Privacy Policy Annex A
ANNEX A
to PJM Privacy Policy and Notice (Revised 04/2026)
A number of U.S. states have enacted laws regulating the collection, use and retention of Personal Information. At the time of the most recent revision of the PJM Privacy Policy and Notice, twenty (20) U.S. states have enacted comprehensive consumer data privacy laws, which are summarized below.
New Jersey
The New Jersey Data Privacy Act (NJDPA) provides New Jersey residents with comprehensive privacy protections against how companies collect and use their Personal Information. The law applies to entities that do business in the state and handle the Personal Information of at least 100,000 consumers per year, or at least 25,000 if the company also sells Personal Information. NJDPA took effect on Jan. 15, 2025.
The NJDPA protects the right of New Jersey consumers to:
- Confirm whether a controller processes their data;
- Correct inaccuracies in their Personal Information;
- Delete their Personal Information;
- Say "no" to (opt out of) a controller selling their Personal Information or using their Personal Information for targeted advertising and some types of profiling (for example, profiling to determine whether a consumer should receive a loan or mortgage, a job offer, or an insurance policy).
You can obtain detailed information regarding this Law from: https://www.njconsumeraffairs.gov/
California
California was the first state to enact comprehensive data privacy legislation via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA, which was signed into law on June 8, 2018, and went into effect on Jan. 1, 2020, establishes privacy rights and business requirements for collecting and selling Californians’ Personal Information. On Nov. 3, 2020, California voters approved the CPRA, which amended and expanded the CCPA. You can obtain detailed information regarding these Laws from: California Privacy Protection Agency, 400 R Street Suite 350, Sacramento, CA 95811; https://cppa.ca.gov/
Colorado
Colorado signed the Colorado Privacy Act (CPA) into law on June 8, 2021, and it became effective as of July 1, 2023. The CPA lays out five key rights for Colorado consumers:
- Right to access.
- Right to correction.
- Right to delete.
- Right to data portability.
- Right to opt out.
The CPA protects information that can be linked to an identifiable individual and excludes de-identified Personal Information and publicly available data.
You can obtain detailed information regarding this Law from: Office of the Attorney General, Colorado Department of Law 1300 Broadway, 10th Floor, Denver, CO 80203; https://coag.gov/resources/colorado-privacy-act/
Connecticut
The Connecticut Data Privacy Act (CTDPA), effective as of July 1, 2023, includes stronger data protections for children but follows a framework similar to that of its predecessors. You can obtain detailed information regarding this Law from: Office of the Attorney General, 165 Capitol Avenue, Hartford, CT 06106; Phone: 860.808.5440; Email: ag.breach@ct.gov
Delaware
Effective Jan. 1, 2025, the Delaware Personal Data Privacy Act adopted stronger privacy rights for consumers, such as heightening protections for children’s data, broadening definitions of sensitive data, and opt out rights regarding the processing of Personal Information for targeted advertising purposes. You can obtain detailed information regarding this Law from: Delaware Department of Justice, Carvel State Building, 20 N. French St., Wilmington, DE 19801; https://www.stateregstoday.com/living/cybersecurity/privacy-and-cybersecurity-laws-in-delaware#google_vignette
Florida
While Florida adopted many of the same provisions as other states’ comprehensive privacy laws, there is reasonable debate as to whether it is truly “comprehensive” in scope. Florida’s law only regulates companies that make more than $1 billion in gross annual revenues and derive more than half their revenue from online ads. Most provisions went into effect July 1, 2024.
The Florida Digital Bill of Rights tackles issues related to tech platforms, like addressing alleged censorship of conservative viewpoints. The law requires search engines, such as Google, to disclose if they prioritize results based on political ideology and prohibits government-mandated content moderation on social media.
