/>iMany organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months brings a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of new CPLs are applicable, and timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is also a good time for an overall privacy compliance checkup.
(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)
The New CPLs
During the second half of 2025, three CPLs come into effect (Q3-Q4 CPLs) and another three are effective as of January 1, 2026 (2026 CLPs):
- Tennessee Information Protection Act – effective July 1, 2025
- Minnesota Consumer Data Privacy Act – effective July 31, 2025
- Maryland Online Data Privacy Act – effective October 1, 2025
- Kentucky Consumer Data Protection Act – effective January 1, 2026
- Rhode Island Data Transparency and Privacy Protection Act – effective January 1, 2026
- Indiana Consumer Data Protection Act – effective January 1, 2026
If a business has not already built the new CPLs into prior updates to its privacy notice and compliance program, then, assuming the applicability thresholds are met and no exemptions apply, addressing the Q3-Q4 CPLs and 2026 CPLs, as well as CPL amendments effective between now and January 1, 2026, can help create efficiencies by mitigating the need to make multiple rolling updates. This also can reset the California notice 12-month lookback, thereby helping avoid a year-end rush to address the lookback and the 2026 CLPs. A business may, however, wish to reserve the right to honor new or changed consumer privacy rights only as and when the rights are in effect.
The Amended CPLs
Three of the CPLs already in effect have significant amendments effective during the second half of 2025: Colorado, Montana and Oregon. Six more amendments are effective during 2026: Connecticut, Indiana, Kentucky, Oregon, Utah and Virginia.
Also New
An amendment to the Texas Data Broker Law, effective September 1, 2025, expands the definition of, and thresholds of coverage for, data brokers and also increases transparency obligations. In addition, two states enacted new minor-focused privacy laws, and two states enacted age-appropriate design laws, joining the enjoined California Age-Appropriate Design Code Act and the Maryland Age-Appropriate Design Code Act.
Key Compliance Considerations
- Consumer Privacy Rights and Privacy Notice Requirements
While the new CPLs include consumer privacy rights similar to current CPLs, they also include noteworthy deviations. One key area of deviation relates to the information rights of consumers about third-party recipients of personal data sales and certain other disclosures.
The Minnesota CPL requires that a controller provide a consumer with the right to obtain a list of specific“third parties” to which the controller has disclosed personal data. (Note that processors and their affiliates are not third parties). If the controller does not maintain the list in a format specific to the consumer making the request, then the controller may provide a list of specific third parties to whom the controller has disclosed any consumers’ personal data. This is a significant burden but should be a familiar obligation to controllers subject to the Oregon CPL.
We recommend that controllers subject to the Minnesota CPL and the Oregon CPL view this requirement as applicable to disclosures to “third parties,” which includes “sales” resulting from third-party cookies. Like the majority of the CPLs, the Minnesota CPL and Oregon CPL define “sale” as an exchange of personal data for any valuable consideration. (Only Indiana, Iowa, Kentucky, Tennessee, Utah, and Virginia define “sale” as an exchange for monetary consideration only.) Also, this disclosure obligation is retrospective, not a snapshot in time, but is subject to exemptions.
The Maryland CPL – like the Delaware CPL – requires a list of categories of third-party recipients as to the specific consumer or, if the controller does not maintain the recipient categories list in a format specific to the consumer, a list of the categories of recipients of all consumers’ personal data will suffice. Requiring categories of recipients, rather than specific recipients, is much less burdensome.
An amendment to the Montana CPL (effective October 1, 2025) requires that a controller’s privacy notice include an “explanation” of consumer rights, in addition to the currently-effective requirement for a description of how consumers may exercise their consumer rights. This explanation requirement is consistent with other CPL requirements; i.e., privacy notices must clearly explain the privacy rights available to consumers and how consumers can exercise them. We have seen enforcement inquiries by state regulators taking issue with unclear explanations of which privacy rights apply to residents of which state.
However, the most significant new privacy notice requirements are in the Rhode Island CPL. Effective January 1, 2026, the Rhode Island CPL’s first operative section applies to a “website or internet service online service provider” that is subject to Rhode Island jurisdiction (Online Service). This definition of Online Service provider is both broader (because no thresholds apply) and narrower (because it applies online only) than “controller.” An Online Service provider must, however, designate a controller if the provider collects, stores and sells “personally identifiable information” of “customers” (which is defined similarly to “consumers” in the other CPLs). The term “personally identifiable information” is not defined, (§ 6-48.1-4(a)), and whether this term is intended as narrower than “personal data,” which is used in all other sections of the Rhode Island CPL is unclear.
