ARTICLE
20 August 2021

Comprehensive State Consumer Data Protection Acts: Part 1 – Do I Need To Comply?

LB
Levine, Blaszak, Block & Boothby

Contributor

Levine, Blaszak, Block & Boothby logo
Levine, Blaszak, Block & Boothby, LLP (“LB3”) and its affiliated consulting firm, TechCaliber Consulting (“TC2”), represent companies in their procurement of Information and Communication Technology (“ICT”) services, equipment, and software used to enable digital transformation strategies and business operations, including related regulatory advice, dispute resolution, and compliance counseling.
Explore
Every company doing business in California, Colorado, and Virginia needs to determine whether the states' new privacy laws impact their businesses and if so, what steps they need to take to comply with these new laws.
United States Privacy
Photo of D.E. Boehling
Photo of Laura F. H. McDonald
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

Every company doing business in California, Colorado, and Virginia needs to determine whether the states' new privacy laws impact their businesses and if so, what steps they need to take to comply with these new laws. In this part one of our series on the comprehensive state consumer data protection acts, we walk you through the thresholds for determining the applicability of the new laws.

There are specific thresholds for determining whether each state's law applies to your company. In Virginia and Colorado, business and commercial information is expressly excluded. Consumers are defined as individuals acting only in an individual or household context. In California, business information is presently exempt, but the exemption expires January 1, 2023. Generally, each state's law will apply to any entity that:

1139058a.jpg

California's CCPA applies to a broader range of businesses - any with $25M in annual revenue. Virginia and Colorado have fairly high thresholds, but do not have a separate revenue only threshold like the CCPA. All three are meant to capture medium to big businesses, or those in the business of selling personal data, not small, Mom-and-Pop operations.

The analysis of whether the laws impact your business doesn't end after the above factors are considered. Even if the criteria are met, the Virginia and Colorado Acts expressly exclude application to:

1139058b.jpg

What's Next?

If your business meets the criteria outlined in the first chart and does not meet one of the carve-outs set out in the second chart, you need to start planning for the 2023 mandates; and in the case of California, take immediate steps to ensure you comply. We walk though those requirements and steps to comply in the second and third articles in our series, but if you have any questions about the applicability of the laws to your business, please reach out to us or our colleagues here at LB3.

Learn more:

  • Part 2 - Your obligations under the Acts, and how to comply.
  • Part 3 - Enforcement regimes under the Acts, and how the Acts affect business agreements with IT and telecom providers.

You may also enjoy Deb and Laura's related two-part podcast on this subject:

  • Part 1 - Contracting obligations enterprises must follow to comply with these Acts.
  • Part 2 - What these Acts mean for enterprise buyers of technology.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.

Authors
Photo of D.E. Boehling
D.E. Boehling
Photo of Laura F. H. McDonald
Laura F. H. McDonald
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More