
State-by-State Consumer Privacy Law Map: Which Regulations Apply to Your Business in 2025

CCPA, CPRA, VCDPA, CPA, CTDPA, and UCPA each define jurisdiction differently. This map breaks down which state privacy laws apply to your business.

Written by Anderson Hill
Legal Content Editor · April 24, 2026 · 8 min read


Thirteen US states currently enforce comprehensive consumer privacy statutes, and no two use identical jurisdictional thresholds. California's CPRA applies to businesses grossing $25 million annually or handling data on 100,000+ California residents (Cal. Civ. Code § 1798.140(d)). Virginia's CDPA sets the bar at 100,000 consumers or 25,000 sold consumer records (Va. Code § 59.1-575). Colorado's CPA triggers at 100,000 consumers or 25,000 sold records (C.R.S. § 6-1-1303(11)). The result is a compliance matrix where a Delaware-based SaaS company with 8,000 users might fall under zero laws, three laws, or six laws depending on revenue mix and data-sale activity.

This post maps the jurisdictional triggers for the six most commonly cited state privacy frameworks, identifies the structural differences that create compliance gaps, and outlines the minimum viable posture for an SMB operating across state lines.

California: CCPA and CPRA

The California Consumer Privacy Act took effect January 1, 2020. The California Privacy Rights Act (Proposition 24) amended CCPA in November 2020 and began enforcement on January 1, 2023. Both statutes apply to for-profit entities doing business in California that meet one of three thresholds:

  1. Annual gross revenue exceeding $25 million.
  2. Annual buying, selling, or sharing of personal information of 100,000 or more California residents or households.
  3. Deriving 50% or more of annual revenue from selling or sharing California residents' personal information.

(Cal. Civ. Code § 1798.140(d)). "Doing business in California" has no statutory definition under CPRA. The California Attorney General's 2020 guidance interprets the phrase broadly to include any entity with a physical presence, employees, or regular commercial activity targeting California consumers. A Delaware LLC with no California office but 12,000 California SaaS subscribers likely meets the second threshold.

CPRA added a fourth category: service providers and contractors that process California consumer data on behalf of a covered business. If your company processes data under a written contract with a CPRA-covered entity, you inherit certain obligations even if you don't independently meet the revenue or volume thresholds (Cal. Civ. Code § 1798.140(bg)).

Key compliance obligations include:

  • Honoring consumer requests to know, delete, correct, and opt out of sale/sharing.
  • Providing a "Do Not Sell or Share My Personal Information" link on the homepage if you sell or share data.
  • Conducting and documenting risk assessments for high-risk processing activities (effective March 29, 2023, per Cal. Civ. Code § 1798.185(a)(15)).

Per the California Privacy Protection Agency's 2024 enforcement report, 63% of investigated businesses failed to respond to consumer deletion requests within the 45-day statutory window.

Virginia: CDPA

The Virginia Consumer Data Protection Act became enforceable January 1, 2023. It applies to entities that conduct business in Virginia and during a calendar year either:

  1. Control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

(Va. Code § 59.1-575). "Conducting business in Virginia" mirrors California's broad interpretation. A Florida-based e-commerce platform shipping to 110,000 unique Virginia addresses annually meets the first threshold regardless of revenue.

Virginia's definition of "sale" excludes disclosures to processors or third parties for limited specified purposes (Va. Code § 59.1-571). This creates a narrower sale definition than California's. Sharing customer email addresses with a marketing automation platform under a data processing agreement does not constitute a sale under CDPA, but may constitute "sharing" under CPRA depending on whether the platform uses the data for cross-context behavioral advertising.

CDPA requires controllers to:

  • Honor consumer requests for access, deletion, correction, and portability.
  • Obtain opt-in consent for processing sensitive data (defined to include precise geolocation, health data, and biometric data for unique identification).
  • Provide a clear and conspicuous method to opt out of sales and targeted advertising.

Virginia grants a 30-day right to cure for first violations, provided the Attorney General issues written notice (Va. Code § 59.1-578(A)). The cure period sunsets January 1, 2025. After that date, the AG can file enforcement actions without prior notice.

Colorado: CPA

The Colorado Privacy Act took effect July 1, 2023. It applies to entities that conduct business in Colorado or produce products or services targeted to Colorado residents and that:

  1. Control or process the personal data of 100,000 or more Colorado residents per year, or
  2. Control or process the personal data of 25,000 or more Colorado residents and derive revenue from the sale of personal data.

(C.R.S. § 6-1-1303(11)). Unlike Virginia, Colorado does not require that sale-based revenue exceed 50% of total revenue. A SaaS company earning $200,000 annually from data sales and $8 million from subscription fees meets the second threshold if it handles data on 25,001 Colorado users.

Colorado's enforcement structure includes a mandatory 60-day cure period for all violations until January 1, 2025 (C.R.S. § 6-1-1313(1)(a)). After the cure period sunsets, the AG may seek civil penalties up to $20,000 per violation. The Colorado Department of Law issued its first Notice of Violation in September 2024, citing a Denver-based data broker for failure to honor 140 consumer deletion requests over an eight-month period.

CPA obligations largely mirror CDPA: access, deletion, correction, portability, opt-out of sales and targeted advertising, and opt-in consent for sensitive data. Colorado defines "sensitive data" to include data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data (C.R.S. § 6-1-1303(26)).

Connecticut: CTDPA

The Connecticut Data Privacy Act went into effect July 1, 2023. It applies to persons that conduct business in Connecticut and during a calendar year:

  1. Control or process the personal data of at least 100,000 Connecticut residents (excluding data controlled or processed solely to complete a payment transaction), or
  2. Control or process the personal data of at least 25,000 Connecticut residents and derive over 25% of gross revenue from the sale of personal data.

(Conn. Gen. Stat. § 42-515(7)). Connecticut's 25% revenue threshold is the lowest among comprehensive state privacy laws. A business earning $100,000 annually, with $26,000 derived from selling consumer lists, meets the second threshold if it processes data on 25,001 Connecticut residents.

CTDPA grants the Connecticut Attorney General exclusive enforcement authority, with civil penalties up to $5,000 per violation (Conn. Gen. Stat. § 42-517(a)). Like Colorado and Virginia, Connecticut included a cure period through December 31, 2024. The cure provision has now expired.

Connecticut's consumer rights include access, deletion, correction, portability, and opt-out of sales, targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. The profiling opt-out is broader than most state laws (Conn. Gen. Stat. § 42-513(a)(5)).

Utah: UCPA

The Utah Consumer Privacy Act became enforceable December 31, 2023. It applies to persons that conduct business in Utah and that:

  1. Have annual revenue of $25 million or more, and
  2. Either (a) control or process the personal data of 100,000 or more Utah residents, or (b) derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents.

(Utah Code § 13-61-101(4)). Utah is the only state requiring a minimum revenue threshold in addition to a data-volume threshold. A bootstrapped startup processing data on 120,000 Utah consumers but generating $18 million in annual revenue does not meet UCPA's jurisdictional test.

UCPA's consumer rights are more limited than peer statutes. Consumers may request access, deletion, and opt-out of sales and targeted advertising, but Utah does not mandate portability or correction rights (Utah Code § 13-61-201). Utah also does not require opt-in consent for sensitive data processing. The Division of Consumer Protection enforces UCPA, with civil penalties up to $7,500 per violation (Utah Code § 13-61-302(1)(b)).

Utah's cure period remains in effect until March 31, 2025, after which the Division may file enforcement actions without prior notice.

Montana, Oregon, Texas, and the 2024 Wave

Montana's Consumer Data Privacy Act (MCDPA), Oregon's Consumer Privacy Act (OCPA), and Texas's Data Privacy and Security Act (TDPSA) all took effect in 2024. Each adopts jurisdictional thresholds similar to Colorado and Virginia:

  • Montana and Oregon: 100,000 residents, or 25,000 residents plus over 25% revenue from data sales.
  • Texas: 100,000 residents, or 25,000 residents plus over 50% revenue from data sales.

Delaware, Iowa, Nebraska, New Hampshire, and New Jersey enacted comprehensive privacy laws in 2024 with effective dates ranging from January 2025 to January 2026. All five track the 100,000/25,000 consumer threshold model, with revenue-from-sales percentages between 25% and 50%.

By January 2026, at least 18 states will enforce comprehensive privacy statutes. No federal preemption legislation has advanced past committee since the American Data Privacy and Protection Act stalled in September 2022.

Determining Your Compliance Footprint

A seven-person SaaS company with 180,000 total users and $4 million in ARR should perform the following analysis:

  1. Segment active users by state of residence (use billing address, account registration data, or IP geolocation as a fallback).
  2. Identify states where user count exceeds 25,000 or 100,000 depending on applicable thresholds.
  3. Calculate the percentage of revenue derived from selling, sharing, or licensing customer data to third parties for their own commercial purposes.
  4. Determine whether the company meets each state's revenue floor (if applicable).
  5. Review contracts with data processors and subprocessors to identify whether you inherit obligations as a service provider under CPRA or similar provisions.

If your Utah user count is 97,000 and annual revenue is $4 million, you do not meet UCPA's $25 million revenue floor. If your California user count is 105,000, you meet CPRA's second threshold regardless of revenue. If you sell anonymized usage data to a market research firm for $80,000 annually (2% of revenue), you likely do not trigger the sale-based thresholds in any state, but you still meet the 100,000-consumer threshold in California and any other state where your user base exceeds that mark.
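The five-step analysis above can be turned into a repeatable screening check that is re-run each quarter against current user-state counts and revenue composition. The following is an added example written for this post, not code from the article or from any regulator; the threshold figures are the ones quoted in the sections above, the company figures are constructed for illustration, and the result is a screening aid only: it encodes the volume and revenue triggers, not the "doing business in" analysis, Connecticut's payment-transaction carve-out, or service-provider inheritance under CPRA.

```python
"""Jurisdictional-threshold screen for CPRA, CDPA, CPA, CTDPA and UCPA.

Added example; thresholds are as summarized in the article above. A True
result means the volume/revenue trigger is met and the statute needs a
closer look, not that every other applicability condition is satisfied.
"""
from dataclasses import dataclass, field


@dataclass
class Footprint:
    # Residents whose personal data you control or process, keyed by state code.
    users_by_state: dict = field(default_factory=dict)
    # Annual gross revenue, USD.
    gross_revenue: float = 0.0
    # Annual revenue from selling or sharing personal data, USD.
    data_sale_revenue: float = 0.0

    @property
    def sale_share(self) -> float:
        """Fraction of gross revenue derived from data sales (0.0 if no revenue)."""
        if self.gross_revenue <= 0:
            return 0.0
        return self.data_sale_revenue / self.gross_revenue

    def users(self, state: str) -> int:
        return int(self.users_by_state.get(state, 0))


def cpra_applies(fp: Footprint) -> bool:
    """California: any one of revenue > $25M, 100k+ residents, or >= 50% sale share."""
    return (fp.gross_revenue > 25_000_000
            or fp.users("CA") >= 100_000
            or fp.sale_share >= 0.50)


def cdpa_applies(fp: Footprint) -> bool:
    """Virginia: 100k residents, or 25k residents plus > 50% sale share."""
    va = fp.users("VA")
    return va >= 100_000 or (va >= 25_000 and fp.sale_share > 0.50)


def cpa_applies(fp: Footprint) -> bool:
    """Colorado: 100k residents, or 25k residents plus any data-sale revenue."""
    co = fp.users("CO")
    return co >= 100_000 or (co >= 25_000 and fp.data_sale_revenue > 0)


def ctdpa_applies(fp: Footprint) -> bool:
    """Connecticut: 100k residents, or 25k residents plus > 25% sale share."""
    ct = fp.users("CT")
    return ct >= 100_000 or (ct >= 25_000 and fp.sale_share > 0.25)


def ucpa_applies(fp: Footprint) -> bool:
    """Utah: $25M revenue floor AND (100k residents, or 25k plus > 50% sale share)."""
    ut = fp.users("UT")
    volume_test = ut >= 100_000 or (ut >= 25_000 and fp.sale_share > 0.50)
    return fp.gross_revenue >= 25_000_000 and volume_test


CHECKS = {
    "CPRA": cpra_applies,
    "CDPA": cdpa_applies,
    "CPA": cpa_applies,
    "CTDPA": ctdpa_applies,
    "UCPA": ucpa_applies,
}


def applicable_statutes(fp: Footprint) -> set:
    """Return the names of statutes whose volume/revenue trigger is met."""
    return {name for name, check in CHECKS.items() if check(fp)}


def example_company() -> Footprint:
    """Constructed SaaS company: $4M ARR, $80k (2%) from licensing usage data."""
    return Footprint(
        users_by_state={"CA": 105_000, "UT": 97_000, "CO": 20_000,
                        "CT": 10_000, "VA": 5_000},
        gross_revenue=4_000_000,
        data_sale_revenue=80_000,
    )


if __name__ == "__main__":
    fp = example_company()
    for name, check in CHECKS.items():
        print(f"{name}: {'triggered' if check(fp) else 'not triggered'}")
    print("Statutes to review:", sorted(applicable_statutes(fp)))
```

For the constructed company only CPRA is triggered: the 105,000 California users clear the 100,000 threshold regardless of revenue, the 97,000 Utah users fail UCPA's $25 million revenue floor, and a 2% sale share clears none of the percentage-based tests. Note how Colorado behaves differently from its peers: because the CPA requires only some revenue from data sales alongside 25,000 residents, the same $80,000 would trigger it as soon as the Colorado user count reaches 25,000.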

Per a 2024 survey by the International Association of Privacy Professionals, 41% of companies subject to multiple state privacy laws maintain separate compliance programs for each statute rather than adopting the most stringent standard across the board. This approach reduces over-compliance costs but increases operational complexity and audit risk. A unified privacy posture aligned with CPRA (the most demanding framework) simplifies vendor contracts, employee training, and third-party risk assessments.

State privacy laws continue to diverge on sensitive data definitions, cure provisions, private rights of action, and regulatory authority. Mapping your jurisdictional footprint is not a one-time project. When your Texas user base crosses 100,000 or your revenue mix shifts, your compliance obligations change. Review user-state distribution and revenue composition quarterly, not annually.

Editorial pipeline
Fact-checked by Anderson Hill, Legal Content Editor.
Legally reviewed by Jonathan Alfonso, Legal Counselor · Licensed Attorney.