
Comprehensive State Consumer Data Protection Acts: Part 1 – Do I Need to Comply?

Every company doing business in California, Colorado, and Virginia needs to determine whether the states’ new privacy laws impact its business and, if so, what steps it needs to take to comply with these new laws. In part one of our series on the comprehensive state consumer data protection acts, we walk you through the thresholds for determining the applicability of the new laws.

There are specific thresholds for determining whether each state’s law applies to your company.  In Virginia and Colorado, business and commercial information is expressly excluded.  Consumers are defined as individuals acting only in an individual or household context.  In California, business information is presently exempt, but the exemption expires January 1, 2023.  Generally, each state’s law will apply to any entity that:

California’s CCPA applies to a broader range of businesses – any with $25M in annual revenue. Virginia and Colorado have fairly high thresholds, but do not have a separate revenue-only threshold like the CCPA. All three are meant to capture medium to big businesses, or those in the business of selling personal data, not small, Mom-and-Pop operations.

The analysis of whether the laws impact your business doesn’t end after the above factors are considered.   Even if the criteria are met, the Virginia and Colorado Acts expressly exclude application to:

What’s Next?

If your business meets the criteria outlined in the first chart and does not meet one of the carve-outs set out in the second chart, you need to start planning for the 2023 mandates and, in the case of California, take immediate steps to ensure you comply. We walk through those requirements and steps to comply in the second and third articles in our series, but if you have any questions about the applicability of the laws to your business, please reach out to us or our colleagues here at LB3.

Learn more:

  • Part 2 – Your obligations under the Acts, and how to comply.
  • Part 3 – Enforcement regimes under the Acts, and how the Acts affect business agreements with IT and telecom providers.

You may also enjoy Deb and Laura’s related two-part podcast on this subject:

  • Part 1 – Contracting obligations enterprises must follow to comply with these Acts.
  • Part 2 – What these Acts mean for enterprise buyers of technology.
