Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.

The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:

• The laws in Texas and Nebraska apply to entities that are not small businesses (although small businesses cannot sell sensitive data without consumer consent).
• Starting in July 2026, Connecticut’s applicability standard will reduce the consumer threshold from 100,000 to 35,000, and add new applicability standards for the processing of sensitive data and the sale of data.
• The children’s privacy provisions in Colorado, Connecticut, and Montana’s laws apply to certain types of controllers that process any amount of children’s personal data.
• Colorado’s biometric privacy requirements apply to entities that process any amount of biometric identifiers or data.
• This year, Montana lowered its consumer threshold standard from 50,000 to 25,000.
• Rhode Island’s privacy notice provision applies more generally than the law’s other provisions.

In our new chart, we identify and analyze these varying and changing applicability standards. Click here to access the chart.

This is the fourth installment of a multipart blog series comparing key provisions in state privacy laws. Our prior installments provided charts with key dates in privacy and AI laws, risk assessment requirements, and categories of sensitive data. Future posts will examine consumer rights, among other topics.