December 9, 2025

State Privacy Law Comparison: CCPA, VCDPA, CPA, CTDPA Requirements

Ivan Tsarynny

Four states, four privacy laws, four different interpretations of what compliance actually means. California’s CCPA/CPRA, Virginia’s VCDPA, Colorado’s CPA, and Connecticut’s CTDPA are all fully in effect, and while they share core principles around consumer rights, they implement them in ways that directly conflict.

California treats web tracking as a disclosure problem: tell consumers what you’re doing. Colorado treats it as a technical enforcement problem: honor their browser signals automatically. Connecticut treats it as an experience problem: prove consumers can actually exercise their rights. Same intent, incompatible requirements.

This leaves compliance teams with a puzzle: how do you build one website that satisfies four definitions of “selling data,” four different consent requirements for sensitive information, and contradictory expectations for browser-level opt-outs? Get it wrong, and you’re either non-compliant in some states or over-engineering privacy controls in others.

This guide breaks down exactly where the laws diverge and shows you how to build a compliance model that works across all four states without defaulting to the most restrictive interpretation everywhere.

What you’ll learn

  • How state thresholds differ and how each law determines who is covered.
  • How consumer rights and consent requirements vary across the four states.
  • How to design a unified compliance model that keeps you aligned with privacy laws across all jurisdictions.


Applicability thresholds compared

At first glance, the state thresholds look interchangeable. Each law counts consumers, measures revenue, and asks whether a business is selling data. 

Look closer, though, and the boundaries shift. California broadens its reach by treating “sharing” (including cross-context behavioral advertising) the same as selling. Colorado broadens “sale” to include discounts. Virginia excludes employees and B2B contacts from its consumer count.

These definitional edges change who’s regulated. So to understand them better, let’s look at where each state draws its lines:

California (CCPA/CPRA): primary threshold is more than $25M in annual revenue, or processing the data of 100,000+ consumers/households; alternative threshold is deriving 50% or more of annual revenue from selling or sharing personal information.

Virginia (VCDPA): primary threshold is processing the personal data of 100,000+ consumers; alternative threshold is processing the data of 25,000+ consumers and deriving more than 50% of revenue from data sales.

Colorado (CPA): primary threshold is processing the personal data of 100,000+ consumers; alternative threshold is processing the data of 25,000+ consumers and receiving revenue or discounts from selling data.

Connecticut (CTDPA): primary threshold is processing the personal data of 100,000+ consumers (excluding payment-only transactions); alternative threshold is processing the data of 25,000+ consumers and deriving 25% or more of revenue from data sales.

Who It Applies To

California: For-profit entities collecting personal information from CA residents.

Virginia: Businesses operating in or targeting VA residents.

Colorado: Businesses operating in or targeting CO residents.

Connecticut: Businesses operating in or targeting CT residents.

What You Need to Know

California: “Sharing” counts as selling, so adtech alone can bring a company into scope.

Virginia: Employees and B2B contacts are excluded from “consumer,” narrowing applicability.

Colorado: Discounts qualify as a “sale,” capturing loyalty and incentive-based models.

Connecticut: Payment-only transactions are excluded, affecting e-commerce thresholds.

These thresholds determine whether the law applies, not how you meet it. With that question settled, the real work begins in managing rights, consent, and data use across states. 

So let’s get into that next. 

Comparing consumer rights across state privacy laws

The rights themselves are straightforward. All four states grant consumers the right to access their personal data, delete their data, and opt out of the sale of personal data. 

But the complexity lies in how each state expects you to honor them once a request comes in.

So let’s look at each right one by one, clarifying its scope, its jurisdictional reach, and the nuances that influence how teams actually put it into motion.

Right of access

The right of access gives consumers the ability to confirm whether a business is processing their personal data and to receive a copy of the information that can be reasonably linked to them. That baseline is shared across California, Virginia, Colorado, and Connecticut.

One thing to note is that California’s CCPA and CPRA expect more precision. They require disclosure of “specific pieces” of personal information when the data can be tied back to the individual, which often brings cookie identifiers, session data, and event-level tracking records into scope.

Right of access applies under the CCPA/CPRA, VCDPA, CPA, and CTDPA.

Right to deletion

The right to deletion allows consumers to ask a business to remove personal data collected about them. All four states recognize this right, and the core requirement is the same: delete what you can, and justify what you cannot.

But third-party data creates the main complication. Connecticut offers flexibility here by allowing controllers to either delete the data or restrict it by placing it on a limited-use list. That flexibility is helpful in high-volume environments where identity signals are thin.

The right to deletion applies across the CCPA and CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and the Connecticut Data Privacy Act.

Right to correction

The right to correction requires businesses to fix inaccurate personal data that a consumer has identified. 

However, things get more complicated when you look at web analytics and tracking technologies. These systems generate behavioral data that can’t be corrected in a literal sense, since the underlying logs are immutable. So the operational burden shifts to adjusting downstream profiles or models to reflect corrected information rather than rewriting immutable logs.

Right to correction applies under the CCPA via CPRA amendments, VCDPA, CPA, and CTDPA. 

Right to data portability

Portability requirements are consistent across all four states, which means businesses must provide the consumer with their data in a readily usable, machine-readable format.

The hard part is tying together the data you can clearly link to a user and the data that lives at the browser level. California, through the CCPA and CPRA, pushes teams a little further here because it expects more online identifiers to be included. So the work becomes understanding which identifiers belong to the person and which stand alone.

In short, the right to portability applies under the CCPA/CPRA, VCDPA, CPA, and CTDPA.

Opt-out of targeted advertising

This right is explicit in the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA).

California reaches the same outcome through a different pathway. Under the CCPA/CPRA, cross-context behavioral advertising is treated as “sharing” personal information, so opting out of “sharing” functions similarly to opting out of targeted advertising.

Opt-out of targeted advertising applies under the CPRA (via “sharing”), VCDPA, CPA, and CTDPA.

Opt-out of profiling

The opt-out of profiling allows consumers to prevent automated decision-making when it has legal or similarly significant effects, such as decisions related to housing, employment, credit, benefits, or essential services. 

Virginia, Colorado, and Connecticut each recognize this right in a fairly consistent way.

However, California takes a narrower view of what counts as profiling. Under the CCPA and CPRA automated decision-making rules, the right applies only in defined high-impact scenarios. 

In short, the right to opt out of profiling applies under the VCDPA, CPA, and CTDPA. In California it exists in some capacity, but it’s less rigorous.

So, when you lay these rights side by side, you can see the common threads along with the edges that shape how teams actually implement them:

Right | CA | VA | CO | CT
Access | ✓ | ✓ | ✓ | ✓
Deletion | ✓ | ✓ | ✓ | ✓
Correction | ✓ | ✓ | ✓ | ✓
Portability | ✓ | ✓ | ✓ | ✓
Targeted Ads Opt-out | ✓* | ✓ | ✓ | ✓
Profiling Opt-out | Limited | ✓ | ✓ | ✓

* California reaches this outcome through the opt-out of “sharing.”

Comparing consent and opt-out requirements across states

Consumer control is moving closer to the browser, yet the rules that shape it are evolving out of sync across states. One state leans on opt-in, another on limit-use, another on signal-based opt-outs. So compliance teams end up shouldering more burden by troubleshooting edge cases and patching inconsistent behaviors.

To fix that, the first step is understanding how each of these states approaches the consent model. 

Opt-out vs opt-in models

All four states let standard personal data processing run on an opt-out basis. In other words, you can collect and use most data until the consumer tells you to stop. The only real challenges show up once the data becomes sensitive, because that is where the states begin to diverge.

Sensitive data consent

Virginia, Colorado, and Connecticut require opt-in consent before sensitive data is processed. 

However, California, through the CCPA and CPRA, takes a different path and uses a limited-use framework instead of an opt-in model. 

Put simply, while you need explicit consent before collecting sensitive data in other states, in California, you need a mechanism that lets consumers narrow how that data is used.

Universal opt-out mechanisms

Colorado and Connecticut require businesses to honor universal signals such as Global Privacy Control because both laws treat browser-level opt-outs as a core consumer right, not an optional step in the interface.

California treats GPC as a valid opt-out request under the CPRA and expects businesses to act on it. Virginia doesn’t require signal recognition, but most teams still honor GPC because maintaining different logic per state creates more operational drag than it solves.

In short, here’s how different states fare across consent and opt-out options:

Theme | California CCPA/CPRA | Virginia VCDPA | Colorado CPA | Connecticut CTDPA
Opt-out vs opt-in models | ✓ Opt-out for standard processing | ✓ Opt-out | ✓ Opt-out | ✓ Opt-out
Sensitive data consent | Limit-use model (not opt-in) | ✓ Opt-in required | ✓ Opt-in required | ✓ Opt-in required
Universal opt-out signals (GPC) | ✓ Must honor GPC | No mandate | ✓ Must honor GPC | ✓ Must honor GPC

How should websites implement it?

For websites, the real challenge is that the consent and opt-out logic has to run before any tracking scripts load. That’s why it has to react instantly to browser-level signals where required.

Take Global Privacy Control as an example. When a visitor from Colorado arrives with GPC turned on, the site has to treat that signal as an opt-out the moment the page loads. So targeted advertising and any sale or sharing flows must stay off by default.

However, a visitor from Virginia won’t trigger that requirement. Yet, most teams still apply the Colorado standard everywhere because running different rules by state creates mistakes faster than it creates efficiencies.

In the end, as the decision parameters multiply, so does the risk. That is why many organizations choose to enforce GPC for all visitors, regardless of location. A single standard is easier to manage, harder to break, and already aligned with the states that expect automatic browser-level opt-outs.
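The gating logic this section describes, written out as an added example (this is not code from the original post or from AlphaPrivacy AI). It encodes the post’s own per-state summary as data, reads the Global Privacy Control signal from either `navigator.globalPrivacyControl` or the `Sec-GPC` request header, and decides which script categories may load before any tracker runs. The visitor’s state is assumed to come from geo-detection that is out of scope here; the consent object, category names, and the `text/plain` script-tag convention are assumptions for illustration. It also shows the single-standard choice (honoring GPC everywhere) next to the strictly per-state one.

```javascript
// Added example, not code from the original post or from AlphaPrivacy AI.
// A minimal client-side consent gate: before any tracker runs, it decides
// which script categories may load for a visitor. STATE_RULES is the post's
// summary encoded as data; the visitor's state is assumed to come from
// geo-detection elsewhere.

// honorGpc: does the state require acting on a Global Privacy Control signal?
// sensitive: "opt-in" (VA, CO, CT) or "limit-use" (CA).
const STATE_RULES = {
  CA: { honorGpc: true, sensitive: "limit-use" },
  VA: { honorGpc: false, sensitive: "opt-in" },
  CO: { honorGpc: true, sensitive: "opt-in" },
  CT: { honorGpc: true, sensitive: "opt-in" },
};

// States not listed fall back to the strictest combination.
const DEFAULT_RULE = { honorGpc: true, sensitive: "opt-in" };

// GPC is exposed in the browser as navigator.globalPrivacyControl and sent to
// the server as the "Sec-GPC: 1" request header; accept either source.
function gpcSignalled(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers && String(headers["sec-gpc"] || "").trim() === "1") return true;
  return false;
}

// consent: the visitor's stored choices (assumed shape), e.g.
// { targeted_ads: false, sensitive: true, limit_sensitive: true }.
// Absent keys mean "no choice recorded yet".
// enforceGpcEverywhere: the single-standard approach the post recommends.
function consentDecision({ state, nav, headers, consent = {}, enforceGpcEverywhere = true }) {
  const rule = STATE_RULES[state] || DEFAULT_RULE;
  const gpc = gpcSignalled(nav, headers);
  const gpcApplies = gpc && (enforceGpcEverywhere || rule.honorGpc);

  const allowed = { essential: true };
  // Standard processing is opt-out: it runs until the consumer says stop.
  allowed.analytics = consent.analytics !== false;
  // Sale/share and targeted advertising stay off whenever a GPC signal
  // applies or the consumer has opted out.
  allowed.targeted_ads = !gpcApplies && consent.targeted_ads !== false;
  allowed.sale_or_share = !gpcApplies && consent.sale_or_share !== false;
  // Sensitive data: opt-in states need an explicit yes; California's
  // limit-use model allows it unless the consumer has limited its use.
  allowed.sensitive = rule.sensitive === "opt-in"
    ? consent.sensitive === true
    : consent.limit_sensitive !== true;
  return { gpcApplies, allowed };
}

// scripts: [{ src, category }], mirroring tags kept inert in the page as
// <script type="text/plain" data-category="..."> until the gate activates
// them. Returns the srcs that may load; everything else stays blocked.
function scriptsToLoad(scripts, allowed) {
  return scripts.filter((s) => allowed[s.category] === true).map((s) => s.src);
}

// Constructed sample input: a Colorado visitor whose request carried Sec-GPC: 1.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/a.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "targeted_ads" },
];
const demo = consentDecision({ state: "CO", headers: { "sec-gpc": "1" } });
console.log(scriptsToLoad(SAMPLE_SCRIPTS, demo.allowed));
// → ['/js/app.js', 'https://analytics.example/a.js']
```

The important property is that `consentDecision` runs before any category other than `essential` is activated; a gate that evaluates the signal after the ad pixel has already fired is a disclosure, not an enforcement. Flipping `enforceGpcEverywhere` to `false` gives the strictly per-state behavior, which is where the Virginia edge case (GPC present but not mandated) shows up.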

How AlphaPrivacy AI enables multi-state compliance

As states continue to push more privacy control into the browser, compliance only becomes harder. Every update means new rules for signals, new limits on data use, and new expectations for what a site must do on the client side. 

The real strain comes from the pace of change. The laws evolve faster than most teams can rewrite their consent logic, which means even well-designed controls drift out of alignment over time.

AlphaPrivacy AI automatically adapts to new privacy requirements and seamlessly manages compliance programs across all U.S. states, as well as jurisdictions in Europe, the UK, Canada, Australia, and Brazil.

It gives you complete visibility

AlphaPrivacy AI gives you a complete view of every client-side data flow across your website. It identifies what each script, tag, or SDK collects and where that data goes, even when vendors update their code. That visibility becomes the foundation for accurate notices, correct classification of data uses, and reliable consent behavior across every jurisdiction.

In short, it removes the guesswork so your team isn’t chasing down hidden trackers or outdated configurations.

It enforces the correct consent model based on user location

Different states expect different behaviors from your site, and AlphaPrivacy AI applies those rules automatically. It interprets where a visitor is coming from and enforces the consent model that applies in that jurisdiction.

It detects and enforces universal opt-out signals

Universal signals like Global Privacy Control now carry legal weight in multiple states. AlphaPrivacy AI detects those signals the moment a page loads and blocks sale, sharing, and targeted advertising flows at the point of collection.

It centralizes consumer rights responses

When a consumer requests access, deletion, or correction, AlphaPrivacy AI surfaces the full record of what was collected and why. That includes client-side data that is traditionally hard to track or link back to an individual.

The result is a cleaner rights workflow, faster responses, fewer gaps, and a consistent experience regardless of which state’s rules govern the request.

It scales automatically with new laws

State laws shift often, and new jurisdictions come online every year. AlphaPrivacy AI absorbs those policy changes into the platform, so you don’t rebuild consent logic, re-tag pages, or rewrite notices every time a rule changes.

Want to keep your consent and opt-out logic consistent across all jurisdictions with one unified system? Schedule a demo to see how AlphaPrivacy AI can help.

FAQ

If my business operates in multiple states, which privacy law applies?

All applicable state laws apply simultaneously based on where your consumers are located. If you process data from California, Virginia, Colorado, and Connecticut residents, you need to comply with all four laws for the respective residents. You cannot choose one state’s framework and apply it universally, though many organizations adopt the strictest requirements (typically California’s) across all states to simplify operations. The key is identifying where your users are located and ensuring your systems can apply the correct rules per jurisdiction. Most compliance platforms handle this geo-detection automatically, but the underlying obligation remains: meet each state’s requirements for residents covered by that state’s law.

Do I need to honor Global Privacy Control (GPC) for visitors from all states?

Legally, you must honor GPC for visitors from Colorado, Connecticut, and California. Virginia does not mandate GPC recognition, though most businesses honor it anyway to avoid maintaining state-specific logic. The practical challenge is that GPC must be detected and enforced before any tracking scripts load, which requires client-side implementation. Many organizations choose to honor GPC for all visitors regardless of location because building separate consent flows for different states creates more operational complexity and risk than it solves. A single standard that meets the strictest requirement (Colorado and Connecticut’s GPC mandate) is typically easier to maintain and less prone to compliance gaps.

What counts as “sensitive data” and why does it matter?

Sensitive data typically includes health information, financial account details, precise geolocation, social security numbers, racial or ethnic origin, religious beliefs, and sexual orientation. It matters because Virginia, Colorado, and Connecticut require opt-in consent before processing sensitive data, while California uses a “limit use” framework that restricts how sensitive data can be used without requiring explicit consent upfront. The distinction affects your consent interface design and data collection flows. If you’re collecting health data for a wellness app or precise location for store finders, you need explicit opt-in consent in most states. The challenge for websites is that some tracking technologies may inadvertently collect data that qualifies as sensitive, requiring consent mechanisms you might not have anticipated.

How do the “sale” definitions differ and why does it impact website compliance?

Each state defines “sale” slightly differently, which changes what activities require opt-out mechanisms. California treats “sharing” for cross-context behavioral advertising as equivalent to selling, meaning standard adtech partnerships often trigger sale obligations. Colorado includes discounts or other benefits as consideration for a sale, catching loyalty programs and incentive-driven data flows. Virginia and Connecticut use more traditional definitions but still cover most data broker and advertising partnerships. For websites, this means your “Do Not Sell” mechanisms need to block different activities depending on state rules. Most organizations opt out of all data sharing when a consumer exercises sale opt-out rights, rather than trying to distinguish which specific data flows count as sales in which states.

Can I use the same privacy notice for all states?

You can create one unified privacy notice that covers all state requirements, but it must include all disclosures required by the strictest state (typically California). Your notice needs to explain what personal data you collect, how you use it, which categories of third parties receive it, consumer rights in each applicable state, and how to exercise those rights. The challenge is making it comprehensive without becoming overwhelming. Many organizations create a master notice with state-specific addendums or use dynamic notices that show relevant sections based on visitor location. The key is ensuring residents of each state can find the information their state law requires, even if other states don’t mandate the same disclosures.

Do employees and B2B contacts count toward the consumer thresholds?

It depends on the state. Virginia explicitly excludes employees and B2B contacts from its consumer count, which can significantly narrow whether a business meets the 100,000 consumer threshold. California, Colorado, and Connecticut do not provide the same exclusion, meaning employee data and B2B contacts may count toward thresholds in those states. This creates a compliance edge case: a business with 90,000 California consumers and 20,000 employees might be in scope for CCPA but not VCDPA if most of those individuals are Virginia residents. For threshold calculations, count conservatively and include all individuals unless the specific state law explicitly excludes that category. When in doubt, assume broader applicability rather than risk non-compliance.

What happens if I can’t technically delete data a consumer requests?

All four states recognize that complete deletion isn’t always technically feasible, but they handle it differently. Most states allow you to retain data when necessary for specific purposes like completing transactions, detecting security incidents, complying with legal obligations, or exercising free speech rights. Connecticut offers additional flexibility by allowing controllers to restrict data to a limited-use list instead of full deletion when technical deletion is impractical. The key is documenting why deletion isn’t possible and ensuring retained data is used only for the justified purpose. For web analytics and tracking data, the challenge is often that raw logs are immutable, so “deletion” means removing identifiers or ensuring the data cannot be linked back to the individual. Your deletion process should identify what can be deleted, what must be retained with justification, and how retained data is protected from unauthorized use.
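The three outcomes this answer describes, as an added example that is not code from the original post or from AlphaPrivacy AI: a deletion-request handler over event-level tracking records that treats the raw log as immutable, so “deleting” an event means stripping the fields that could link it to the requester. Records under a recognized retention reason are kept with a documented justification, or, when the controller uses the Connecticut option, moved to a limited-use list instead. The record shape, the identifier fields, the retention-reason names and the sample events are all constructed for the example.

```javascript
// Added example, not code from the original post or from AlphaPrivacy AI.
// Handles a deletion request against event-level tracking records with the
// three outcomes the answer describes: delete what you can, retain what you
// must with a written justification, or restrict it to a limited-use list.

// Retention purposes the answer names; anything else does not justify keeping
// identifiers. (Constructed list for the example.)
const RETENTION_REASONS = new Set([
  "complete_transaction",
  "security_incident_detection",
  "legal_obligation",
]);

// Fields that can link an event back to a person. The log itself is treated
// as immutable: "deleting" an event removes these fields and leaves the
// non-identifying remainder (page, timestamp, and so on).
const IDENTIFIER_FIELDS = ["user_id", "email", "cookie_id", "ip"];

function matchesSubject(record, subjectIds) {
  return IDENTIFIER_FIELDS.some((f) => record[f] !== undefined && subjectIds.has(record[f]));
}

function stripIdentifiers(record) {
  const out = {};
  for (const [k, v] of Object.entries(record)) {
    if (!IDENTIFIER_FIELDS.includes(k)) out[k] = v;
  }
  return out;
}

// records: array of event objects; subjectIds: Set of every identifier known
// for the requester (account id, cookie ids, email); options.restrictInstead:
// move retained matches to a limited-use list instead of keeping them inline.
// Returns the rewritten records, the limited-use list and an audit summary
// that documents every record kept and why.
function processDeletionRequest(records, subjectIds, options = {}) {
  const restrictInstead = options.restrictInstead === true;
  const limitedUse = [];
  const audit = { deleted: 0, retained: [], restricted: 0, untouched: 0 };
  const kept = [];
  for (const r of records) {
    if (!matchesSubject(r, subjectIds)) {
      kept.push(r);
      audit.untouched++;
      continue;
    }
    if (r.retention_reason && RETENTION_REASONS.has(r.retention_reason)) {
      if (restrictInstead) {
        limitedUse.push({ ...r, limited_use_only: true });
        audit.restricted++;
      } else {
        kept.push(r);
        audit.retained.push({ event_id: r.event_id, reason: r.retention_reason });
      }
      continue;
    }
    kept.push(stripIdentifiers(r));
    audit.deleted++;
  }
  return { records: kept, limitedUse, audit };
}

// Constructed sample log: four events, three of them linkable to the requester.
const SAMPLE_RECORDS = [
  { event_id: 1, user_id: "u-42", cookie_id: "ck-aaa", page: "/pricing" },
  { event_id: 2, cookie_id: "ck-aaa", page: "/checkout", retention_reason: "complete_transaction" },
  { event_id: 3, user_id: "u-7", page: "/home" },
  { event_id: 4, ip: "203.0.113.9", email: "u42@example.com", page: "/login", retention_reason: "marketing_model" },
];
const SUBJECT_IDS = new Set(["u-42", "ck-aaa", "u42@example.com"]);

const result = processDeletionRequest(SAMPLE_RECORDS, SUBJECT_IDS);
console.log(result.audit);
// → { deleted: 2, retained: [ { event_id: 2, reason: 'complete_transaction' } ], restricted: 0, untouched: 1 }
```

Note that event 4 is stripped even though it carries a `retention_reason`: the reason is not one the controller has justified, so it does not earn an exemption. The audit object is the part a rights workflow actually needs to keep, since it is the record of what was removed, what was retained and on what basis.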

How do state laws handle cookies and tracking technologies?

State privacy laws treat cookies and tracking technologies as mechanisms that collect personal information, which means they’re subject to the same rules as any other data collection method. If your cookies enable targeted advertising, that typically triggers opt-out requirements (or opt-in for sensitive data). If they enable “sale” or “sharing” under any state’s definition, they require specific disclosures and opt-out mechanisms. The technical challenge is that consent or opt-out preferences must be enforced before cookies load, not after. This is why many organizations use consent management platforms that block cookie deployment until appropriate consent is obtained or confirmed. California requires that cookie-based tracking respect the user’s browser-level opt-out signals (like GPC), while Colorado and Connecticut mandate GPC recognition explicitly. Most compliance strategies now block all non-essential cookies by default and load them only after confirming the user’s consent preferences align with their state’s requirements.