
A Blog About FTC regulations and happenings

Ready, Set, Go: More States Adopt Privacy Laws
July 18, 2023

By: Nicole Kardell

If you blinked over the past couple of months, you may have missed it: the number of U.S. states that have adopted privacy laws has more than doubled. We are now up to 11 states (not including Nevada, which has a narrow privacy law on the books) with privacy frameworks. Fortunately, there seems to be quite a bit of crossover, at least when it comes to thresholds that companies must meet in order to trigger compliance requirements. We provide below a chart that summarizes those thresholds, including whether non-profits are exempted from compliance (a fairly common question we are asked).

We also encourage you to periodically review the IAPP's useful tracker on state-by-state developments.

  State  Bill Title/Effective Date  Thresholds  Application to Non-Profits 
1  California

California Consumer Privacy Act / Effective Jan. 1, 2020
California Privacy Rights Act / Effective Jan. 1, 2023

  1. If as of January 1 of the calendar year, you had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
  2. If you alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households.
  3. If you derive 50 percent or more of your annual revenues from selling or sharing consumers’ personal information.

NOTE: California has several privacy laws, including its “Shine the Light” law, which applies if you have more than 20 employees.

Does NOT apply to nonprofit organizations.
2  Colorado 

Colorado Privacy Act / Effective July 1, 2023

  1. If, during a calendar year, you control or process personal data of 100,000 or more Colorado residents; or
  2. If you both derive revenue or receive discounts from selling personal data and process or control the personal data of 25,000 or more Colorado residents.
DOES apply to nonprofit organizations.
3  Connecticut 

Connecticut Data Privacy Act / Effective July 1, 2023

If you conduct business in Connecticut or produce products or services that are targeted to residents of the state, and you control or process the personal data of a particular number of residents, namely either:

  1. 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
  2. 25,000 or more Connecticut residents, where you derive more than 25% of your gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.
4  Indiana 

Indiana Consumer Data Protection Act / Effective Jan. 1, 2026

If you conduct business in Indiana or produce products or services targeted to residents of Indiana and, during a calendar year, you:

  1. Control or process personal data of at least 100,000 consumers or
  2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.
5  Iowa 

Iowa Consumer Data Protection Act / Effective Jan. 1, 2025

If you conduct business in Iowa or produce products or services targeted to residents of Iowa and, during a calendar year, you:

  1. Control or process personal data of at least 100,000 consumers or
  2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.
6  Montana 

Montana Consumer Data Privacy Act / Effective Oct. 1, 2024

If you conduct business in Montana or produce products or services targeted to residents of Montana and, during a calendar year, you:

  1. Control or process personal data of not less than 50,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction, or
  2. Control or process personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.
7  Oregon

Oregon Consumer Privacy Act / Effective July 1, 2024

If you conduct business in Oregon or provide products or services to residents of Oregon and, during a calendar year, you control or process:

  1. The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices; or
  2. The personal data of 25,000 or more consumers, while deriving 25 percent or more annual gross revenue from selling personal data.
Only exempts certain nonprofit organizations (see below); WILL apply to most nonprofit organizations after July 1, 2025

Exemption applies ONLY to:

  1. a nonprofit established to detect and prevent fraudulent acts in connection with insurance, and
  2. the non-commercial activity of a nonprofit organization that provides programming to radio or television networks
8  Tennessee

Tennessee Information Protection Act / Effective July 1, 2025

If you conduct business in Tennessee or produce products or services targeted to residents of Tennessee and, during a calendar year, you:

  1. Control or process personal data of at least 100,000 consumers or
  2. Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.
9  Texas 

Texas Data Privacy and Security Act / Effective July 1, 2024

  1. If you conduct business in Texas or produce products or services consumed by residents of Texas;
  2. Process or engage in the sale of personal data; and
  3. Are not a small business, as defined by the U.S. Small Business Administration, except to the extent Section 541.07 applies. (See SBA size standards at https://www.sba.gov/document/support-table-size-standards). 
Does NOT apply to nonprofit organizations.
10  Utah

Utah Consumer Privacy Act / Effective Dec. 31, 2023

If you have annual revenues of at least $25 million and meet one of two threshold requirements:

  1. Annually control or process the personal data of 100,000 or more Utah residents (“consumers”); or
  2. Derive over 50 percent of gross revenue from the “sale” of personal data and control or process personal data of 25,000 or more consumers.
Does NOT apply to nonprofit corporations.
11  Virginia 

Virginia Consumer Data Protection Act / Effective Jan. 1, 2023

  1. If you control or process the personal data of at least 100,000 consumers during a calendar year or
  2. Control or process the personal data of at least 25,000 consumers and derive at least 50% of your gross revenue from the sale of personal data.
Does NOT apply to nonprofit organizations.

Nicole Kardell

Nicole is a certified privacy professional with expertise in European privacy law (CIPP/E), in particular the GDPR. She helps companies to navigate the changing face of privacy regulations and to keep their business practices and partnerships in compliance with the law both domestically and abroad.