ARTICLE
17 June 2025

Insights On U.S. State Consumer Privacy Laws

Outside GC

Contributor

OGC is a unique law firm that offers the relationship and experience of a traditional law firm with the cost savings and speed of an ALSP. By combining top-notch legal talent and significant business acumen, we deliver the value and efficiency of an in-house lawyer, without adding to our client’s headcount or sacrificing quality.

Over the past few years, 20 U.S. states have passed or implemented new consumer privacy laws—a rapidly growing patchwork of state laws that deserves close attention from legal and compliance teams. While some of these laws align with the California Consumer Privacy Act (CCPA), others differ in meaningful ways, particularly with respect to how and when they apply.

This article highlights key differences and similarities of current U.S. state consumer privacy laws.

Thresholds

Revenue Thresholds

A common assumption about consumer privacy laws is that they only apply to companies that meet or exceed a certain revenue threshold. However, currently only three states include a minimum revenue threshold for applicability:

  • California¹ ($26.25 million in annual gross revenue);
  • Florida² ($1 billion in global annual revenue); and
  • Tennessee³ ($25 million in annual revenue).

Processing or Sale Thresholds

Although those states with revenue thresholds also have processing thresholds, other states focus on processing thresholds rather than revenue-based ones.

The most common processing thresholds (adopted by Indiana, Iowa, Kentucky, Oregon, Utah and Virginia) are as follows:

  • Controls or processes the personal data of at least 100,000 state residents; or
  • Controls or processes the personal data of at least 25,000 state residents and derives over 50% of gross revenue from the sale of personal data.

Other states have adopted a similar approach, focusing only on processing and/or sales thresholds, but with varying threshold amounts.

No revenue or processing/sale threshold

Interestingly, 2 states, Nebraska and Texas, have no revenue or processing/sale thresholds. Instead, these consumer privacy laws apply more broadly to companies that:

  • Conduct business or produce a product or service consumed by their residents;
  • Process or engage in the sale of personal data; and
  • Are not considered a "small business" under the federal Small Business Act.⁴

Texas has been actively enforcing its new privacy law, having launched investigations starting in January 2025.

Exemptions

In addition to thresholds that help determine the applicability of these U.S. state consumer privacy laws, many of the laws include broad exemptions, some of which are noted below:

B2B data

  • At present, California is the only state that does not exempt B2B data from its consumer privacy law, the CCPA.

Employee data

  • Similarly, California does not exempt employment data. While other states provide this exemption, Colorado's employee data exemption does not apply to the "processing of biometric identifiers of employees/prospective employees and when employers may require consent to process as a condition of employment."⁵

De-identified and Aggregate data

  • Currently, all state consumer privacy laws exempt de-identified data.
  • Only California, Florida, Indiana, Iowa, Rhode Island, Tennessee and Utah exempt aggregate data from their consumer privacy laws.

Nonprofit Organizations

  • Colorado and New Jersey's consumer privacy laws do not exempt any nonprofits.
  • Other states, such as Delaware⁶, Maryland⁷, Minnesota⁸ and Oregon⁹, only exempt those nonprofit organizations that are focused on insurance fraud prevention, or nonprofits with specific missions.
  • Indiana's nonprofit exemption extends only to organizations that are exempt under Internal Revenue Code sections 501(c)(3), 501(c)(6) or 501(c)(19).

Higher Educational Institutions

  • California, Delaware, Maryland, Minnesota, New Jersey and Oregon do not specifically exempt higher-education institutions. Colorado's exemption is limited to information maintained by postsecondary institutions.
  • Higher educational institutions may be exempt from these state consumer privacy laws if they are also a government instrumentality or a nonprofit organization (depending on the state).

Amendments

It is worth noting that some states have already amended their new consumer privacy laws. For example, amendments to Oregon's consumer privacy law were signed by the governor on June 3, 2025. This amendment "prohibit[s] controllers from processing personal data for the purposes of targeted advertising, or selling personal data that pertains to a consumer, if the controller has actual knowledge, or disregards knowledge of whether, a consumer is under 16 years of age or if the personal data accurately identifies within a radius of 1,750 feet a consumer's present or past location or the present or past location of a device that links or is linkable to the consumer."

Connecticut is also in the process of amending its consumer privacy law. Companies may want to keep an eye on these pending amendments.

What This Means for You

With the expanding number of state consumer privacy laws (20 and counting), it is important to understand how the applicability, exemptions, and thresholds vary considerably from state to state. In doing so, you can determine how to best comply with the various requirements.

Footnotes

1 See updated CCPA thresholds.

2 See definition of Controller in the Florida Digital Bill of Rights.

3 https://www.tn.gov/attorneygeneral/news/2025/4/30/pr25-25.html

4 Although small businesses as defined by the federal Small Business Administration are generally exempt from the Texas and Nebraska laws, if a small business sells the sensitive data of a consumer, it must first obtain the consumer's consent.

5 See Colo. Rev. Stat. § 6-1-1314

6 Nonprofit organizations "dedicated exclusively to preventing and addressing insurance crime" and nonprofit organizations that provide services to victims of child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking. See Del. HB 154 § 12D-103(b)(3) & (c)(13).

7 Nonprofit controller that "processes or shares personal data solely for the purposes of assisting: law enforcement agencies in investigating criminal or fraudulent acts relating to insurance; or first responders in responding to catastrophic events." See Md. SB 541 § 14-4603(A)(4).

8 Nonprofit organization that is "established to detect and prevent fraudulent acts in connection with insurance." See Minnesota Consumer Data Privacy Act, § 235O.03(2)(a)(20).

9 Nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance or that provides programming to radio or television services. See Ore. SB 619 § 2(r) and (s)(C). Oregon's law goes into effect for nonprofit organizations on July 1, 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
