Skip to content

Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations:

Jurisdictional criteria

California 2022

CCPA

California 2023

CPRA

Virginia 2023

VCDPA

Colorado 2023

CPA

Utah 2023

UCPA

Conn. 2023

CTDPA

Statute per se exempts organizations with revenue less than $25 million regardless of quantity of data if other eligibility thresholds are not met. [1]
Statute per se applies to organizations with more than $25 million regardless of quantity of data. [2] [3]
Statute applies to organizations that control or process data of 50,000 state residents.

[4]

 

Statute applies to organizations that control or process data of 100,000 state residents.

[5]

 

[6] [7] [8] [9] [10]
Statute exempts from computation data subjects whose information was used solely for completing payment transactions. [11]
Statute applies to organizations that derive any revenue from the sale of data (and process information from at least 25,000 state residents). [12]
Statute applies to organizations that derive 25% of their revenue from the sale of data (and process information from at least 25,000 state residents). [13] [14]
Statute applies to organizations that derive 50% of their revenue from the sale of data (and process information from at least 25,000 state residents).

[15]

(note no requirement to process 25,000 state residents)

[16] [17] [18] [19] [20]

[1] Utah Code Ann. § 13-61-102(1)(b) (2022).

[2] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020).

[3] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020).

[4] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[5] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[6] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).

[7] Va. Code 59.1-572(A) (2022).

[8] C.R.S. § 6-1-1304(b)(I).

[9] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).

[10] Connecticut Substitute Bill No. 6, § 2 (2022).

[11] Connecticut Substitute Bill No. 6, § 2 (2022).

[12] C.R.S. § 6-1-1304(b)(II) (2022).

[13] C.R.S. § 6-1-1304(b)(II) (2022).

[14] Connecticut Substitute Bill No. 6, § 2 (2022).

[15] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[16] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).

[17] Va. Code 59.1-572(A) (2022).

[18] C.R.S. § 6-1-1304(b)(II) (2022).

[19] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).

[20] Connecticut Substitute Bill No. 6, § 2 (2022).