Like the majority of the CPLs, the Rhode Island CPL defines “sale” as an exchange of personal data for any valuable consideration. But, unlike the other CPLs, an Online Service provider must include in its privacy notice details about “all third parties” to which the controller “has sold or may sell” [emphasis added] its customers’ personally identifiable information. For some Online Service providers, the inclusion of “may sell” will require ongoing privacy notice updates, such as for sales to new third parties. As with the Oregon and Minnesota CPLs, complying retrospectively with the disclosure obligations is a challenge, especially as to cookies, which can frequently change. A “controller” also must clearly and conspicuously disclose sales of personal data for targeted advertising (§ 6-48.1-3(b)). No specific posting requirements apply in the subsection that requires this targeted advertising disclosure but, presumably, the “conspicuous location on its website or online service platform where similar notices are customarily posted” from the prior subsection (§ 6-48.1-4(a)) applies.
Also noteworthy: effective July 1, 2026, an amendment to the Connecticut CPL adds new disclosure requirements in § 42-520, such as a statement in the privacy notice disclosing “whether the controller collects, uses or sells personal data for the purpose of training large language models” (among other new requirements).
- Profiling/ADM
Given Congress’ failed attempt to impose a preemptive moratorium on state laws regulating artificial intelligence (AI) and profiling and automated decision-making (ADM) that use AI, the addition of new CPLs regulating profiling and ADM is especially notable.
Except for the CPLs of Iowa and Utah, the CPLs regulate profiling and/or ADM that uses personal data, but the details vary. Rulemaking under the California Consumer Privacy Act (CCPA) detailing what rights and obligations apply to profiling and ADM remains ongoing, but the most recent version of the CCPA regulations lessens impact on business. New Jersey is also working on rulemaking, and Colorado has promulgated complex regulations regarding profiling, including information and appeal rights, subject to exceptions.
The Maryland and Tennessee CPLs allow a consumer to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. The CPLs of Delaware, Maryland, Montana, New Hampshire and Rhode Island also include the “solely” modifier, as do the draft CCPA regulations. An amendment to the Montana CPL (effective October 1, 2025) removes the “solely” modifier. An amendment to the Connecticut CPL also removes the “solely” modifier (effective July 1, 2026). All other CPLs do not limit the opt-out right to profiling based on solely automated decisions.
The Minnesota CPL offers consumers the distinct rights to question the result of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; to be informed of the rationale behind each decision; and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. A Minnesota consumer also has the right to review his or her personal data used in the profiling. If the decision is based upon inaccurate personal data (considering the nature of the personal data and the purposes of the processing of the personal data), the consumer has the right to correct the personal data and to have the profiling decision reevaluated based upon the corrected personal data (§ 325O.05(1)(g)). While the other Q3-Q4 CPLs and 2026 CPLs offer profiling opt-out rights, none of them include rights like those in the Minnesota CPL.
The obligations regarding use of personal data for profiling based on automated decisions, together with the in-process CCPA regulations, have created a complex patchwork. Given the operational impact to businesses, especially those operating in the “not solely” states, a high-water mark approach may not function as well as in other areas of CPL compliance. (Our state CPL comparison charts discussed below include CPL profiling and ADM requirements.)
- Sensitive Personal Data, Sensitive Processing and Purpose Limitations
The Minnesota CPL prohibits personal data processing for targeted advertising and personal data sales without the consumer’s consent when a controller knows that a consumer is between age 13 and age 16 (§ 325M.16(2)(f)).
The Maryland CPL’s approach to sensitive data processing is stricter than other CPLs: a controller cannot collect, process or share sensitive data unless the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer, (§ 14-607(A)(1)), or sell sensitive personal data (§ 14-607(A)(2)). Even the Maryland CPL’s purpose limitation for non-sensitive personal data is limited to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer” (§ 14–4607 (B)). Prior to the end of the legislative session, the Maryland House considered (but did not pass) an amendment that would adjust this limitation to “adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.” This change would better align with other CPLs. How Maryland’s purpose limitations will impact digital advertising to adults is unclear, but sales of personal data and processing for the purposes of targeted advertising are prohibited if the controller knows or should have known that the consumer is under age 18, (§ 14-607(A)(4),(5)) – the highest age of any of the currently effective CPLs. The Maryland CPL also includes provisions specific to “consumer health data.”