You can obtain detailed information regarding this Law from: Florida Department of State, R.A. Gray Building, 500 South Bronough Street, Tallahassee, Florida 32399; https://dos.fl.gov/privacy-policy/
Indiana
The Indiana Consumer Data Protection Act regulates businesses that process the Personal Information of at least 100,000 Indiana residents, or ones that handle the information of at least 25,000 state consumers but derive more than 50% of their revenue from selling data. It will take effect on Jan. 1, 2026. You can obtain detailed information regarding this Law from: https://www.in.gov/mph/cdo/privacy/
Iowa
The Iowa Consumer Data Protection Act (ICDPA) is considered one of the most business-friendly privacy laws, which privacy advocates say results in weaker data protections. Iowa’s law, which went into effect on Jan. 1, 2025, does not grant consumers the right to delete or correct data collected by third parties. You can obtain detailed information regarding this Law from: https://www.stateregstoday.com/living/consumer-protection/data-privacy-and-security-in-iowa#google_vignette
Kentucky
The Kentucky Consumer Data Act (KCDPA) applies to entities that conduct business in the state or target residents and manage the Personal Information of at least 100,000 consumers per year. That threshold drops to 25,000 consumers if a business derives more than half its gross revenue from selling Personal Information. Businesses will have the opportunity to remedy violations within 30 days without penalty. Exemptions under the law include government entities, federally regulated financial institutions, and nonprofits. The law will go into effect Jan. 1, 2026. You can obtain detailed information regarding this Law from: https://www.kentucky.gov/policies/Pages/default.aspx
Maryland
The Maryland Online Data Privacy Act (MODPA) imposes more stringent privacy standards on businesses than similar laws in other states. Consumer advocates say language requiring a company to minimize the data it holds marks a departure from industry-supported measures elsewhere.
Maryland’s law applies to companies that handle the Personal Information of at least 35,000 residents per year, or 10,000 residents if more than 20% of the company’s revenue comes from selling Personal Information. Children will receive heightened data privacy protections, as will sensitive data related to a person’s religious beliefs, sexual orientation, immigration status, and other similar information. The law takes effect on Oct. 1, 2025.
You can obtain detailed information regarding this Law from: https://cpo.maryland.gov/
Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA) will give consumers protections similar to those in privacy laws in other states; however, it also allows consumers to question automated decisions made about them via profiling. Profiling is the use of Personal Information to evaluate or predict an individual’s health, interests, economic status, or other characteristics.
The law will take effect July 31, 2025, and cover companies that handle the Personal Information of at least 100,000 Minnesota consumers each year. That threshold will drop to 25,000 consumers if the company makes more than a quarter of its revenue from selling Personal Information. Companies that fall under the federal definition of a small business will be exempt.
You can obtain detailed information regarding this Law from: https://www.ag.state.mn.us/Data-Privacy/
Montana
Montana’s Consumer Data Privacy Act limits the collection of Personal Information to “adequate, relevant, and reasonably necessary” information. Residents have the right to opt out of or decline the sale of their Personal Information. This law went into effect Oct. 1, 2024.
You can obtain detailed information regarding this Law from: https://www.ag.state.mn.us/Data-Privacy/
New Hampshire
The New Hampshire Privacy Act (NHPA) applies to companies that handle the Personal Information of at least 35,000 state residents a year, or 10,000 if more than a quarter of their gross revenue comes from selling Personal Information. Consumers have the right to know what data a company collects and opt out of certain uses, such as targeted advertising. The law took effect Jan. 1, 2025.
You can obtain detailed information regarding this Law from: https://www.doj.nh.gov/data-privacy-enforcement
Nebraska
The Nebraska Data Privacy Act (NDPA) applies to companies that do business in the state or target its residents and also process or sell Personal Information. The law excludes federally defined small businesses and includes numerous exemptions, such as for federally regulated financial institutions. Residents have the right to request that businesses correct or delete their Personal Information. They can opt out of having their Personal Information sold or used for targeted advertising or profiling. The law took effect Jan. 1, 2025.
