Journal #0 May 29, 2026

State Privacy Rights

State-by-state consumer privacy rights for the StaycationGo platform.

State Privacy Rights

Last Updated: May 29, 2026

The following US states have enacted comprehensive consumer privacy laws that grant residents specific rights regarding their personal data. If you are a resident of any of these states, you may exercise the rights described below by contacting hello@staycationgo.com with the subject line "Privacy Rights Request."

Your Rights

Depending on your state, you may have some or all of the following rights:

Right to Know / Access. Request disclosure of the categories and specific pieces of personal data we have collected about you, the sources from which it was collected, the purposes of collection, and the third parties with whom we have shared it.

Right to Delete. Request deletion of your personal data, subject to certain legal exceptions (such as tax recordkeeping, fraud prevention, and ongoing legal obligations).

Right to Correct. Request correction of inaccurate personal data we hold about you.

Right to Opt Out of Sale or Sharing. Direct us to stop selling or sharing your personal data for purposes of targeted advertising. You can exercise this right by clicking "Do Not Sell or Share My Personal Information" in our website footer, enabling the Global Privacy Control (GPC) signal in your browser, or contacting us at hello@staycationgo.com.

Right to Limit Sensitive Data Use. Direct us to limit our use of sensitive personal data (such as precise geolocation, government ID numbers, and biometric data) to what is necessary to provide our services.

Right to Data Portability. Request a copy of your personal data in a portable, machine-readable format.

Right to Opt Out of Profiling. Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.

Right to Appeal. If we deny your request, you may appeal the decision. If your appeal is denied, we will provide information about how to file a complaint with your state's Attorney General or applicable regulator.

States with Comprehensive Privacy Laws

California (CCPA/CPRA, effective January 1, 2023). All rights listed above apply. California residents may also authorize an agent to submit requests on their behalf. The California Privacy Protection Agency (CPPA) oversees enforcement. Additional protections apply to residents under 16 years of age.

Colorado (CPA, effective July 1, 2023). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Universal opt-out mechanism (GPC) recognized.

Connecticut (CTDPA, effective July 1, 2023). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Universal opt-out mechanism (GPC) recognized.

Delaware (DPDPA, effective January 1, 2025). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Applies to controllers processing data of 35,000 or more residents. Universal opt-out mechanism recognized.

Indiana (INCDPA, effective January 1, 2026). Rights to know, delete, correct, opt out of sale/targeted advertising, and data portability. 60-day cure period for violations.

Iowa (ICDPA, effective January 1, 2025). Rights to know, delete, opt out of sale/targeted advertising, and data portability. No right to correct. 90-day cure period for violations.

Kentucky (KCDPA, effective January 1, 2026). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability.

Maryland (MODPA, effective October 1, 2025, with enforcement from April 1, 2026). All rights listed above apply. Maryland imposes the strictest data minimization standard: collection must be reasonably necessary and proportionate to provide the specific service requested. Sensitive data collection must be strictly necessary. Sale of sensitive data is prohibited entirely.

Minnesota (MCDPA, effective July 31, 2025). All rights listed above apply. Minnesota uniquely grants the right to question the results of profiling and receive a meaningful explanation. Universal opt-out mechanism recognized.

Montana (MCDPA, effective October 1, 2024). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Universal opt-out mechanism recognized.

Nebraska (NDPA, effective January 1, 2025). Rights to know, delete, correct, opt out of sale/targeted advertising, and data portability. Broad applicability with no revenue or data volume threshold.

New Hampshire (NHPA, effective January 1, 2025). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability.

New Jersey (NJDPA, effective January 15, 2025). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Financial account data with access codes is classified as sensitive data requiring opt-in consent. 15-day response deadline for opt-out requests. Penalties of $10,000 for first violations and $20,000 for subsequent violations.

Oregon (OCPA, effective July 1, 2024). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Oregon requires disclosure of specific named third parties (not just categories) receiving personal data. Sale of precise geolocation data (within 1,750 feet) is prohibited as of January 1, 2026.

Rhode Island (RIDTPPA, effective January 1, 2026). Rights to know, delete, correct, opt out of sale/targeted advertising, and data portability. Applies to all commercial websites serving Rhode Island residents regardless of data volume thresholds. Requires naming specific third parties receiving personal data. No cure period. Penalties of $10,000 per violation.

Tennessee (TIPA, effective July 1, 2025). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Affirmative defense available for controllers that maintain a privacy program substantially conforming to NIST Privacy Framework.

Texas (TDPSA, effective July 1, 2024). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability. Broadest applicability of any state: applies to all non-small-businesses with no revenue or data volume threshold. Universal opt-out mechanism recognized. Biometric data used for identity verification requires conspicuous disclosure in the privacy notice. The Texas Attorney General secured a settlement exceeding $1 billion against a major technology company in 2025.

Utah (UCPA, effective December 31, 2023). Rights to know, delete, opt out of sale/targeted advertising, and data portability. No right to correct. No right to appeal. The narrowest of all state privacy laws.

Virginia (VCDPA, effective January 1, 2023). Rights to know, delete, correct, opt out of sale/targeted advertising, opt out of profiling, and data portability.

How to Exercise Your Rights

Email hello@staycationgo.com with the subject line "Privacy Rights Request." Include your full name, the email address associated with your account or booking inquiry, your state of residence, and a description of the right you wish to exercise.

We acknowledge receipt within 10 business days and respond substantively within 45 days. If we need additional time, we will notify you of an extension of up to 45 additional days. New Jersey opt-out requests are processed within 15 days.

You may designate an authorized agent to submit requests on your behalf. The agent must provide written proof of authorization, and we may verify your identity directly.

Contact

Jeanna One Inc. d/b/a StaycationGo

12 San Miguel, Rolling Hills Estates, California 90274

hello@staycationgo.com

StaycationGo Journal