Which Privacy Laws Apply to Your Business?


Data privacy is on everyone’s minds lately, including lawmakers’. The result is an increasing number of new privacy laws going on the books every year. While the adoption of privacy protections and safeguards is a good thing for consumers overall, it can be quite a headache for businesses to figure out which of the laws even apply to them, let alone how to navigate multi-jurisdiction compliance.

Here is a rundown on the five privacy laws that are most likely to be on your radar: the EEA/UK’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA).

The General Data Protection Regulation

There are two primary ways the GDPR could apply to a business. These are:

  1. You have an establishment located in the EEA/UK.
    Unlike the U.S. state laws discussed below, this is based on a physical presence within the territory where the GDPR applies. An establishment means “effective and real exercise of activity through stable arrangements.” Obviously this applies if your business is based in the European Economic Area or UK, but also if you have a branch office, fulfillment center, or other similar, ongoing operations there.
  2. You are located outside the EEA/UK, but offer goods or services to those territories.
    This is the way that many small businesses can be pulled into the GDPR. However, “offering” your goods or services in the EEA/UK doesn’t mean that people there can simply view your site or even just that they can purchase your products. There has to be an intentional quality to it. For example, a retailer that shows prices in Euros and translates its site into German would likely be considered to be offering its goods in Germany.

If the GDPR applies to your business, compliance will be very different depending on which of these two options describes your situation. If you have an establishment in the EEA/UK, then the GDPR applies to all the data processing activities of that establishment, not just those that relate to EEA/UK residents. If your business just offers its goods or services in GDPR territory, the law only applies to the processing of the data of EEA/UK data subjects.

California Consumer Privacy Act

The California law takes quite a different approach to defining which businesses must comply with it. Most importantly, it does not matter where your business is located. Whether you are based in Sacramento or Tokyo, the CCPA applies to your business if it meets the following criteria:

  1. You do business in California
    This is a low bar to meet. If you regularly sell your products or offer your services in California, even if only online, then you are “doing business” there.
  2. You also meet at least one of these thresholds
    1. $25 million or more in annual gross revenue
      This refers to the total revenue of your business, not just revenue earned in California.
    2. Process the personal information of at least 50,000 California residents per year
      For many small and medium-sized businesses, this threshold is the one that will apply to them. It’s important not to underestimate how much personal information your business processes. If you have a website, it is almost certainly processing the data of every one of your site visitors in the form of IP addresses and other information. This threshold increases to 100,000 in 2023.
    3. Derive 50% or more of revenue from selling or sharing consumers’ personal information.
      Many businesses dismiss this threshold as not applying to them, but it’s more complicated than it appears. Using targeted or interest-based advertising is considered “sharing” information, so any sales connected to such advertising would therefore be derived from sharing personal information.

The CCPA has been enforceable since 2020, so if your business meets these criteria then you should get compliant as soon as possible to avoid large fines.

Virginia Consumer Data Protection Act

As more U.S. states pass their own privacy laws, it’s likely that many of them will be based on the “Virginia model,” and thus a similar analysis will apply. Your business will have to comply with the CDPA if it meets these requirements:

  1. You do business within the state
    Similar to the CCPA, this is a low bar. Regularly selling goods or offering services in Virginia, or otherwise targeting state residents, meets this requirement.
  2. You also meet at least one of these thresholds
    1. Process the personal data of at least 100,000 state residents per year
      This is similar to the CCPA, and as with the CCPA it’s important to count all of your unique website visitors.
    2. Process the personal data of at least 25,000 state residents annually and derive over 50% of revenue from the sale of data
      Similar to the CCPA’s third threshold, but with an added 25,000-consumer requirement. As with the CCPA, any sales connected to targeted or interest-based advertising are derived from the sale of personal data.

Notice that, unlike the CCPA, there is no annual revenue threshold. The Consumer Data Protection Act goes into effect on January 1, 2023.

Colorado Privacy Act

Colorado’s data privacy law borrows a lot of its wording and structure from the CDPA, but it’s not always a 1:1 match. Regarding which businesses must comply with the CPA, it’s actually significantly broader than the Virginia law. The CPA applies if:

  1. You do business in Colorado
    As with the CCPA and CDPA, regularly selling goods or offering services in Colorado, or otherwise targeting state residents, meets this requirement.
  2. You also meet at least one of these thresholds
    1. Process the personal data of at least 100,000 state residents per year
      This includes each unique Colorado visitor to your website.
    2. Process the personal data of at least 25,000 state residents per year and derive revenue from, or receive a discount on the price of goods or services in exchange for, the sale of personal data
      The use of targeted advertising is considered the sale of personal data, and any online purchase that results from that advertising could be considered as “derived” from that sale.

One more key factor to consider is that, unlike the California and Virginia laws, nonprofits are not exempt from the Colorado Privacy Act. There are other exemptions that may apply, such as for state institutions of higher education, but nonprofit organizations should look carefully at the CPA.

Utah Consumer Privacy Act

Utah’s privacy law was passed in 2022, and goes into effect on December 31, 2023. It bears a strong similarity to Virginia’s law, with slight differences that make it less stringent overall.

Here are the criteria to determine if the UCPA applies to your business:

  1. At least $25 million in annual revenue
    If your business does not meet this minimum revenue threshold, the UCPA does not apply.
  2. You do business in Utah
    Regularly selling goods or offering services in Utah, or otherwise targeting state residents, meets this requirement.
  3. You meet at least one of the following thresholds
    1. You control or process the personal data of at least 100,000 Utah residents in a year
    2. You control or process the personal data of at least 25,000 Utah residents in a year and derive 50% or more of your gross annual revenue from the sale of personal data

The UCPA also contains a long list of categories of organizations that are exempt, so that it is largely restricted to for-profit entities. The exemptions include governmental entities, nonprofit corporations, institutions of higher education, and more.

Simplified Compliance for SMBs

Do one or more of these data privacy regulations apply to your business? There’s no need to put off compliance and run the risk of incurring large fines. TrueVault Polaris brings privacy compliance within reach for businesses that don’t have the same legal resources as larger companies. Designed by attorneys, Polaris is an automated software that allows you to get compliant on your own in as little as a few hours, without expensive law firms or consultants. Schedule a demo to see how it works.