Which State Privacy Laws Apply to My Business?
2026-03-11 · Privio Team
With 20 states now enforcing comprehensive privacy laws — and more on the way — the first question every business needs to answer is simple: which laws apply to me?
The answer depends on a handful of factors. This guide walks you through them.
The Key Factors
1. Where Are Your Customers?
State privacy laws generally apply if you do business in the state or process personal data of residents in the state. You don't need a physical office there. If you run an e-commerce store that ships to Texas, the Texas Data Privacy and Security Act (TDPSA) may apply.
Key takeaway: If you serve customers nationwide, you could be subject to laws in every state that has one.
2. How Much Revenue Does Your Business Generate?
Some states have revenue thresholds:
| State | Revenue Threshold |
|---|---|
| California (CCPA) | $25M+ annual revenue |
| Utah (UCPA) | $25M+ annual revenue |
| Tennessee (TIPA) | $25M+ annual revenue |
Most other states — Virginia, Colorado, Connecticut, Texas, Oregon, and others — have no revenue threshold. Revenue alone doesn't exempt you.
3. How Many Consumers' Data Do You Process?
This is the most common trigger. Most states use a consumer count threshold:
| Threshold | States |
|---|---|
| No threshold | Texas, Nebraska |
| 25,000 consumers | Tennessee, Vermont |
| 35,000 consumers | Delaware, New Hampshire, Maryland, Rhode Island |
| 50,000 consumers | California*, Montana |
| 100,000 consumers | Virginia, Colorado, Connecticut, Iowa, Indiana, New Jersey, Minnesota, Kentucky, Oregon |
*California's threshold was raised from 50,000 households to 100,000 under the CPRA amendments.
Important: "Consumers" means residents of that state, not your total customer base. If you have 500,000 customers nationwide, a fraction of them in any given state might cross the threshold.
4. Do You Sell or Share Personal Data?
Several states have a lower consumer threshold if you derive revenue from selling personal data:
| State | Lower Threshold (with data sales) |
|---|---|
| Virginia (VCDPA) | 25,000 consumers + 50% revenue from data |
| Colorado (CPA) | 25,000 consumers + revenue from data |
| Connecticut (CTDPA) | 25,000 consumers + 25% revenue from data |
| Oregon (OCPA) | 25,000 consumers + 25% revenue from data |
| Minnesota (MNCDPA) | 25,000 consumers + 25% revenue from data |
| Indiana (INCDPA) | 25,000 consumers + 50% revenue from data |
| Kentucky (KCDPA) | 25,000 consumers + 50% revenue from data |
If you sell data, you're more likely to trigger applicability — even with a smaller customer base.
5. What Type of Data Do You Collect?
Processing sensitive data doesn't usually change whether a law applies, but it significantly affects your obligations. Under most state laws, sensitive data includes:
- Health and medical information
- Biometric data (fingerprints, facial recognition)
- Precise geolocation
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Children's data (under 13 or under 16, depending on the state)
- Genetic data
Most states require opt-in consent before processing sensitive data; California instead permits processing but gives consumers the right to limit how their sensitive personal information is used.
6. Are You a Nonprofit?
Almost all state privacy laws exempt nonprofits. The major exception:
- Oregon (OCPA) — Applies to nonprofits that meet the consumer threshold
If you're a nonprofit, you're likely exempt from most state privacy laws, but check Oregon specifically.
Quick Decision Flowchart
Here's a simplified way to think about it:
Step 1: Do you collect personal data from US consumers?
- No → You're likely not subject to any state privacy law
- Yes → Continue
Step 2: Do you do business nationwide (or in multiple states)?
- Yes → Assume you need to check every state with a privacy law
- No → Check only the states where you operate or have customers
Step 3: Check the thresholds for each applicable state:
- Revenue over $25M? → California, Utah, Tennessee likely apply
- Process data of 100K+ consumers in a state? → Most states apply
- Process data of 25K-35K+ consumers? → Delaware, NH, Maryland, RI, VT, TN, MT may apply
- No thresholds at all? → Texas, Nebraska apply to almost any business
Step 4: Do you sell personal data?
- Yes → Check the lower-threshold data sale triggers
- No → Standard thresholds apply
Common Scenarios
"We're a small SaaS company with $2M ARR and 10,000 users"
You're likely below most thresholds. But if you operate in Texas or Nebraska (no thresholds), those laws may still apply. And if your user base grows in specific states like Delaware or Vermont (35K and 25K thresholds), you'll need to pay attention.
"We're a mid-size e-commerce company with $30M revenue and 200,000 customers"
You almost certainly need to comply with California (CCPA), and likely 10+ other state laws depending on where your customers are located. This is exactly the scenario where a tool like Privio saves significant time.
"We're a data broker"
Nearly every state privacy law applies to you. Many states have additional data broker registration requirements beyond their general privacy laws.
"We only have B2B customers, not consumers"
Be careful — most state privacy laws define "consumer" as any natural person, not just retail customers. B2B contact data (name, email, phone of business contacts) is personal information under most state laws. California explicitly includes B2B data.
Stay on Top of Changes
New state privacy laws are being enacted every year. States that may pass laws in the near future include Pennsylvania, Massachusetts, New York, and others.