A guide to US data privacy laws and who must comply
When Europe enacted the GDPR (General Data Protection Regulation) in 2018, calls for the United States to enact a similar data privacy law grew. Unfortunately, every attempt to create a federal law has failed to pass thus far. So, rather than wait for the federal government to pass a national law, individual states took it upon themselves to establish state data privacy laws.
As of September 2024, 20 states have passed data privacy laws, and 10 more have bills that have not yet passed. This complicates things significantly for any US business that targets customers in multiple states, which is just about any business that operates online, unless its goods and/or services are strictly regional. Each state has its own thresholds for which businesses are impacted and its own set of requirements and penalties.
This article distills these down so you can get a faster picture of whether your business is required to comply with any state’s data privacy law. Three key criteria typically determine who must comply: gross revenue/business size, the number of consumer records your business processes, and the amount of revenue generated from the sale/sharing of personal data. If your business meets any one of these criteria, you will be required to comply.
Business size / revenue
To determine which businesses must comply with data privacy laws, some states use the size of a business (number of employees), while others use gross revenue.
Gross Revenue
Only a few states have a gross revenue threshold in their data privacy law – California, Utah, Tennessee, and Florida. California, Utah, and Tennessee have a gross annual revenue threshold of $25 million, while Florida’s is $1 billion. The big distinction that makes California stricter than the others is that California is the only state where gross revenue is an automatic threshold. In other words, if your business has an annual gross revenue exceeding $25 million, you must comply with the data privacy law. The other states combine the revenue stipulation with a minimum number of records processed or sold.
Business size
Instead of a revenue provision, a couple of states have created a provision based on business size. In Texas, for example, any business that qualifies as a small business (according to the SBA) is exempt. Nebraska is another state with such a provision.
Control and processing of personal information
This is a provision that every state data privacy law features. For most states, the magic number is 100,000: if your business processes the personal information of 100,000 consumers, you must comply. However, some smaller states set a lower bar. Montana’s threshold is 50k, while Delaware, New Hampshire, Maryland, and Rhode Island are all at 35k.
Colorado, however, includes a provision that if you collect any revenue from the sale of personal data, this number drops from 100k to 25k.
Residents vs. total records
One important thing to note is that some data privacy laws do state that this number applies to residents of that state. But most do not include this specific statement. So, you are better off assuming that the number applies to total records processed. In short, if you process the personal information of more than 35k consumers, you must comply.
Sale of personal data
This area is where state laws vary quite a bit. Most cite the percentage of gross revenue coming from the sale of personal data. However, some states (Colorado, New Jersey, and Texas) do not establish such a qualifier. As noted above, Colorado’s law is applicable if you process or control 100k records. But if you sell that data, the number drops to 25k. New Jersey has the same stipulation. In the case of Texas, if you do not qualify as a small business and sell personal data, you must comply with state data privacy laws.
State data privacy law threshold breakdown
If your business operates online and isn’t exclusively regional, you are potentially targeting consumers of every state. Looking at the key areas noted above, below is a list of the lowest thresholds across all state data privacy laws. If your business meets any one of these, you should make the necessary adjustments to make sure your website and your business are compliant.
Baseline US data privacy law thresholds
- Revenue – $25 million
- Business size – If you do not qualify as a small business according to SBA guidelines
- Records controlled or processed (but do not sell) – 25,000
- Records controlled/processed (and do sell) – Any
Summary
Until a federal data privacy law is established in the United States, the waters will only get further muddied as new states continue to create their own laws. It’s unlikely that the United States will adopt a law as strict as Europe’s GDPR, which affects any business. But we always prefer to err on the side of caution. As such, we recommend that any business that controls or processes personal information comply with data privacy law requirements. And since it remains the strictest law in the country thus far, we recommend following the CPRA regulations. If your business potentially markets to a European audience, you should strongly consider adhering to GDPR standards. It’s important to have a clear understanding of where your business stands when it comes to data privacy compliance.
If you have questions about data privacy, and what changes you might need to make to your website, please feel free to get in touch with us.