You can obtain detailed information regarding this Law from: https://protectthegoodlife.nebraska.gov/data-privacy-homepage
Oregon
The Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and Personal Information, and children’s data protections, and it doesn’t have the same exemptions found in other state privacy laws. OCPA has made Oregon the eleventh state to pass comprehensive privacy legislation – the sixth in 2023 – and the law took effect July 1, 2024. You can obtain detailed information regarding this Law from: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/privacy/
Rhode Island
The key consumer privacy protection laws in Rhode Island include the Identity Theft Protection Act (R.I.G.L. § 11-49.2), which requires businesses and government agencies to take certain precautions to protect personal information, and the Data Breach Notification law (R.I.G.L. § 11-49.3), which requires companies to notify individuals if their personal information is compromised in a data breach. Rhode Island’s privacy protections have drawn criticism from consumer advocates who argued they don’t meaningfully limit how companies collect or use Personal Information. Consumers will have the right to confirm what data a company collects, correct it, receive a copy, and opt out of certain uses. Companies must also secure consent before processing Sensitive Personal Information.
The attorney general will be the sole enforcer of the law, which doesn’t allow individuals to sue over violations. The law will take effect Jan. 1, 2026.
You can obtain detailed information regarding this Law from: https://www.stateregstoday.com/family/privacy/consumer-privacy-protection-in-rhode-island
Tennessee
Individuals are able to take legal action against companies in Tennessee for violating their privacy rights under the Tennessee Consumer Protection Act, and other state laws provide protections for individuals against data breaches and other privacy violations by companies. If a company is found to have violated an individual’s privacy rights, the individual may be able to file a lawsuit to seek damages and hold the company accountable. The Tennessee Information Protection Act enables consumers to confirm that a business has collected their Personal Information, obtain a copy of the information, and request that inaccuracies be corrected. This law makes Tennessee the eighth state to sign comprehensive data privacy legislation into law, and it became effective on July 1, 2025.
You can obtain detailed information regarding this Law from: https://www.stateregstoday.com/living/cybersecurity/privacy-and-cybersecurity-laws-in-tennessee
Texas
Effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) applies to large companies that do business in Texas or sell, collect, or process Personal Information. Small businesses are mostly exempt.
Key provisions of the TDPSA require controllers to:
- provide Texas residents with rights to access, delete, and correct their Personal Information
- allow Texas residents to opt out of the sale of their Personal Information and opt out of the processing of Personal Information for targeted advertising or for “profiling” purposes
- obtain consent to collect a consumer’s sensitive data, including data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Personal Information that are “appropriate” to the volume and nature of the Personal Information
- conduct data protection assessments for activities that involve targeted advertising, the selling of Personal Information, profiling, the processing of sensitive data, or that otherwise present a heightened risk of harm to consumers
- provide a specific notice for selling sensitive data
The TDPSA also imposes certain requirements on “processors” (a person or entity that processes Personal Information on behalf of a controller). Processors must, by contract, agree to assist controllers in meeting their obligations under the TDPSA.
Controllers subject to the TDPSA are required to disclose the following in their external-facing privacy policies: (1) the categories of personal data processed; (2) the purpose of the processing; (3) how consumers can exercise their rights; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with whom the controller shares personal data; and (6) whether the controller sells personal data or processes personal data for targeted advertising. Like Virginia and Colorado, the TDPSA focuses on "targeted advertising" rather than adopting the CPRA's concept of "sharing" personal data in the "cross context behavioral advertising" or CCBA context (sharing is not a defined term under the TDPSA). The TDPSA also requires controllers to specifically state whether they sell sensitive personal data or biometric data, requiring them to include one or both of the statements (as applicable):
- "NOTICE: We may sell your sensitive personal data."
- "NOTICE: We may sell your biometric personal data."
These disclosures must be posted in the privacy notice.
You can obtain detailed information regarding this Law from: https://classactionu.org/data-breach/state-data-privacy-laws/texas/
Utah
The current privacy and cybersecurity laws in Utah include the Utah Consumer Privacy Act (UCPA) and the Utah Data Breach Notification Law. These Laws aim to protect individuals and organizations by regulating the collection, use, and disclosure of personal information by businesses within the state. UCPA, which went into effect in 2020, requires businesses to provide transparency on the data they collect and allows individuals to access or delete their personal information. The Data Breach Notification Law mandates that businesses notify individuals in the event of a data breach involving sensitive personal information. Both of these Laws also provide penalties for non-compliance, with UCPA allowing individuals to sue companies for violations. Additionally, Utah has created the Office of Privacy and Data Protection to oversee compliance with these Laws and provide resources for businesses and consumers on data privacy and security practices.
