Skip to content

Most of the modern state data privacy laws have attempted to exclude from their jurisdictional reach organizations that process de minimis amounts of personal information. The state statutes create different thresholds for what constitute de minimis processing base those thresholds largely on whether the organization sells personal information. The net result is that most states apply a two-tiered volume threshold. Under two-tiered systems, a first volume threshold applies to all organizations. If the organization sells personal information, the threshold “steps-down” to a second – lower – volume threshold. For example, under the Colorado Privacy Act, the first volume threshold is whether an organization controls or processes personal data of 100,000 in-state residents during a calendar year.[1] If the organization derives any revenue from the sale of personal information, the threshold “steps-down” to a second volume-trigger of 25,000 in-state residents.[2] 

[1] CRS § 6-1-1304(1)(b)(I) (2023).

[2] CRS § 6-1-1304(1)(b)(II) (2023).