Who Needs to Comply with CCPA, CDPA, CPA, and GDPR?Download Infographic
California Consumer Privacy Act (CCPA)
Effective January 1, 2020*
is privacy legislation passed by the state of California and in some respects modeled after GDPR.
Virginia Consumer Data Protection Act (CDPA)
Effective July 31, 2022
is privacy legislation passed by the state of Virginia and in some respects modeled after GDPR and CCPA.
Colorado Privacy Act (CPA)
Effective January 1, 2023
is privacy legislation passed by the state of Colorado and in some respects modeled after GDPR, CDPA, and CCPA.
General Data Protection Regulation (GDPR)
Effective May 25, 2018
is the governing privacy law in the European Union. It is based on the premise of notice, choice and consent, privacy rights, 3rd party accountability, auditing and security.
Who does CCPA apply to?
For-profit entities that collect personal information from California residents and meet any of the following thresholds:
At least $25 million in gross annual revenue;
Buys, sells or receives personal information about at least 50,000
CA consumers, householders or devices for commercial purposes or*;
Derives more than 50% of its annual revenue from the sale of personal information.*
*When CPRA goes into affect in January 1, 2023:
(ii) above is replaced with “buys, sells or shares personal information of 100,000 or more California residents or households”
(iii) above is replaced with “derives 50% or more of annual revenue from selling or sharing California personal information.
Who does CDPA apply to?
For-profit entities that conduct business in Virginia or offer products or services targeted to residents in Virginia and:
Control or process the data of at least 100,000 consumers or;
Control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.
Who does CPA apply to?
Legal entities that:
Conduct business or produce products or services that are intentionally targeted to Colorado residents and;
Either control or process personal data of more than 100,000 consumers per calendar year or;
Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Who does GDPR apply to?
Data controllers and data processors:
Established in the EU that process personal data in the context of activities of the EU establishment, regardless of whether the data processing takes place within the EU.
Not established in the EU that process EU data subjects’ personal data in connection with offering goods or services in the EU or monitoring their behavior.