Over the past few years, 20 U.S. states have passed or implemented new consumer privacy laws—a rapidly growing patchwork of state laws that deserves close attention from legal and compliance teams. While some of these laws align with the California Consumer Privacy Act (CCPA), others differ in meaningful ways, particularly with respect to how and when they apply.
This article highlights key differences and similarities of current U.S. state consumer privacy laws.
Thresholds
Revenue Thresholds
A common assumption about consumer privacy laws is that they only apply to companies which meet or exceed a certain revenue threshold. However, currently only three states include a minimum threshold for applicability:
- California1 ($26.25 million in annual gross revenue);
- Florida2 ($1 billion in global annual revenue); and
- Tennessee3 ($25 million in annual revenue).
Processing or Sale Thresholds
Although those states with revenue thresholds also have processing thresholds, other states focus on processing thresholds rather than revenue-based ones.
The most common processing thresholds (adopted by Indiana, Iowa, Kentucky, Oregon, Utah and Virginia) are as follows:
- Controls or processes the personal data of at least 100,000 state residents; or
- Controls or processes the personal data of at least 25,000 state residents and derives over 50% of gross revenue from the sale of personal data.
Other states have adopted a similar approach, focusing only on processing and/or sales thresholds, but with varying threshold amounts.
No revenue or processing/sale threshold
Interestingly, 2 states, Nebraska and Texas, have no revenue or processing/sale thresholds. Instead, these consumer privacy laws apply more broadly to companies that:
- Conduct business or produce a product or service consumed by their residents;
- Process or engage in the sale of personal data; and
- Are not considered a "small business" under the federal Small Business Act.4
Texas has been actively enforcing its new privacy law, having launched investigations starting in January 2025.
Exemptions
In addition to thresholds that help determine the applicability of these U.S. state consumer privacy laws, many of the laws include broad exemptions, some of which are noted below:
B2B data
- At present, California is the only state that does not exempt B2B data from its consumer privacy law, the CCPA.
Employee data
- Similarly, California does not exempt employment data. While other states provide this exemption, Colorado's employee data exemption does not apply to the "processing of biometric identifiers of employees/prospective employees and when employers may require consent to process as a condition of employment." 5
De-identified and Aggregate data
- Currently, all state consumer privacy laws exempt de-identified data.
- Only California, Florida, Indiana, Iowa, Rhode Island, Tennessee and Utah exempt aggregate data from their consumer privacy laws.
Nonprofit Organizations
- Colorado and New Jersey's consumer privacy laws do not exempt any nonprofits.
- Other states, such as Delaware6, Maryland7, Minnesota8 and Oregon9 only exempt those nonprofit organizations that are focused on insurance fraud prevention, or nonprofits with specific missions.
- Indiana's nonprofit exemption extends only to organizations that are exempt under Internal Revenue Code sections 501(c)(3), 501(c)(6) or 501(c)(19).
Higher Educational Institutions
- California, Delaware, Maryland, Minnesota, New Jersey and Oregon do not specifically exempt higher-education institutions. Colorado's exemption is limited to information maintained by postsecondary institutions.
- Higher educational institutions may be exempt from these state consumer privacy laws if they are also a government instrumentality or a nonprofit organization (depending on the state).
Amendments
It is worth noting that some states have already amended their new consumer privacy laws. For example, amendments to Oregon's consumer privacy law were signed by the governor on June 3, 2025. This amendment "prohibit[s] controllers from processing personal data for the purposes of targeted advertising, or selling personal data that pertains to a consumer, if the controller has actual knowledge, or disregards knowledge of whether, a consumer is under 16 years of age or if the personal data accurately identifies within a radius of 1,750 feet a consumer's present or past location or the present or past location of a device that links or is linkable to the consumer."
Connecticut is also in the process of amending its consumer privacy law. Companies may want to keep an eye on these pending amendments.
What This Means for You
With the expanding number of state consumer privacy laws (20 and counting), it is important to understand how the applicability, exemptions, and thresholds vary considerably from state to state. In doing so, you can determine how to best comply with the various requirements.
Footnotes
1 See updated CCPA thresholds.
2 See definition of Controller in the Florida Digital Bill of Rights.
3 https://www.tn.gov/attorneygeneral/news/2025/4/30/pr25-25.html
4 Although small businesses as defined by the federal Small Business Administration are generally exempt from the TX and NE laws, if a small business sells the sensitive data of a consumer, it must first obtain the consumer's consent.
5 See Colo. Rev. Stat. § 6-1-1314
6 Nonprofit organizations "dedicated exclusively to preventing and addressing insurance crime" and nonprofit organizations that provide services to victims of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking. See Del. HB 154 § 12D-103(b)(3) & (c)(13).
7 Nonprofit controller that "processes or shares personal data solely for the purposes of assisting: law enforcement agencies in investigating criminal or fraudulent acts relating to insurance; or first responders in responding to catastrophic events." See Md. SB 541 § 14-4603(A)(4).
8 Nonprofit organization that is "established to detect and prevent fraudulent acts in connection with insurance." See Minnesota Consumer Data Privacy Act, § 235O.03(2)(a)(20).
9 Nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance or that provides programming to radio or television services. See Ore. SB 619 § 2(r) and (s)(C). Oregon's law goes into effect for nonprofit organizations on July 1, 2025.