Effective January 1, 2026, an amendment to the Oregon CPL prohibits (i) sales of personal data when the controller has actual knowledge that, or willfully disregards whether, that consumer is under 16 years of age, and (ii) sales of data that accurately identify past or present precise geo-location (within a radius of 1,750 feet) that links or is linkable to a consumer, but excluding the “content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility” (§ 646A.578 (2)(d)). As noted above, the Maryland CPL prohibits sensitive data sales and precise geolocation data is a type of sensitive data.
An amendment to the Colorado CPL adds new requirements for processing of a minor’s personal data when the processing presets “heightened risk of harm to minors,” effective October 1, 2025. An amendment to the Virginia CPL related to minors and social media is effective January 1, 2026, and an amendment to the Connecticut CPL adds new requirements as to minors.
As of July 1, 2025, obligations related to biometric data were added to the Colorado Privacy Act (Biometric Data Amendment). The monetary and processing thresholds that apply to the rest of the Colorado Privacy Act do not apply to a controller that processes biometric data under the Biometric Data Amendment. A controller is in scope “regardless of the amount of biometric identifiers or biometric data controlled or processed annually” (§ 6-1-1304(1)(b)). If a controller does not meet the processing threshold with respect to other categories of personal data, then the controller must comply only with the Biometric Data Amendment. Employers also are in scope of the Biometric Data Amendment. Employers may require, “as a condition of employment,” employees’ or prospective employees’ consent to collect and process biometric identifiers for certain enumerated purposes (§ 6-1-1314(6)(a));processing biometric identifiers for other purposes requires consent, but the employer may not require consent “as a condition of employment or retaliate against an employee or prospective employee who does not consent to such collection or processing” (§ 6-1-1314(6)(b)).
The Biometric Data Amendment also adds some new written policy and privacy notice requirements for controllers, as well as the obligation to allow a broader right of access for biometric data than for other personal data. A processorof biometric data also has a new requirement for a protocol for responding to a data security incident that may compromise the security of the biometric data entrusted to the processor by the controller (§ 6-1-1314(3)). Neural data was added as a new sensitive data category, reflecting the special sensitivity of the data collected from increasing use of mental health apps and so-called “brain wearables” outside of traditional healthcare settings.
The amendment to the Connecticut CPL effective July 1, 2026, adds new sensitive data categories (including neural data and government issued IDs) (§ 42-515) and prohibits sales of sensitive data without consent (§ 42-520(a)(1)(H)).
Our CPL comparison charts include regulation of sensitive personal data, including processing purpose limitations.
- Opt-Out Preference Signal (OOPS)
The CPLs of Maryland and Minnesota require a controller to make available an OOPS (also known as global privacy control or universal opt-out mechanism) for consumers to exercise their rights to opt out of use of their personal data for targeted advertising and to opt out of the sale of their personal data. In both laws, a consumer may designate an agent using an OOPS (Maryland, § 14-4606; Minnesota, § 325M.14(2)(d)).
Of the CPLs already in effect, California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas also have OOPS requirements. With twelve CPLs requiring them, many businesses are considering whether to honor OOPS nationally.
- Risk Assessment and Other Information Governance
Documented risk assessments for processing deemed high risk are required in Q3-Q4 CPLs (Tennessee, Minnesota and Maryland), as well as the 2026 CPLs (Kentucky, Rhode Island and Indiana). Regulations that include assessment requirements are pending under the CCPA (read more), leaving the CPLs of Iowa and Utah as the only ones that do not, or do not plan to, require assessments. Many believe the lack of enforcement on assessment requirements already in effect, even with respect to businesses under investigation for other issues, relates to the still-ongoing CCPA rulemaking, which seems to be nearing completion.
The Minnesota CPL requires documentation of data inventories (§ 325M.16(2)(c)), as does the current draft of the CCPA regulations. The Minnesota CPL also requires a controller to document and maintain a description of the policies and procedures specific to compliance with the Minnesota CPL, including the name of the chief privacy officer (CPO) or other individual with oversight responsibility. The Tennessee CPL provides a limited affirmative defense for violations if the controller’s privacy program “reasonably conforms” to the National Institute of Standards and Technology Privacy Framework or comparable privacy framework (§ 47-18-3213).
As noted above. the Biometric Data Amendment to the Colorado CPL added some new written policy requirements for biometric identifiers and biometric data that supplement the current “Documentation Concerning Duties of Controllers” in the Colorado Privacy Act Rule 6.11 and also new security incident response policy requirements for processors.
Next Steps
The increasingly complex patchwork of CPLs and potential for more robust enforcement mean that organizations that have not kept up with the CPLs’ nuanced differences should examine their consumer privacy notices, and related policies and procedures, to help ensure that their compliance approaches are up to date and working as intended and required.
