California, Colorado, Connecticut, Virginia, and Utah now have comprehensive consumer data privacy laws, most of which took effect in 2023. We are just beginning to see companies sued and fined for violating them. Indiana, Iowa, Montana, Tennessee, and Texas have enacted laws that take effect between 2024 and 2026, and a dozen other states are considering bills.
YOU DON’T HAVE TO BE LOCATED IN A STATE FOR THEIR LAW TO APPLY TO YOUR BUSINESS
States are interested in protecting their own residents, so these laws are triggered mainly by holding the personal data of a certain number of state residents and/or by making money from selling personal data, not by where your company sits. For the purposes of these laws, "doing business in the state" means offering products or services to residents of the state. The "controller" is the party that decides why and how personal data is processed; for instance, you are the controller of your own mailing list even if a vendor hosts it.
NOTE: You can be located in ANY state and still be covered. These laws are NOT triggered by being located in, or having employees in, the state. For instance, if you are located in Michigan but hold the data of 100,000 Virginia residents, the Virginia Consumer Data Protection Act (VCDPA) applies to your business.
| State and law | Volume trigger | Revenue trigger | Consumer rights |
|---|---|---|---|
| California: California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) | Buys, sells, or shares the personal information of 100,000 or more consumers or households per year (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it) | OR derives 50% or more of annual revenue from selling or sharing consumer personal information. ALSO applies to any business with more than $25M in annual gross revenue (from all regions) | Right to know; right to limit use and disclosure of sensitive personal information; right to correct; right of access; right to deletion; right to opt out of sales and sharing; right to non-discrimination; opt-in consent required for minors |
| Colorado: Colorado Privacy Act (CPA) | Controls or processes personal data of 100,000 or more Colorado residents per calendar year | OR derives revenue from the sale of personal data (no percentage threshold is given) AND controls or processes personal data of 25,000 or more consumers | Right of access; right of correction; right of deletion; right of portability; right to opt out of sales and of other processing such as targeted advertising and profiling; right to appeal |
| Connecticut: Connecticut Data Privacy Act (CTDPA) | Controls or processes personal data of 100,000 or more Connecticut residents per year | OR derives more than 25% of gross revenue from the sale of personal data AND controls or processes personal data of 25,000 or more consumers | Right of access; right of correction; right of deletion; right of portability; right to restrict processing; right to opt out of sales (where applicable); right to non-discrimination |
| Virginia: Virginia Consumer Data Protection Act (VCDPA) | Controls or processes personal data of 100,000 or more Virginia residents per year | OR derives more than 50% of gross revenue from the sale of personal data AND controls or processes personal data of 25,000 or more Virginia residents | Right of access; right of correction; right of deletion; right to opt out of sales; opt-in consent required before processing sensitive data; right to appeal |
| Utah: Utah Consumer Privacy Act (UCPA) | Controls or processes personal data of 100,000 or more Utah residents per year AND has $25M or more in annual revenue (businesses under $25M fall outside the law entirely) | OR derives more than 50% of gross revenue from the sale of personal data AND controls or processes personal data of 25,000 or more consumers (the $25M revenue floor still applies) | Right of access; right of deletion; right to opt out; right to know; right to non-discrimination |

Two points on Virginia deserve emphasis: all collection of sensitive data is opt-in rather than opt-out, and if a consumer submits a request concerning their data rights, you must respond within 45 days.
It is early days for these laws and the enforcement mechanisms vary. California is the only one of the five with a private right of action, and it is narrow: residents can sue only over certain data breaches that result from a business's failure to maintain reasonable security. Other CCPA/CPRA violations are enforced administratively by the California Privacy Protection Agency, which the CPRA created, and by the Attorney General. The other four states give enforcement to their attorneys general, with maximum fines ranging from roughly $5,000 to $20,000 per violation depending on the state.