RoutineMetric

US State Privacy Law Applicability Checker

Navigate the fragmented 2026 US state-level regulatory patchwork. Compare and evaluate entity status, thresholds, and triggers against statutory frameworks like CCPA, VCDPA, and TDPSA.

1. Company Global Metrics

$5.0M

Triggers California ($25M+), Utah ($25M+), Florida ($1B+), and SBA parameters.

0%

Affects threshold metrics across CA (50%), VA (50%), CT (25%), and UT (50%).

Is your entity recognized as an SBA Small Business?

Operates app store with >100k apps, voice assistant, or derives >50% from online ads.

2. Regulatory & Entity Exemptions

Broad carveouts (except CO)
Financial services
Healthcare/Medtech
Colleges & Universities

3. Geographic Footprints & Volume

Select jurisdictions where you process consumer data, then input approximate annual volume of distinct records.

Active (Non-profit update July 2025)
APPLICABLE LAWS: 0
EXEMPTIONS ACTIVATED: 1
NOT TRIGGERED: 3

Jurisdictional Threshold Evaluation Matrix (2026)

California: CCPA / CPRA

Not Met

Analysis: Does not meet the $25M revenue, 100k consumer volume, or 50% data monetization triggers.

Virginia: VCDPA

Not Met

Analysis: Does not process 100k consumers, or 25k consumers with 50%+ data monetization.

Colorado: CPA

Not Met

Analysis: Does not meet the 100k consumer threshold, or 25k consumer threshold + revenue from sales.

Texas: TDPSA

Exempt

Analysis: SBA Small Business exemption protects from general TDPSA obligations.

Action & Capability Obligations:
  • Critical Carve-out: Under TDPSA, even SBA Small Businesses are prohibited from selling sensitive personal data without prior opt-in consent.

Key Strategic Action Items

With multiple states having operational comprehensive privacy laws by 2026, privacy teams should transition away from custom one-off disclosures toward a unified compliance roadmap.

Universal Opt-Out Support

States like California, Colorado, Texas, and Connecticut mandate honoring Global Privacy Control (GPC) signals at the browser level. Integrate a compliant Consent Management Platform (CMP).

Unified DPIAs

Virginia, Colorado, Connecticut, and Texas require formal Data Protection Impact Assessments (DPIAs) before conducting profiling or targeted advertising campaigns.

Understanding US State Privacy Law Applicability & Thresholds (2026 Edition)

Consumer privacy in the United States is governed by a dynamic, complex patchwork of state-level statutes. Rather than a single federal baseline like the European Union's GDPR, US companies must navigate separate frameworks passed by individual state legislatures. Because these laws overlap in their consumer protections yet diverge on structural elements such as entity-level exemptions and statutory thresholds, determining which laws apply is an ongoing operational challenge for modern organizations.

Key Diagnostic Drivers

To evaluate whether your enterprise falls within the jurisdictional boundaries of these distinct laws, compliance practitioners assess three key metrics:

  • Global Gross Annual Revenue: Statutory thresholds often leverage flat-rate global gross revenues (e.g., California’s $25,000,000 trigger, or Florida’s $1,000,000,000 gatekeeper definition). Note that these limits refer to global corporate turnover, not merely revenue sourced within the state.
  • Data Processing and Monetization Volume: Most statutes apply rules when a firm processes records belonging to a target volume of resident consumers. A typical threshold is 100,000 residents. However, this count frequently drops down to 25,000 records if a substantial portion (usually 25% to 50%) of revenue is derived from transactional sales or monetization of that consumer information.
  • Entity-level Exemptions: Laws in Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA) grant broad, comprehensive entity-level exemptions to organizations subject to Gramm-Leach-Bliley Act (GLBA) frameworks or HIPAA regulations. Conversely, California (CCPA) primarily applies only narrow, data-level exemptions, meaning financial institutions or healthcare firms might still need to comply with CCPA for standard consumer marketing data.

The SBA Conundrum & Texas Exception

One of the most notable exceptions is the Texas Data Privacy and Security Act (TDPSA). Unlike other states, which use flat financial thresholds to exempt smaller companies, the TDPSA applies to any commercial entity doing business in the state unless that entity qualifies as a Small Business Administration (SBA) Small Business. However, the TDPSA includes an important operational carve-out: even small businesses are strictly prohibited from selling sensitive consumer data without first obtaining explicit opt-in consent.
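The diagnostic drivers and the Texas exception above can be expressed as a small rule table. This is an added example, not the checker's own code: it encodes only the thresholds stated on this page for the four states in the matrix, and the field names, the `>=` boundary handling and the sample record counts are assumptions.

```javascript
// Added example. Thresholds are only those stated on this page; field names
// are hypothetical, and treating "$25M+" as >= is an assumption.
const RULES = {
  // California: $25M revenue, 100k consumers, or 50% data monetization.
  CA: (e, n) => e.revenueUsd >= 25e6 || n >= 100000 || e.dataRevenuePct >= 50,
  // Virginia: 100k consumers, or 25k consumers with 50%+ data monetization.
  VA: (e, n) => n >= 100000 || (n >= 25000 && e.dataRevenuePct >= 50),
  // Colorado: 100k consumers, or 25k consumers plus revenue from sales.
  CO: (e, n) => n >= 100000 || (n >= 25000 && e.dataRevenuePct > 0),
  // Texas: no revenue or volume floor for entities doing business there.
  TX: () => true,
};

// Entity-level exemptions the page describes for these four states.
function exemption(state, e) {
  if (state === "VA" && (e.glba || e.hipaa)) return "GLBA/HIPAA entity-level exemption";
  if (state === "TX" && e.sbaSmallBusiness) return "SBA Small Business exemption";
  return null; // e.g. California: data-level exemptions only, no entity carve-out
}

function evaluate(e) {
  const matrix = {};
  for (const [state, rule] of Object.entries(RULES)) {
    const n = e.consumers[state];
    if (n === undefined) continue; // jurisdiction not selected
    const reason = exemption(state, e);
    const status = reason ? "Exempt" : rule(e, n) ? "Applicable" : "Not Met";
    const notes = [];
    // The TDPSA carve-out survives the small-business exemption.
    if (state === "TX" && reason) notes.push("No sale of sensitive data without prior opt-in consent");
    matrix[state] = { status, reason, notes };
  }
  return matrix;
}

function summarize(matrix) {
  const counts = { "Applicable": 0, "Exempt": 0, "Not Met": 0 };
  for (const { status } of Object.values(matrix)) counts[status] += 1;
  return counts;
}

// Constructed input mirroring the result shown above ($5.0M revenue, 0%
// data revenue, Texas SBA exemption); the per-state record counts are made up.
const sample = {
  revenueUsd: 5e6, dataRevenuePct: 0, sbaSmallBusiness: true, glba: false, hipaa: false,
  consumers: { CA: 12000, VA: 8000, CO: 30000, TX: 40000 },
};
console.log(evaluate(sample), summarize(evaluate(sample)));
```

Colorado stays "Not Met" at 30,000 records here because the lower 25,000 tier also requires revenue from sales.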

Implementing a Defense-in-Depth Privacy Program

As additional states continue to join the regulatory fray (including Colorado's updated oversight for non-profit entities), building distinct privacy routines for individual states is becoming untenable. Best practice is to adopt unified privacy notices, deploy universal opt-out processing mechanisms (such as the Global Privacy Control signal), and maintain active registers of processing activities (ROPA) so the program can scale quickly as new thresholds are met.