of the consumer’s data to the business.

[18] Indiana Law also provides the right to obtain a copy or a representative summary of the consumer’s personal data provided to the controller.

[19] In Nevada, website and online service operators are required to offer an “opt-out,” but only for limited disclosures of certain information and only if the disclosure is made in exchange for monetary consideration.

[20] Florida Law also contains the rights to: (i) opt out of the collection or processing of sensitive data; and (ii) opt out of the collection of personal data through voice or facial recognition.

[21] Oregon Law also contains the right to obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data, OR any personal data (at the controller’s option).

[22] Delaware Law also provides the right to obtain a list of categories of third-party recipients of the consumer’s personal data, by category of personal data.

[23] Under the Minnesota Law, a consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.

[24] Maryland Law also provides the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data, OR a list of the categories of third parties to which the controller has disclosed any consumer’s personal data IF the controller does not maintain this information in a format specific to the consumer.
