US State Data Privacy Laws – a comparison
July 12, 2023
As more US states introduce privacy laws, companies must be aware of and be able to manage the varying provisions of each, which can make cross-state privacy compliance a very complex undertaking. Waystone Compliance Solutions can guide you through these nuances and help you to navigate the privacy laws that apply to your business.
The guide below summarises the differences between the CCPA, CPRA, CDPA, CTDPA, CPA and UCPA: when each law takes effect and who enforces it, its territorial scope, the threshold at which it applies to a business, and whether a privacy impact assessment is required.
US State Data Privacy Laws comparison chart
| Law | Effective | Enforcement Agency |
|---|---|---|
| California Consumer Privacy Act of 2018 (CCPA) | January 1, 2020 | California Attorney General |
| California Privacy Rights Act of 2020 (CPRA) | January 1, 2023 | California Privacy Protection Agency (CPPA) |
| Colorado Privacy Act (CPA) | July 1, 2023 | Colorado Attorney General or District Attorney |
| Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | Connecticut Attorney General |
| Utah Consumer Privacy Act (UCPA) | December 31, 2023 | Utah Attorney General |
| Virginia Consumer Data Protection Act (CDPA) | January 1, 2023 | Virginia Attorney General |
| Law | Territorial Scope | Application Threshold |
|---|---|---|
| CCPA | For-profit businesses that collect personal information from California residents. | Gross annual revenue of over USD 25 million; or buying, receiving, or selling the personal information of 50,000 or more California residents, households, or devices; or deriving 50% or more of annual revenue from selling California residents' personal information. |
| CPRA | For-profit businesses that collect personal information from California residents. | Gross annual revenue of over USD 25 million; or buying, receiving, selling, or sharing the personal information of 100,000 or more California residents or households; or deriving 50% or more of annual revenue from selling or sharing California residents' personal information. |
| CPA | Any data controller that conducts business in Colorado, or that produces or delivers commercial products or services intentionally targeted to Colorado residents. | Controlling or processing the personal data of at least 100,000 consumers in a calendar year; or controlling or processing the personal data of 25,000 or more consumers and deriving revenue, or receiving a discount on the price of goods or services, from the sale of personal data. |
| CTDPA | Persons that conduct business in Connecticut, or that produce products or services targeted to Connecticut residents. | Controlling or processing the personal data of not less than 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction); or controlling or processing the personal data of not less than 25,000 Connecticut residents and deriving more than 25% of gross revenue from the sale of personal data. |
| UCPA | Any controller or processor that conducts business in Utah, or that produces a product or service targeted to consumers who are Utah residents. | Annual revenue of USD 25 million or more and, during a calendar year, either (a) controlling or processing the personal data of 100,000 or more consumers, or (b) deriving over 50% of gross revenue from the sale of personal data and controlling or processing the personal data of 25,000 or more consumers. Unlike the other laws, the revenue test and one of the data-volume tests must both be met. |
| CDPA | Persons that conduct business in the Commonwealth of Virginia, or that produce products or services targeted to Virginia residents. | Controlling or processing the personal data of at least 100,000 consumers in a calendar year; or controlling or processing the personal data of at least 25,000 consumers and deriving over 50% of gross revenue from the sale of personal data. |
| Law | Does a Privacy Impact Assessment (PIA) need to be conducted? | What should be included in a Privacy Impact Assessment? |
|---|---|---|
| CCPA | N/A | N/A |
| CPRA | Businesses whose processing presents a significant risk to consumer privacy or security must submit regular risk assessments to the CPPA. | A PIA under the CPRA should identify and weigh the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing. |
| CPA | Data controllers are required to carry out a PIA for activities including: | A PIA should weigh the risks and benefits of the processing activity and should include several factors such as: |
| CTDPA | Controllers must conduct a data protection assessment for activities that present a heightened risk of harm to a consumer, including, but not limited to, the processing of personal data for targeted advertising, profiling, and the sale of personal data. | A data protection assessment should identify and weigh the benefits of the processing against the potential risks to the rights of the consumer. The controller should factor the following into the assessment: |
| UCPA | N/A | N/A |
| CDPA | Data controllers are required to carry out a PIA for activities including: | A PIA must also consider the balance between the risks and benefits of the processing activity and should also include: |
If you have any questions about US Privacy Laws as they come into effect, please reach out to our Cyber and Data Protection team today.