You can obtain detailed information regarding these Laws from: Office of Data Privacy, 4315 South 2700 West, Taylorsville, UT 84129; officeofdataprivacy@utah.gov; https://www.stateregstoday.com/living/cybersecurity/privacy-and-cybersecurity-laws-in-utah
Virginia
On March 21, 2021, Virginia became the second state to pass comprehensive data privacy legislation, with the enactment of the Virginia Consumer Data Protection Act (VCDPA). The law went into effect on Jan. 1, 2023.
Under the VCDPA, businesses that collect or process personal information of Virginia residents must comply with specific regulations on data protection, privacy policies, and data breach notifications. The law also grants consumers the right to access, correct, and delete their personal information held by businesses.
You can obtain detailed information regarding this Law from: Virginia Attorney General’s Office, 202 N 9th St, Richmond, VA 23219; https://www.stateregstoday.com/living/cybersecurity/privacy-and-cybersecurity-laws-in-virginia
The EEA, Switzerland and the United Kingdom
Privacy rights for individuals in the European Economic Area are impacted by the General Data Protection Regulation (GDPR), for individuals in Switzerland by the Revised Swiss Federal Act on Data Protection, and for individuals in the United Kingdom by the UK General Data Protection Regulation.
Generally, the “Data Controller” for your Personal Information under these Laws is PJM. The owner of the Personal Information is the “Data Subject” or “you.”
Residents in these countries/member countries have the following data protection rights:
- Right to be Informed – through this Privacy Notice you are being informed about the collection and use of your Personal Information
- Right of Access – you have the right to ask us for a copy of your Personal Information
- Right of Rectification – you have the right to ask us to correct information you think is inaccurate or incomplete
- Right to Erasure (“the right to be forgotten”) – under certain circumstances, you have the right to ask us to delete your Personal Information
- Right to Restrict Processing – you have the right to limit the processing of your Personal Information
- Right to Data Portability – you have the right to ask that we transfer your Personal Information to another organization
- Right to Object – you have the right to object to the processing of your Personal Information
- Rights in Relation to Automated Processing and Profiling – you have the right not to be subject to solely automated decisions in the processing of your Personal Information
To the extent applicable, the EU’s General Data Protection Regulation provides further information about your rights. You also have the right to lodge complaints with your national or regional Data Protection Authority.
If you are inclined to exercise these rights, we request an opportunity to discuss with you any concerns you may have. To protect the Personal Information we hold, we may also request further information to verify your identity when exercising these rights. Upon a request to erase information, we will maintain a core set of Personal Information to ensure we do not contact you inadvertently in the future or subsequently add additional data about you during a periodic update. PJM may also need to retain some information for legal purposes, including U.S. IRS compliance. In the event of an actual or threatened legal claim, we may retain your information for purposes of establishing, defending against, or exercising our rights with respect to such claim.
If you provide information directly to PJM from the European Economic Area (EEA), Switzerland or the United Kingdom, you consent to the transfer of your Personal Information outside of the EEA to the United States. You understand that the current laws and regulations of the United States may not provide the same level of protection as the data and privacy laws and regulations of the EEA. You are under no statutory or contractual obligation to provide any Personal Information to us.
You can obtain detailed information regarding the GDPR from: https://factlineup.com/data-privacy-laws-in-european-union/
You can obtain detailed information regarding the UK General Data Protection Regulation from: https://www.gov.uk/data-protection
You can obtain detailed information regarding the (Swiss) Federal Act on Data Protection (FADP) from: https://www.kmu.admin.ch/kmu/en/home/facts-and-trends/digitization/data-protection/new-federal-act-on-data-protection-nfadp.html
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets the ground rules for how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. PIPEDA also applies to the personal information of employees of federally-regulated businesses.
You can obtain detailed information regarding this Law from: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/