June 26, 2022

Volume XII, Number 177


Understanding the Delta Among State Privacy Statutes: Jurisdictional Triggers

Modern state privacy laws have attempted to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. The specific thresholds used, however, differ between states. The following provides a comparison of the thresholds that each statute creates for organizations that are subject to regulatory compliance obligations:

 

| Jurisdictional criteria | California 2022 CCPA | California 2023 CPRA | Virginia 2023 VCDPA | Colorado 2023 CPA | Utah 2023 UCPA | Conn. 2023 CTDPA |
|---|---|---|---|---|---|---|
| Statute per se exempts organizations with revenue less than $25 million regardless of quantity of data if other eligibility thresholds are not met. | | | | | ✔[1] | |
| Statute per se applies to organizations with more than $25 million regardless of quantity of data. | ✔[2] | ✔[3] | | | | |
| Statute applies to organizations that control or process data of 50,000 state residents. | ✔[4] | | | | | |
| Statute applies to organizations that control or process data of 100,000 state residents. | ✔[5] | ✔[6] | ✔[7] | ✔[8] | ✔[9] | ✔[10] |
| Statute exempts from computation data subjects whose information was used solely for completing payment transactions. | | | | | | ✔[11] |
| Statute applies to organizations that derive any revenue from the sale of data (and process information from at least 25,000 state residents). | | | | ✔[12] | | |
| Statute applies to organizations that derive 25% of their revenue from the sale of data (and process information from at least 25,000 state residents). | | | | ✔[13] | | ✔[14] |
| Statute applies to organizations that derive 50% of their revenue from the sale of data (and process information from at least 25,000 state residents). | ✔[15] (note no requirement to process 25,000 state residents) | ✔[16] | ✔[17] | ✔[18] | ✔[19] | ✔[20] |

FOOTNOTES

[1] Utah Code Ann. § 13-61-102(1)(b) (2022).

[2] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020).

[3] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020).

[4] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[5] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[6] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).

[7] Va. Code 59.1-572(A) (2022).

[8] C.R.S. § 6-1-1304(b)(I).

[9] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).

[10] Connecticut Substitute Bill No. 6, § 2 (2022).

[11] Connecticut Substitute Bill No. 6, § 2 (2022).

[12] C.R.S. § 6-1-1304(b)(II) (2022).

[13] C.R.S. § 6-1-1304(b)(II) (2022).

[14] Connecticut Substitute Bill No. 6, § 2 (2022).

[15] Cal. Civ. Code § 1798.140(c)(1)(A) (West 2020) (note that scope is only triggered if the organization receives the quantity of data for business purpose, buys, sells, or shares, such data).

[16] Cal. Civ. Code § 1798.140(d)(1)(A) (West 2020) (note that scope is only triggered if the organization buys, sells, or shares, the referenced quantity of data).

[17] Va. Code 59.1-572(A) (2022).

[18] C.R.S. § 6-1-1304(b)(II) (2022).

[19] Utah Code Ann. § 13-61-102(1)(c)(i) (2022).

[20] Connecticut Substitute Bill No. 6, § 2 (2022).

 

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 143

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425