Data Privacy Laws by State: Comparison Charts

February 2, 2022

The newest U.S. data privacy laws have much in common—both with each other and with the laws from which they took their inspiration—but subtle differences may trip up even the most seasoned compliance professionals. Here, Bloomberg Law provides an easy-to-read comparison of U.S. data privacy laws by state, as well as a comparison of GDPR against the new U.S. data privacy laws in California, Virginia, and Colorado.

Figure: Map of data privacy laws by state

What are the basics?

Name
  GDPR: General Data Protection Regulation
  CCPA: California Consumer Privacy Act
  CPRA: California Privacy Rights Act
  VCDPA: Consumer Data Protection Act
  CPA: Colorado Privacy Act
Citation
  GDPR: EU/2016/679
  CCPA: Cal. Civ. Code § 1798.100 et seq.
  CPRA: Cal. Civ. Code § 1798.100 et seq.
  VCDPA: Va. Code § 59.1-571 et seq.
  CPA: Colo. Rev. Stat. § 6-1-1301 et seq.
Jurisdiction
  GDPR: European Union
  CCPA: California
  CPRA: California
  VCDPA: Virginia
  CPA: Colorado
Model
  GDPR: Opt-in
  CCPA: Opt-out
  CPRA: Opt-out
  VCDPA: Opt-out
  CPA: Opt-out
Sector
  GDPR: Non-sectoral
  CCPA: Non-sectoral
  CPRA: Non-sectoral
  VCDPA: Non-sectoral
  CPA: Non-sectoral
Effective date(s)
  GDPR: May 25, 2018
  CCPA: Jan. 1, 2020
  CPRA: Dec. 16, 2020; Jan. 1, 2023
  VCDPA: Jan. 1, 2023
  CPA: Jul. 1, 2023

U.S. data protection laws vs. GDPR

Whose data is protected?

Statutory term
  GDPR: Data subject
  CCPA: Consumer
  CPRA: Consumer
  VCDPA: Consumer
  CPA: Consumer
Defined as
  GDPR: Natural person in the EU
  CCPA: Natural person who is a CA resident
  CPRA: Natural person who is a CA resident
  VCDPA: Natural person who is a VA resident
  CPA: Individual who is a CO resident

What types of data are protected?

Statutory term
  GDPR: Personal data
  CCPA: Personal information
  CPRA: Personal information
  VCDPA: Personal data
  CPA: Personal data
Defined as
  GDPR: Any information relating to an identified or identifiable natural person
  CCPA: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
  CPRA: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
  VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person
  CPA: Information that is linked or reasonably linkable to an identified or identifiable individual
Definition excludes de-identified data
  GDPR: GDPR uses the term “pseudonymized,” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered personal data.
  CCPA: Yes, but see provisions regarding reidentification of deidentified information. Cal. Civ. Code § 1798.148.
  CPRA: Yes, but see provisions regarding reidentification of deidentified information. Cal. Civ. Code § 1798.148. Moreover, the CPRA authorizes the attorney general to update the definition of “deidentified.” Cal. Civ. Code § 1798.185(a).
  VCDPA: Yes, but special requirements apply to de-identified data. See Va. Code § 59.1-581.
  CPA: Yes, but special requirements apply to de-identified data. See Colo. Rev. Stat. § 6-1-1307.
Definition excludes publicly available information
  GDPR: No
  CCPA: Yes
  CPRA: Yes
  VCDPA: Yes
  CPA: Yes
Definition excludes aggregate information
  GDPR: Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes.
  CCPA: Yes
  CPRA: Yes
  VCDPA: Not specified
  CPA: Not specified

GDPR

The General Data Protection Regulation, or GDPR, defines the data subject as a natural person in the European Union (EU). The personal data covered by the law is defined as any information relating to an identified or identifiable natural person. It excludes ‘pseudonymised’ data, but does not exclude publicly available data. Recital 162 indicates that GDPR applies to the processing of personal data for statistical purposes.

CCPA

The California Consumer Privacy Act (CCPA) protects the consumer, which is defined as a natural person who is a California resident. CCPA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA excludes de-identified data, publicly available information, and aggregate information.

CPRA

The California Privacy Rights Act (CPRA) protects the consumer, which is defined as a natural person who is a California resident. CPRA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It excludes de-identified data, publicly available information, and aggregate information.

VCDPA

The Virginia Consumer Data Protection Act, or VCDPA, protects the consumer, which is defined as a natural person who is a Virginia resident. It protects personal information, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. The VCDPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.

CPA

The Colorado Privacy Act (CPA) protects the consumer, which is defined as an individual who is a Colorado resident. It protects personal data, which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The CPA excludes de-identified data and publicly available data. It does not specify if aggregate information is excluded.


Who must comply with each data privacy law?

Jurisdictional threshold
  GDPR: Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior
  CCPA: “Does business” in California
  CPRA: “Does business” in California
  VCDPA: “Conduct business” in Virginia or produce products or services “targeted” to Virginia residents
  CPA: “Conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents
Revenue threshold
  GDPR: None
  CCPA: Annual gross revenues greater than $25 million
  CPRA: Annual gross revenues greater than $25 million in the preceding calendar year
  VCDPA: None
  CPA: None
Processing threshold
  GDPR: None
  CCPA: Data of 50,000 or more consumers
  CPRA: Data of 100,000 or more consumers
  VCDPA: Data of 100,000 or more consumers
  CPA: Data of 100,000 or more consumers
Broker threshold
  GDPR: None
  CCPA: At least 50% of revenue from selling data
  CPRA: At least 50% of revenue from selling or sharing data
  VCDPA: Data of 25,000 or more consumers and at least 50% of revenue from sale of data
  CPA: Data of 25,000 or more consumers and derives revenue or receives a discount from sale of data

GDPR

GDPR requires compliance by any entity that processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior. There is no revenue threshold, processing threshold, or broker threshold.

CCPA

CCPA applies to entities that “do business” in California and meet the following thresholds:

  • annual gross revenues greater than $25 million;
  • processing the data of 50,000 or more consumers;
  • deriving at least 50% of revenue from selling data.

CPRA

CPRA applies to entities that “do business” in California and meet the following thresholds:

  • annual gross revenues greater than $25 million in the preceding calendar year;
  • processing the data of 100,000 or more consumers;
  • deriving at least 50% of revenue from selling or sharing data.

VCDPA

VCDPA applies to entities that “conduct business” in Virginia or produce products or services “targeted” to Virginia residents. There is no revenue threshold, but the law only applies to entities that process the data of 100,000 or more consumers, or to companies that process the data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of that data.

CPA

CPA applies to any entity that “conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents. Entities must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds address a minimum number of affected consumers. Entities must control or process (i) the personal data of at least 100,000 consumers, or (ii) the personal data of at least 25,000 consumers, while deriving revenue or receiving a discount from the sale of that data.




What are the consequences for non-compliance?

Non-compliance
  GDPR: Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
  CCPA: In actions brought by the AG, civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
  CPRA: Administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
  VCDPA: If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.
  CPA: For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice.

GDPR

The consequences of non-compliance with GDPR are administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

CCPA

In actions brought by the Attorney General, CCPA violators face civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the consequences are statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

CPRA

The consequences of non-compliance with CPRA are administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the penalty is statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

VCDPA

If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the Attorney General, the Attorney General may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.

CPA

For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice.


