Most businesses think they're too small for state privacy laws. They're wrong — and the misunderstanding is costing them.
Every state privacy law has its own set of thresholds that trigger compliance obligations. They run along three dimensions: how many consumers' personal data you process, how much total revenue you generate, and what share of that revenue comes from selling personal data. The math is more complex than most business owners realize, because the first number is almost always larger than they think.
The Threshold Misconception
When business owners hear "100,000 consumers," they immediately think of their customer count. If they have 8,000 customers, they assume they're safe. That assumption is wrong for two reasons.
First, "consumers" under state privacy laws doesn't mean customers. It means any resident of that state whose personal data you process in an individual or household context, including website visitors, email subscribers, newsletter signups, and leads who never bought anything. California also counts job applicants and employees; most other states exclude individuals acting in an employment or commercial context, so check each statute's definition before you count. And the counts are measured over a year, not a day: an e-commerce site seeing 10,000 unique California visitors a month reaches 100,000 in about ten months, well inside the annual window the CCPA uses.
Second, most state laws have an alternative threshold that combines a lower consumer count with revenue from data sales. The exact mix varies: Virginia, for example, is triggered at 25,000 consumers if more than 50% of gross revenue comes from selling personal data, Connecticut at 25,000 consumers with more than 25%, and Colorado at 25,000 consumers if you derive any revenue or discount from selling personal data. A business that monetizes its lists through advertising partners can cross these prongs long before it reaches 100,000 consumers.
The State-by-State Picture
As of 2026, 20 states have comprehensive consumer privacy laws in effect. Here are the threshold structures for the most commonly relevant ones:
- California (CCPA/CPRA): does business in California AND meets one of: $25M annual revenue (adjusted for inflation every two years, so the current figure is somewhat higher), OR buys, sells, or shares the personal information of 100,000 consumers or households, OR 50%+ of revenue from selling or sharing personal information.
- Texas (TDPSA): processes or sells personal data of Texas residents and is not a small business under SBA definitions. No consumer count threshold. Note that even small businesses must obtain consent before selling sensitive personal data.
- Virginia (VCDPA): 100,000 Virginia consumers, OR 25,000 consumers with 50%+ of gross revenue from data sales.
- Colorado (CPA): 100,000 Colorado consumers, OR 25,000 consumers if you derive any revenue or receive a discount from selling personal data. Note the sales prong has no percentage floor.
- Delaware (DPDPA): 35,000 consumers, OR 10,000 consumers with 20%+ revenue from data sales. Lower bar than most.
- Vermont (VPA): 25,000 consumers. No revenue threshold at all.
Watch list: Oklahoma and several other states have comprehensive privacy bills moving through their legislatures in 2026. The total number of covered states will continue to expand.
How to Calculate Your Exposure
The most reliable way to assess your threshold exposure is to count all of the following:
- Active customers in your CRM
- Email subscribers, including unsubscribed ones (you still hold their data until you delete it)
- Website visitors captured via cookies or analytics
- Job applicants whose data you retained
- Leads who never converted
Deduplicate across those sources (the same person is usually in your CRM, your email list, and your analytics), then segment by state where you can, over the measurement period the statute uses (a calendar year in Virginia; annually under the CCPA). If you're close to a threshold in any state where you operate, assume you've crossed it. The cost of a brief compliance review is almost always lower than the cost of discovering after the fact that you've been operating in violation for months.
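The counting procedure above, written out as an added example (this is not the article's code). It assumes each source can export records with an email where one exists and a state where one is known (CRM field, mailing address, or IP geolocation for analytics); analytics cookie IDs without an email are treated as distinct consumers; the thresholds are the consumer-count prongs from the state list above (revenue prongs are not modelled); and the sample data is constructed so the run finishes in seconds.

```python
"""Estimate distinct consumers per state across several data sources and compare
the totals against consumer-count thresholds. Added example with constructed data."""
from collections import Counter
from typing import Iterable, Optional

# Consumer-count prongs from the article's state list. Extend for the states you
# operate in. Revenue-based prongs are not modelled here.
CONSUMER_THRESHOLDS = {"CA": 100_000, "VA": 100_000, "CO": 100_000, "DE": 35_000}


def identity_key(record: dict) -> tuple:
    """Dedupe key: lower-cased email when present, otherwise the source's own id.
    The same person in the CRM and on the email list collapses to one consumer."""
    email = (record.get("email") or "").strip().lower()
    if email:
        return ("email", email)
    return (record["source"], record["id"])


def count_consumers(records: Iterable[dict]) -> tuple[Counter, int]:
    """Return (distinct consumers per state, distinct consumers with no known state)."""
    state_by_key: dict[tuple, Optional[str]] = {}
    for rec in records:
        key = identity_key(rec)
        state = rec.get("state")
        # Keep the first known state; a later record only fills in a missing one.
        if key not in state_by_key or (state_by_key[key] is None and state):
            state_by_key[key] = state
    counts = Counter(s for s in state_by_key.values() if s)
    unattributed = sum(1 for s in state_by_key.values() if s is None)
    return counts, unattributed


def assess(counts: Counter, thresholds: dict = CONSUMER_THRESHOLDS, margin: float = 0.10) -> dict:
    """Classify each state as 'crossed', 'near' (within `margin` of the line), or 'below'.
    Per the article, treat 'near' as crossed when deciding whether to review."""
    result = {}
    for state, limit in thresholds.items():
        n = counts.get(state, 0)
        if n >= limit:
            result[state] = "crossed"
        elif n >= limit * (1 - margin):
            result[state] = "near"
        else:
            result[state] = "below"
    return result


def sample_records() -> list[dict]:
    """Constructed sample: 1,200 CRM customers; an email list of 5,000 whose first
    1,200 are the same people (mixed-case emails, to exercise dedup); 50 retained
    applicants; 93,000 analytics cookie ids geolocated to CA; 2,000 with no state."""
    recs = []
    for i in range(1_200):
        recs.append({"source": "crm", "id": f"c{i}", "email": f"user{i}@example.com", "state": "CA"})
    for i in range(5_000):
        recs.append({"source": "email", "id": f"e{i}", "email": f"User{i}@Example.com",
                     "state": "CA" if i % 2 else "DE"})
    for i in range(50):
        recs.append({"source": "ats", "id": f"a{i}", "email": f"app{i}@example.org", "state": "VA"})
    for i in range(93_000):
        recs.append({"source": "analytics", "id": f"ck{i}", "email": None, "state": "CA"})
    for i in range(2_000):
        recs.append({"source": "analytics", "id": f"ckx{i}", "email": None, "state": None})
    return recs


def exposure_report(records: Iterable[dict]) -> dict:
    """Run the full procedure and return counts, unattributed total and status per state."""
    counts, unattributed = count_consumers(records)
    return {"counts": dict(counts), "unattributed": unattributed, "status": assess(counts)}


if __name__ == "__main__":
    report = exposure_report(sample_records())
    for state, status in sorted(report["status"].items()):
        print(f"{state}: {report['counts'].get(state, 0):>7,} consumers -> {status}")
    print(f"no known state: {report['unattributed']:,} (could push any 'near' state over)")
```

The California count in the sample lands at 96,100, in the "near" band, even though the CRM holds only 1,200 customers: almost all of it is analytics traffic, which is exactly the gap the threshold misconception hides. The 2,000 records with no known state are reported separately so a reviewer can decide whether to allocate them conservatively.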
What to Do If You've Crossed a Threshold
Crossing a threshold doesn't mean you're in violation today; it means you now have compliance obligations that must be in place. The most common requirements triggered include a compliant privacy notice, an intake and response process for consumer rights requests (access, deletion, correction), data processing agreements with vendors, and, in most states, an opt-out mechanism for the sale of personal data and for targeted advertising.
None of these are insurmountable. Most SMBs can get to a defensible compliance posture within 60 to 90 days with the right guidance. The key is knowing you've crossed the line before a regulator points it out.