February 9, 2026

When Do U.S. State Privacy Laws Apply? Scope and Thresholds Explained

Ivan Tsarynny

While the objective of protecting personal data is to be lauded, the current setup in the US is one of the most complex in the world. Twenty states. Twenty different thresholds and definitions. ‘Sale’ means one thing in California, another in Virginia. Tracking 275 daily website visitors puts you in scope for CCPA/CPRA, but not Tennessee’s law. 274 keeps you out of both.

Just determining if a law even applies has become a legitimate challenge for businesses. Yet, there’s a signal in the noise. 

Despite different thresholds, the actual obligations are largely similar. So with a clear understanding of thresholds and where requirements converge across states, businesses can build a defensible compliance posture without reinventing the wheel for each jurisdiction. (For a detailed comparison of specific requirements across major state laws, see our CCPA, VCDPA, CPA, and CTDPA requirements breakdown.)

This guide walks through the applicability thresholds for every major state privacy law, shows you how to calculate your scope, and lays out some approaches businesses are using to manage multi-state compliance.

State privacy laws: Overview

As of January 2026, twenty states have comprehensive consumer privacy laws in effect, with Indiana, Kentucky, and Rhode Island having just joined that list on January 1.

The good news is that the core obligations across these laws are remarkably similar. Consumers get rights to access their data, request deletion, and opt out of certain processing activities. 

And all state privacy laws require businesses to publish privacy notices, implement reasonable security measures, and, in many cases, conduct data protection assessments for high-risk processing.

Even enforcement sits with state attorneys general across all laws. No state provides a private right of action, which means compliance violations trigger regulatory action, not class-action lawsuits.

But despite those similarities, meaningful differences exist when it comes to thresholds. Let’s look at where each state draws its lines. 

| Law (State) | Scope | Thresholds | Notes |
|---|---|---|---|
| CCPA/CPRA (CA) | For-profit in CA | Rev >$26.6M OR 100k+ OR 50% sales | “Sharing” = selling (adtech counts) |
| VCDPA (VA) | Target VA | 100k OR 25k + 50% sales | B2B & employees excluded |
| CPA (CO) | Target CO | 100k OR 25k + sales | Discounts = sales; UOOM (Jul 2024) |
| CTDPA (CT) | Target CT | 35k (2026) OR any sensitive | Payment-only excluded |
| UCPA (UT) | Target UT | $25M rev + 100k OR 25k + 50% sales | Only law requiring rev + volume |
| TDPSA (TX) | Target TX | No numeric threshold | Small biz exempt |
| OCPA (OR) | Target OR | 100k OR 25k + 25% sales | No payment exclusion; UOOM 2026 |
| MCDPA (MT) | Target MT | 25k OR 15k + 25% sales | Lowest thresholds nationwide |
| ICDPA (IA) | Target IA | 100k OR 25k + 50% sales | 90-day cure; no correction right |
| PIPA (DE) | Target DE | 100k OR 25k + 50% sales | Narrow nonprofit exemption |
| NDPA (NE) | Target NE | 100k OR 25k + 50% sales | Broad nonprofit exemption |
| NHPA (NH) | Target NH | 100k OR 25k + 50% sales | Broad nonprofit exemption |
| DPA (NJ) | Target NJ | 100k OR 25k + 50% sales | No nonprofit exemption |
| TIPA (TN) | Target TN | $25M + 175k OR 25k + 50% sales | Highest consumer threshold |
| MCDPA (MN) | Target MN | 100k OR 25k + 50% sales | Stronger minimization rules |
| MODPA (MD) | Target MD | 100k OR 25k + 50% sales | Bans sale of sensitive data |
| DPPSA (FL) | Target FL | 100k OR 25k + 50% sales | Standard VA-model |
| ICDPA (IN) | Target IN | 100k OR 25k + 50% sales | Non-expiring cure |
| KCDPA (KY) | Target KY | 100k OR 25k + 50% sales | Limited guidance |
| RIDPA (RI) | Target RI | 100k OR 25k + 50% sales | Effective 2026 |

Texas stands out for having no specific numerical thresholds, instead relying on a small business exception to determine scope. If you’re operating in Texas and need clarity on what website-level controls TDPSA requires, see our detailed guide to Texas Data Privacy and Security Act website requirements.

Understanding which thresholds you meet is the starting point for compliance planning. You can’t build privacy notices, implement consent mechanisms, or establish consumer request workflows until you know which states’ laws apply to your business. 

Now that we have a high-level view of all state privacy laws and their thresholds, let’s look at them individually. 

California CCPA/CPRA: The broadest applicability

California’s state privacy laws are so broad that there’s a working assumption in the field that if you build to meet California’s standard, you’ll meet the requirements of other states with minimal additional effort. 

CCPA, the first privacy law in California, came into effect on January 1, 2020. Then, it evolved into CPRA, which took effect on January 1, 2023. And so far, it’s the only state that has an independent revenue threshold. 

So, who must comply?

Any for-profit entity falls within the CCPA scope if it does business in California and meets any one of the following thresholds:

If the annual gross revenue exceeds: $26,625,000 

Originally, the revenue threshold was around $25 million, but in 2025, it was revised to reflect inflation adjustments to the Consumer Price Index.

All other state laws tie the revenue component to the volume of traffic or data they receive. California doesn’t. If your business hits $26.6 million in annual revenue and does business in California, you’re in scope. That single distinction makes California’s reach broader than any other state, capturing businesses regardless of consumer data volume or sales practices.

So a consulting firm, software vendor, or services business with $30 million in annual global revenue meets this threshold even if it collects minimal consumer data. 

If your business buys, sells, or shares data of more than 100,000 CA residents 

If your business buys, sells, or shares data of more than 100,000 California residents, households, or devices annually, it’s in scope. This threshold includes website visitors, registered users, customers, and even transient users tracked via cookies and device identifiers.

However, one thing that catches businesses off guard is how California defines a sale. It’s not just selling data for money. The definition includes renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information in exchange for monetary or other valuable consideration.

That means you don’t need payment for something to qualify as a sale. This brings standard business operations like sharing data with advertising networks, analytics vendors, or third-party marketing services under scope. Managing these third-party scripts and tracking technologies is often the hardest part of CCPA compliance; our guide to CCPA client-side compliance walks through how to handle cookies, pixels, and tag managers in a compliant way.

If you’re monetizing consumer data

If your business makes more than 50% of its revenue from selling or sharing personal information of California residents, then it’s under scope. 

However, there’s nuance to these thresholds. Your business can still be in scope without having a physical storefront in California. The business just needs to sell to California residents for the thresholds to be applicable, even if it does so online or via other virtual channels.

So an online-only retailer with no California office still falls under CCPA if it processes any California resident data and meets threshold criteria.

Virginia CDPA applicability thresholds

Virginia’s CDPA became effective on January 1, 2023, and went on to set a template for other states, now known as the “Virginia model.” In spirit, it’s a simpler and narrower framework designed to regulate businesses that actually traffic in consumer data, not just businesses that happen to be large. 

Where California casts a wide net with its revenue threshold, Virginia aims for precision, focusing on data volume and monetization. And the difference is notable. There’s no independent revenue threshold. So a business could have over $150 million in annual revenue and still not come under scope. 

So, who must comply?

A business falls within the CDPA scope if it conducts business in Virginia or offers products or services targeted to Virginia residents and meets thresholds set around data volume and revenue from data sales.

Like CCPA, physical presence doesn’t matter. Selling to Virginia residents, targeting them with marketing, or processing their data is sufficient. An out-of-state e-commerce site qualifies if it serves Virginia customers and meets the thresholds. 

Let’s look at these thresholds:

If you process a high volume of personal data

Businesses that process personal information of more than 100,000 Virginia residents annually come under the scope. However, there’s a catch. Business contacts and employees don’t count. It has to be in an individual or household context.  

So if you’re processing data for 150,000 Virginia residents, but 100,000 of them are business contacts at client companies, you’re under the threshold.

If you monetize data by selling

For this threshold to be triggered, your business needs to process data of at least 25,000 Virginia residents and derive more than 50% of its gross revenue from selling that data.

This threshold is specifically designed to catch data brokers and lead generation businesses that might not hit the 100,000-consumer bar but are clearly monetizing consumer information.

Colorado CPA applicability thresholds

The Colorado Privacy Act became effective July 7, 2023, and builds on the foundations of Virginia’s privacy act, but with one meaningful tweak. Like Virginia, it focuses on consumer data volume rather than enterprise revenue. But Colorado added a broader interpretation of what counts as revenue from data sales that catches businesses that Virginia might miss.

Who must comply

A business falls within CPA scope if it conducts business in Colorado or produces products or services targeted to Colorado residents and meets either threshold.

Processing data for 100,000+ Colorado consumers

If your business processes, controls, or stores personal data of more than 100k Colorado residents annually, it applies to you. For online businesses, these thresholds apply when your web traffic, customer base, and data processing operations surpass 100k residents.

You have significant revenue from data sales, even with lower customer volume

The key threshold is set at deriving monetary gains, discounts, or other benefits from selling data of at least 25k Colorado residents. Phrasing is key here, because the law applies to you even without direct payments. It just recognizes receiving valuable advantage in any form, whether that’s discounted cloud services, free analytics tools, or other benefits in exchange for data. 

This is broader than Virginia’s approach. Virginia requires that you derive more than 50% of gross revenue from data sales. Colorado just requires that you derive revenue or benefits from sales, without specifying a percentage. 

So a business making 10% of its revenue from data sales with 30,000 Colorado consumers would be exempt under Virginia’s law but covered under Colorado’s.

Thresholds for Connecticut CTDPA and Utah UCPA 

Connecticut and Utah both enacted laws in 2023, but they took opposite approaches to applicability. Connecticut set a lower revenue percentage threshold than Virginia, making it easier for mid-sized data businesses to fall into scope. Utah went the other direction and built one of the most restrictive threshold structures in the country by requiring both revenue and consumer volume.

Connecticut CTDPA

Connecticut’s Data Privacy Act became effective July 1, 2023. The original thresholds followed Virginia’s model with one adjustment. Where Virginia requires 50% of revenue from data sales to trigger the lower consumer threshold, Connecticut sets it at 25%.

So it applied to businesses that:

  • Control or process data for 100k or more residents of Connecticut. 
  • Control or process data for over 25k Connecticut consumers, but derive more than 25% of annual gross revenue from selling data. 
  • Make at least 30% of their revenue from data sales with 30k Connecticut residents.

However, there’s an exclusion for e-commerce businesses. The law excludes the data that’s solely used for payment transactions. This means that if an e-commerce business only processes customer data to complete purchases, then that won’t be counted towards the threshold. 

Connecticut is set to lower thresholds significantly in 2026

Connecticut will substantially lower its thresholds via SB 1295, which will take effect on July 1, 2026. The new thresholds will be among the lowest in the country.

It will drop the threshold from 100k to 35k consumers. So mid-market businesses and SMEs that were previously out of scope would be under the threshold.  

The upcoming amendments also eliminate volume thresholds for two specific activities. If you process any amount of sensitive data, excluding payment processing purposes, you’re covered regardless of the volume. And if you offer consumer data for sale at any scale, you’re covered regardless of volume or revenue percentage. 

This 2026 change reshapes Connecticut’s position in the landscape. It moves from mid-tier applicability to one of the broadest state laws after California.

Thresholds for Utah UCPA

Utah takes a radically different approach with its data protection laws. Having come into effect on December 31, 2023, it’s the only state that requires both a revenue threshold and consumer volume thresholds. You must meet all conditions, not just one.

The first requirement for the threshold is a $25 million revenue floor. If you meet that, you then need to meet one of two volume thresholds, which is either processing data of over 100k Utah residents, or processing data for 25,000+ Utah customers while deriving 50% or more of revenue from data sales.

The ‘and’ requirement functions like an intersection, not a union: you need to hit both the revenue and the data volume thresholds. Other states use OR logic, which means that if you meet any one of the thresholds, you’re in scope. Utah requires you to be in both sets simultaneously, which narrows the scope significantly. That makes Utah’s law the most business-friendly in terms of scope.

How to determine if state laws apply to your business

Thresholds come with fine print. They have qualifiers and nuances that change who’s actually covered. For example, you could process data for 120,000 Virginia residents, but only 80,000 of them count towards the threshold because the privacy law excludes B2B contacts. Your business could have $30 million in revenue, but fall outside California’s data privacy laws if you’re not serving residents from California. You could hit Montana’s 25,000-consumer threshold, but be exempt because you already come under HIPAA or GLBA. 

Here’s a step-by-step guide to help you figure out where your business falls.

Step 1: Map your geographic footprint

Start by understanding your audience base. Where do your customers come from, in what volume, and how much do they contribute to the revenue? It’s not about your physical store or the location of your servers, but the domicile of your customers.  

If you’re running a website with Google Analytics, you’re collecting data from every state when visitors land on your website. If you’re running Facebook ads targeted to specific regions, you’re marketing to those states. If you’re shipping products or delivering services, you’re doing business there.

List every state where you have customers, users, website traffic, or marketing activity. More often than not, online businesses find out that they’re operating across multiple states.

Step 2: Identify your business model

Your business model determines how state laws view your data practices, which exemptions apply, and what counts toward your consumer volume calculations.

If you’re an e-commerce or consumer SaaS, you’re processing consumer data as part of delivering a service. So, thresholds focus on volume. But if you’re a data broker or a lead generation business, the data becomes your revenue stream. So now you look at what percentage of your business comes from selling information, and that decides your threshold.  

An e-commerce platform with 150,000 customers likely meets volume thresholds in multiple states but might not meet revenue-from-sales thresholds because its business model is selling products, not data. 

On the other hand, a lead generation company with 30,000 consumers might not meet volume thresholds but could meet the 50% revenue-from-sales threshold because its entire business model is data monetization.

Step 3: Triage against the revenue thresholds first

States like California, Utah, and Tennessee have a revenue threshold. That means if your revenue exceeds $26.6 million, you come under California’s privacy law if you serve residents of California. If you’re above $25 million in gross revenue, you come under Utah and Tennessee’s privacy law.

However, there’s one key distinction. California’s revenue threshold is standalone. If you hit $26.6 million in annual gross revenue and do business in California, you’re in scope. Utah and Tennessee require revenue and consumer volume, so hitting the revenue threshold alone doesn’t bring you under the scope, and you also need to meet consumer count thresholds.

If you’re under these revenue levels, consumer volume becomes the determining factor.

Step 4: Count consumers by state

Consumer volume thresholds are among the most confusing. In some states, B2B contacts aren’t counted. In some, your business model determines which threshold they count towards. And in some, data processed solely for payment transactions is excluded from the count.

Website visitors tracked with cookies or device identifiers count. Logged-in users count. Newsletter subscribers count. Anyone whose data flows through your systems in an identifiable way adds to the counts, and these are measured on an annual basis. 

Step 5: Calculate Revenue from Data Sales

If your business monetizes consumer data, you need to calculate what percentage of revenue comes from selling or sharing it. This matters for the lower consumer thresholds in states like Virginia, Colorado, Connecticut, and Montana.

You can calculate it by using this formula: (Revenue from data sales / Total annual revenue) × 100.

However, the challenging part is correctly determining the revenue from sales. The definition of ‘sales’ varies from state to state. And some states, like California, consider sharing data for any kind of gains, even non-monetary, as a sale. So data shared with Google Analytics and other marketing platforms gets counted. 

Even if you’re providing data to partners who offer discounted cloud services in return, that counts. The threshold is broad by design, so you need to document what you’re counting and why.

Step 6: Compare against state thresholds

Once you clearly understand your business model, your revenue percentages, and the demographics of your customers, just compare them with state thresholds to determine your scope.  

The cleanest way to do this is a spreadsheet with columns for each state and rows for your metrics. Revenue threshold met? Yes or no. Consumer count? Your calculated number. Meets the 100,000-consumer test? Yes or no. Meets the lower consumer threshold with revenue percentage? Yes or no. Applicable? Yes or no.
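The Step 3 to Step 6 comparison can also be scripted. The following is an added example, not code from the original article or from Feroot: it encodes only the California, Virginia, Colorado, and Utah thresholds as this page states them, and shows Utah's AND logic next to the OR logic of the others. All class, field, and function names and the sample figures are assumptions made for illustration, and consumer counts use the "or more" reading given in the FAQ on this page.

```python
# Added example: scope check for four states using the thresholds quoted on
# this page. Names and sample figures are constructed for illustration.
from dataclasses import dataclass

CA_REVENUE = 26_625_000  # CCPA/CPRA standalone revenue threshold (from the page)
UT_REVENUE = 25_000_000  # UCPA revenue floor (from the page)


@dataclass
class StateFootprint:
    targets_state: bool    # Step 1: do you do business with or target residents?
    consumers: int         # Step 4: residents whose data you processed in 12 months
    b2b_contacts: int = 0  # business contacts / employees included in that count


@dataclass
class Business:
    annual_revenue: float
    data_sale_revenue: float  # Step 5: revenue or valued benefit from selling data
    footprint: dict           # state code -> StateFootprint


def sale_share_pct(b):
    """Step 5 formula: (revenue from data sales / total annual revenue) * 100."""
    if b.annual_revenue <= 0:
        return 0.0
    return b.data_sale_revenue * 100 / b.annual_revenue


def applicability(b):
    """Step 6: return {state: in_scope} for the states in the footprint."""
    pct = sale_share_pct(b)
    result = {}
    for state, fp in b.footprint.items():
        n = fp.consumers
        if not fp.targets_state:
            in_scope = False
        elif state == "CA":
            # OR logic: any single pathway is enough, revenue stands alone.
            in_scope = b.annual_revenue > CA_REVENUE or n >= 100_000 or pct > 50
        elif state == "VA":
            n -= fp.b2b_contacts  # B2B contacts and employees do not count
            in_scope = n >= 100_000 or (n >= 25_000 and pct > 50)
        elif state == "CO":
            # Any revenue or benefit from sales triggers the lower tier.
            in_scope = n >= 100_000 or (n >= 25_000 and b.data_sale_revenue > 0)
        elif state == "UT":
            # AND logic: revenue floor plus one of the volume tests.
            volume = n >= 100_000 or (n >= 25_000 and pct >= 50)
            in_scope = b.annual_revenue >= UT_REVENUE and volume
        else:
            raise ValueError(f"no rule encoded for {state}")
        result[state] = in_scope
    return result


if __name__ == "__main__":
    # Constructed sample: services firm with $30M revenue and little consumer data.
    firm = Business(30_000_000, 0, {
        "CA": StateFootprint(True, 500),
        "VA": StateFootprint(True, 500),
        "UT": StateFootprint(True, 500),
    })
    for state, in_scope in applicability(firm).items():
        print(state, "in scope" if in_scope else "out of scope")
```
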

How AlphaPrivacy AI manages multi-state compliance

Different states approach data protection differently. That means different scopes, thresholds, and definitions. For businesses operating across states, this sprawls into an operational challenge. They have to adapt their policies, consent flows, and controls on the same website to honour the jurisdiction-specific regulations in real-time.

AlphaPrivacy Guard AI by Feroot closes that gap. It automatically adapts to new privacy requirements and seamlessly manages compliance programs across all U.S. states, as well as jurisdictions in Europe, the UK, Canada, Australia, and Brazil. 

It sits between different state laws and your actual website and data stack, helping your website adapt to each regulation in real time with location-specific consent management, data handling rules, and jurisdiction-specific privacy documentation, automatically. 

Do I need to comply with a state law if I have zero customers there but get organic website traffic from that state?

Yes, if you meet the thresholds. State laws apply based on processing or targeting residents, not just having customers. If your website tracks 100,000+ visitors from Virginia annually via cookies or analytics, even if none convert to customers, you meet Virginia’s primary threshold. The law doesn’t distinguish between customers and tracked visitors.

If I’m right at a threshold (exactly 100,000 consumers), am I in or out of scope?

You’re in scope. Thresholds use “or more” language. Processing data for exactly 100,000 Virginia residents means you meet the 100,000+ requirement. However, if you’re hovering near a threshold, build in margin for error. Consumer counts fluctuate, and undercounting due to measurement gaps won’t shield you from enforcement.

Can I avoid compliance by geo-blocking certain states?

Technically yes, but it’s rarely practical. Geo-blocking Montana or Connecticut might seem easier than compliance, but you’d need to block at multiple levels: website access, ad targeting, data collection, and third-party integrations. Most businesses find it simpler to implement baseline privacy controls than to maintain accurate geo-restrictions across their entire tech stack.

What happens if I meet thresholds in multiple states with conflicting requirements?

You comply with the strictest requirement that applies. If California requires opt-out for “sharing” and Virginia requires it for “sales,” and the definitions differ, you implement both. If Montana prohibits selling sensitive data outright while Colorado allows it with consent, you can’t sell that data to Montana residents at all. Multi-state compliance means layering controls, not choosing one framework.

How often do I need to recalculate whether I meet thresholds?

At minimum, annually. Most businesses calculate quarterly to avoid surprises. If you’re within 20% of any threshold, monitor monthly. Thresholds are measured on a rolling 12-month basis in most states, so a sudden traffic spike or successful marketing campaign can push you into scope mid-year.

If my revenue is $26 million, do I fall under California’s law since the threshold is $26.6 million?

No. The threshold is indexed to inflation and adjusts annually. In 2025, it’s $26,625,000. If your revenue is $26 million, you’re under the revenue threshold. But remember—California has two other pathways to applicability (100K consumers, or 50% revenue from sales), so check those as well.

Does “targeting” a state mean I need a specific marketing campaign, or does selling online count?

Courts haven’t fully defined “targeting” yet, but regulatory guidance suggests a low bar. If you ship to a state, accept payments from residents, run geo-targeted ads, or have state-specific landing pages, you’re likely targeting that state. Passive accessibility (a website anyone can visit) is a gray area, but if you’re transacting with residents, you’re almost certainly targeting them.

We’re a startup that just hit a threshold. How much time do we have to comply?

State laws don’t provide grace periods for newly covered businesses. Once you meet a threshold, obligations apply immediately. That said, enforcement typically focuses on egregious violations first, and most AGs offer cure periods for first-time violations. Realistically, you should achieve baseline compliance (privacy notice, opt-out mechanism, consumer request process) within 90 days of crossing a threshold.

Can I round down my consumer count if I’m close to a threshold?

Not defensibly. If your analytics show 102,000 Virginia visitors annually, you can’t claim you process “approximately 95,000” to stay under the threshold. State AGs expect businesses to use reasonable measurement methods and count conservatively. If anything, round up to account for measurement gaps in your tracking systems.

Want to keep your consent and opt-out logic compliant across all jurisdictions with one unified system? Schedule a demo to see how AlphaPrivacy AI can help.