Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations:
Jurisdictional criteria |
California 2022 CCPA |
California 2023 CPRA |
Virginia 2023 VCDPA |
Colorado 2023 CPA |
Utah 2023 UCPA |
Conn. 2023 CTDPA |
Statute per se exempts organizations with revenue less than $25 million regardless of quantity of data if other eligibility thresholds are not met. | ✘ | ✘ | ✘ | ✘ | ✔[1] | ✘ |
Statute per se applies to organizations with more than $25 million regardless of quantity of data. | ✔[2] | ✔[3] | ✘ | ✘ | ✘ | ✘ |
Statute applies to organizations that control or process data of 50,000 state residents. |
✔[4]
|
✘ | ✘ | ✘ | ✘ | ✘ |
Statute applies to organizations that control or process data of 100,000 state residents. |
✔[5]
|
✔[6] | ✔[7] | ✔[8] | ✔[9] | ✔[10] |
Statute exempts from computation data subjects whose information was used solely for completing payment transactions. | ✘ | ✘ | ✘ | ✘ | ✘ | ✔[11] |
Statute applies to organizations that derive any revenue from the sale of data (and process information from at least 25,000 state residents). | ✘ | ✘ | ✘ | ✔[12] | ✘ | ✘ |
Statute applies to organizations that derive 25% of their revenue from the sale of data (and process information from at least 25,000 state residents). | ✘ | ✘ | ✘ | ✔[13] | ✘ | ✔[14] |
Statute applies to organizations that derive 50% of their revenue from the sale of data (and process information from at least 25,000 state residents). |
✔[15] (note no requirement to process 25,000 state residents) |
✔[16] | ✔[17] | ✔[18] | ✔[19] | ✔[20] |
[1] Utah Code Ann. § 13-61-102(1)(b) (2022).
[2] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020).
[3] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020).
[4] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).
[5] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).
[6] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).
[7] Va. Code 59.1-572(A) (2022).
[8] C.R.S. § 6-1-1304(b)(I).
[9] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).
[10] Connecticut Substitute Bill No. 6, § 2 (2022).
[11] Connecticut Substitute Bill No. 6, § 2 (2022).
[12] C.R.S. § 6-1-1304(b)(II) (2022).
[13] C.R.S. § 6-1-1304(b)(II) (2022).
[14] Connecticut Substitute Bill No. 6, § 2 (2022).
[15] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).
[16] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).
[17] Va. Code 59.1-572(A) (2022).
[18] C.R.S. § 6-1-1304(b)(II) (2022).
[19] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).
[20] Connecticut Substitute Bill No. 6, § 2 (2022).