Data Privacy Laws by State: Comparison Charts
February 2, 2022
The newest U.S. data privacy laws have much in common—both with each other and with the laws from which they took their inspiration—but subtle differences may trip up even the most seasoned compliance professionals. Here, Bloomberg Law provides an easy-to-read comparison of U.S. data privacy laws by state, as well as comparing GDPR against the new U.S. data privacy laws in California, Virginia, and Colorado.

What are the basics?
| | GDPR | CCPA | CPRA | VCDPA | CPA |
|---|---|---|---|---|---|
| Name | General Data Protection Regulation | California Consumer Privacy Act | California Privacy Rights Act | Consumer Data Protection Act | Colorado Privacy Act |
| Citation | EU/2016/679 | Cal. Civ. Code § 1798.100 et seq. | Cal. Civ. Code § 1798.100 et seq. | Va. Code § 59.1-571 et seq. | Colo. Rev. Stat. § 6-1-1301 et seq. |
| Jurisdiction | European Union | California | California | Virginia | Colorado |
| Model | Opt-in | Opt-out | Opt-out | Opt-out | Opt-out |
| Sector | Non-sectoral | Non-sectoral | Non-sectoral | Non-sectoral | Non-sectoral |
| Effective date(s) | May 25, 2018 | Jan. 1, 2020 | Dec. 16, 2020; Jan. 1, 2023 | Jan. 1, 2023 | Jul. 1, 2023 |
U.S. data protection laws vs. GDPR
| | GDPR | CCPA | CPRA | VCDPA | CPA |
|---|---|---|---|---|---|
| **Whose data is protected?** | | | | | |
| Statutory term | Data subject | Consumer | Consumer | Consumer | Consumer |
| Defined as | Natural person in the EU | Natural person who is a CA resident | Natural person who is a CA resident | Natural person who is a VA resident | Individual who is a CO resident |
| **What types of data are protected?** | | | | | |
| Statutory term | Personal data | Personal information | Personal information | Personal data | Personal data |
| Defined as | Any information relating to an identified or identifiable natural person | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | Any information that is linked or reasonably linkable to an identified or identifiable natural person | Information that is linked or reasonably linkable to an identified or identifiable individual |
| Definition excludes de-identified data | GDPR uses the term “pseudonymized” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered personal data. | Yes, but see provisions regarding reidentification of deidentified information. Cal. Civ. Code § 1798.148. | Yes, but see provisions regarding reidentification of deidentified information. Cal. Civ. Code § 1798.148. Moreover, the CPRA authorizes the attorney general to update the definition of “deidentified.” Cal. Civ. Code § 1798.185(a). | Yes, but special requirements apply to de-identified data. See Va. Code § 59.1-581. | Yes, but special requirements apply to de-identified data. See Colo. Rev. Stat. § 6-1-1307. |
| Definition excludes publicly available info | No | Yes | Yes | Yes | Yes |
| Definition excludes aggregate info | Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes. | Yes | Yes | Not specified | Not specified |
GDPR
The General Data Protection Regulation, or GDPR, defines the data subject as a natural person in the European Union (EU). The personal data covered by the law is defined as any information relating to an identified or identifiable natural person. It excludes ‘pseudonymised’ data, but does not exclude publicly available data. Recital 162 indicates that GDPR applies to the processing of personal data for statistical purposes.
CCPA
The California Consumer Privacy Act (CCPA) protects the consumer, which is defined as a natural person who is a California resident. CCPA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA excludes de-identified data, publicly available information, and aggregate information.
CPRA
The California Privacy Rights Act (CPRA) protects the consumer, which is defined as a natural person who is a California resident. CPRA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It excludes de-identified data, publicly available information, and aggregate information.
VCDPA
The Virginia Consumer Data Protection Act, or VCDPA, protects the consumer, which is defined as a natural person who is a Virginia resident. It protects personal information, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. The VCDPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.
CPA
The Colorado Privacy Act (CPA) protects the consumer, which is defined as an individual who is a Colorado resident. It protects personal data, which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The CPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.
Who must comply with each data privacy law?
| | GDPR | CCPA | CPRA | VCDPA | CPA |
|---|---|---|---|---|---|
| Jurisdictional threshold | Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior | “Does business” in California | “Does business” in California | “Conducts business” in Virginia or produces products or services “targeted” to Virginia residents | “Conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents |
| Revenue threshold | None | Annual gross revenues greater than $25 million | Annual gross revenues greater than $25 million in preceding calendar year | None | None |
| Processing threshold | None | Data of 50,000 or more consumers | Data of 100,000 or more consumers | Data of 100,000 or more consumers | Data of 100,000 or more consumers |
| Broker threshold | None | At least 50% of revenue from selling of data | At least 50% of revenue from selling or sharing of data | Data of 25,000 or more consumers + at least 50% of revenue from sale of data | Data of 25,000 or more consumers + derives revenue or receives discount from sale of data |
GDPR
GDPR requires compliance by any entity that processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior. There is no revenue threshold, processing threshold, or broker threshold.
CCPA
CCPA applies to entities that “do business” in California that meet the following thresholds:
- annual gross revenues greater than $25 million,
- process the data of 50,000 or more consumers,
- at least 50% of revenue comes from selling of data.
CPRA
CPRA applies to entities that “do business” in California that meet the following thresholds:
- annual gross revenues greater than $25 million in preceding calendar year,
- process data of 100,000 or more consumers,
- at least 50% of revenue comes from selling or sharing data.
VCDPA
VCDPA applies to entities that “conduct business” in Virginia or produce products or services “targeted” to Virginia residents. There is no revenue threshold, but the law only applies to entities that process the data of 100,000 or more consumers, or to companies that process the data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of that data.
CPA
CPA applies to any entity that “conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents. Entities must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers, or (ii) the personal data of at least 25,000 consumers, while deriving revenue or receiving a discount from the sale of that data.
What are the consequences for non-compliance?
| | GDPR | CCPA | CPRA | VCDPA | CPA |
|---|---|---|---|---|---|
| Non-compliance | Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. | In actions brought by the AG, civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. | Administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. | If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation. | For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice. |
GDPR
The consequences of non-compliance with GDPR are administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
CCPA
In actions brought by the Attorney General, CCPA violators face civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the consequences are statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
CPRA
The consequences of non-compliance with CPRA are administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the penalty is statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
VCDPA
If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.
CPA
For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice.