Defining Business - Applicability Thresholds
Which companies are covered turns on the definition of business (called controller in the four non-California states). California is broadest ($25M revenue alone triggers coverage); the threshold structures differ sharply by state, with Utah requiring $25M revenue PLUS a processing threshold.
California uses the term ; the other four states use controller. California is broadest: a company doing business in California with $25 million in total annual gross revenue is subject to the law regardless of type.
| State | Consumer-count trigger | Revenue-from-data trigger | Standalone revenue trigger |
|---|---|---|---|
| California | 100,000 consumers | Derives at least 50% of gross revenue from selling OR sharing data | $25M annual gross revenue alone |
| Colorado | 25,000 consumers AND any revenue or discount from selling data | (coupled with consumer count) | None |
| Connecticut | 25,000 consumers (excludes payment transactions) AND at least 25% of gross revenue from selling data | (coupled with consumer count) | None |
| Virginia | 25,000 consumers AND at least 50% of gross revenue from selling data | (coupled with consumer count) | None |
| Utah | $25M revenue AND (100,000 consumers OR 25,000 consumers + 50% of gross revenue from selling data) | (coupled, see consumer column) | None - revenue alone is never enough |
1) California includes both selling AND sharing in its 50% revenue test; Colorado, Connecticut, Virginia look only at selling. 2) Connecticut excludes payment transactions from its 100,000-consumer count. 3) Utah is the only state where revenue alone ($25M) is never sufficient - it must be combined with a processing threshold.
California, Colorado, Connecticut, and Virginia share a 100,000-consumer standalone-style processing trigger; Colorado, Connecticut, and Virginia each use 25,000 consumers when coupled with a selling-revenue test.