Quick answer

If your business collects personal data from customers in more than one state, earns over $25 million annually, processes data on more than 35,000 to 100,000 consumers depending on the state, or shares customer data with third-party vendors, you are likely already subject to at least one state privacy law. As of 2026, more than 20 states have comprehensive consumer data privacy laws in effect. The thresholds are lower than most small business owners expect.

| Sign | What It Means | States Most Likely to Apply |
|---|---|---|
| #1 Customers in multiple states | Multi-state reach triggers multiple laws simultaneously | CA, VA, CO, TX, and others |
| #2 Collects email or basic contact data | Even basic data collection counts toward consumer thresholds | All 20+ states with active laws |
| #3 Uses website analytics or marketing tools | Analytics and ad pixels often constitute data processing under state law | CA, CO, CT, VA, TX |
| #4 Revenue exceeds state thresholds | Thresholds range from $25M (CA) to no revenue floor in some states | CA (CCPA), TX (TDPSA) |
| #5 Shares data with third parties | Vendor sharing triggers disclosure and contract obligations | All states with active laws |

As a small business owner in the United States, you might think comprehensive privacy laws only affect tech giants and Fortune 500 companies. However, with 20 US states now having comprehensive privacy laws and thresholds as low as 35,000 consumers in some states, your business may already be subject to strict compliance requirements with penalties reaching $20,000 per violation.

The multi-state privacy law landscape has evolved rapidly, creating a complex web of regulations that catch many small business owners off guard. Understanding whether your business falls under these laws is crucial for avoiding substantial penalties and maintaining customer trust.

Sign #1: Your Customer Base Crosses State Lines

If your business serves customers across multiple states, you’re likely subject to various state privacy laws. Each state with comprehensive privacy legislation applies its rules to businesses that collect personal information from its residents, regardless of where your business is physically located.

For example, if you’re based in Ohio but sell products to customers in California, Colorado, or Virginia, you must comply with those states’ privacy laws. This multi-state compliance requirement means that even a small e-commerce business with a few thousand customers could be subject to multiple privacy regulations simultaneously.

The threshold numbers are lower than most realize. While some states require businesses to process data from 100,000 consumers annually, others set the bar at just 35,000 consumers. When you factor in website visitors, email subscribers, and customers across all the states where you do business, you might already exceed these thresholds. Our state privacy law thresholds reference breaks down the trigger levels for every active state law.

Sign #2: You Collect Email Addresses and Basic Customer Information

Many small business owners assume privacy laws only apply to companies collecting sensitive data. The reality is that basic customer information like email addresses, names, phone numbers, and mailing addresses all qualify as personal information under state privacy laws.

Common business activities that trigger compliance requirements include:

  • Email newsletter subscriptions
  • Customer account creation
  • Online purchase forms
  • Contact form submissions
  • Loyalty program enrollment

If your business maintains a customer database, uses email marketing, or operates an online store, you’re processing personal information that falls under state privacy law protections. The multi-state nature of these laws means you need to consider the most restrictive requirements among all states where you have customers.

Sign #3: You Use Website Analytics and Marketing Tools

Website analytics, social media pixels, and marketing automation tools significantly expand the scope of personal information your business processes. These tools often collect data like IP addresses, browsing behavior, device information, and location data, all of which are considered personal information under state privacy laws.

Popular business tools that may trigger compliance requirements include:

  • Google Analytics
  • Facebook advertising pixels
  • Email marketing platforms
  • Customer relationship management (CRM) systems
  • Live chat widgets

The data collected by these tools, combined with your direct customer interactions, can quickly push your business over the threshold requirements. With penalties as high as $20,000 per violation, the cost of non-compliance far exceeds the investment in proper privacy compliance. A website and marketing compliance review catches the cookies, pixels, and consent banner gaps that most often draw regulator attention.

Sign #4: Your Annual Revenue Exceeds State Thresholds

Many state privacy laws include revenue thresholds alongside consumer data thresholds. If your business generates significant annual revenue, you may be subject to privacy laws even if your customer numbers seem small.

These revenue thresholds vary by state, but successful small businesses often cross these lines without realizing the compliance implications. For example, Colorado’s CPA now carries the costliest enforcement structure in the country, while Delaware’s DPDPA has no revenue floor at all for its primary threshold. The multi-state privacy law landscape means you need to track both your revenue and your customer base across all jurisdictions where you operate.

Combined Threshold Impact

Most state privacy laws use “OR” logic for their thresholds, meaning you only need to meet one criterion to be covered. For example, if a state requires either 50,000 consumers OR $10 million in revenue, meeting either threshold subjects your business to that state’s privacy law requirements.

Sign #5: You Share Customer Data with Third Parties

If your business shares, sells, or provides customer data to third parties, you’re likely subject to additional privacy law requirements. This includes common business practices like:

  • Using third-party payment processors
  • Sharing data with shipping companies
  • Working with marketing agencies
  • Utilizing cloud storage services
  • Partnering with other businesses for referrals

State privacy laws often have specific requirements for businesses that share personal information, including disclosure requirements and consumer rights provisions. A structured vendor risk program puts the data processing agreements and ongoing monitoring in place that regulators expect to see.

The Multi-State Compliance Challenge

With 20 states now having comprehensive privacy laws and more passing legislation every year, small businesses face an increasingly complex compliance landscape. Each state has its own requirements, cure periods, and penalty structures, making it challenging to maintain compliance across multiple jurisdictions.

The enforcement landscape is also evolving, with state attorneys general actively investigating businesses of all sizes. The days when privacy laws were only enforced against major corporations are over. Small businesses are now in the crosshairs, and the penalties can be business-threatening.

Take Action Before It’s Too Late

If any of these signs apply to your business, it’s time to take action. The multi-state privacy law landscape requires expert guidance to navigate successfully. Waiting until you receive an enforcement notice could result in penalties that threaten your business’s survival.

Don’t let privacy law compliance overwhelm your business operations. Get a comprehensive assessment of your privacy law obligations and develop a practical compliance strategy that protects your business while respecting customer privacy rights.

Ready to protect your business? Get your personalized privacy compliance assessment today at northprivacyadvisors.com/assessment.html and ensure your small business stays compliant across all applicable state privacy laws.

Primary sources & further reading