Appendix: The 20 State Consumer Privacy Laws: Effective Dates and Applicability Thresholds
| State | Effective Date | General Applicability Thresholds |
|---|---|---|
| Indiana | January 1, 2026 Amendment: January 1, 2026 |
A natural or legal person conducting business in Indiana or producing a product or service that is targeted to Indiana residents, and that during a calendar year: controls or processes the personal data of at least 100,000 Indiana residents, or controls or processes the personal data of at least 25,000 Indiana residents and derives more than 50% of its gross revenue from the sale of personal data. (§ 24-15-1-1(a)) |
| Kentucky | January 1, 2026 Amendment: January 1, 2026 |
A “person” conducting business in Kentucky or producing a product or service that is targeted to Kentucky residents, and that during a calendar year: controls or processes personal data of at least 100,000 consumers, orcontrols or processes the personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data. (§ 367.3613(1)) |
| Rhode Island | January 1, 2026 | Section 6-48.1-3(a) [Information Sharing Practices] applies only to a “website or internet service provider” that is conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction that collects, stores and sells customers’ “personally identifiable information.” – No threshold Sections §§ 6-48.1-4 to 6-48.1-7 apply to a for-profit entity that conducts business in Rhode Island or produces a product or service targeted to Rhode Island residents and that during the preceding calendar year: controlled or processed the personal data of not less than 35,000 customers (excluding personal data processed solely for the purpose of completing a payment transaction), or controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of its gross revenue from the sale of personal data. |
| Maryland | October 1, 2025 | A natural or legal person conducting business in Maryland or providing a product or service that is targeted to residents of Maryland and that, during the preceding calendar year,: controlled or processed personal data of at least 35,000 consumers (excluding data controlled or processed solely for the purpose of completing payment transactions) orcontrolled or processed personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data. (§ 14–4602) |
| Minnesota | July 31, 2025 | A legal entity that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, and satisfies one or more of the following thresholds: during a calendar year: controls or processes personal data of 100,000 consumers or more (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), orderives more than 25% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more. (§ 325M.12(1)) |
| Tennessee | July 1, 2025 | A natural or legal person conducting business in Tennessee or producing a product or service that is targeted to Tennessee residents, and that exceeds US $25 million in revenue and: controls or processes the personal information of at least 25,000 consumers and derives more than 50% of its gross revenue from the sale of personal information, orduring a calendar year, controls or processes the personal information of at least 175,000 consumers. (§ 47-18-3202) |
| New Jersey | January 15, 2025 | A controller (i.e., an individual or legal entity that alone or jointly with others determines the purpose and means of processing personal data), that conducts business in New Jersey or produces a product or service that is targeted to New Jersey residents and during a calendar year: controls or processes the personal data of at least 100,000 consumers (excluding personal data processed solely for the purpose of completing a payment transaction), or controls or processes the personal data of at least 25,000 consumers and derives revenue or receives a discount on the price of any goods or services, from the sale of personal data. (§ 56:8-166.5) |
| Delaware | January 1, 2025 | A legal or natural person conducting business in Delaware or producing a product or service that is targeted to Delaware residents, and that in the preceding calendar year: controlled or processed the personal data of at least 35,000 consumers (excluding for the purpose of completing a payment transaction), or controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from selling personal data. (§ 12D-103(a)) |
| Iowa | January 1, 2025 | A “person” conducting business in Iowa or producing a product or service that is targeted to consumers who are Iowa residents, and that during a calendar year: controls or processes the personal data of at least 100,000 consumers, or controls or processes the personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data. (§ 715D.2(1)) |
| Nebraska | January 1, 2025 | A natural or legal person* conducting business in Nebraska or producing a product or service consumed by Nebraska residents, and: processes or engages in the sale of personal data, and is not a small business, as defined by the SBA (n.b., per the Nebraska Attorney General: “A small business may still be liable for penalties if it sells sensitive data without receiving consent from the consumer.”) (§ 87-1103(1)) |
| New Hampshire | January 1, 2025 | A natural or legal person conducting business in New Hampshire or producing a product or service that is targeted to New Hampshire residents, and that, during a one-year period: controlled or processed the personal data of at least 35,000 unique consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), orcontrolled or processed the personal data of at least 10,000 unique consumers and derived more than 25% of its gross revenue from the sale of personal data. (§ 507-H:2) |
| Montana | October 1, 2024 Amendment: October 1, 2025 |
A “person” that conducts business in Montana or produces a product or service that is targeted to Montana residents, and: controls or processes the personal data of at least 50,000 (excluding personal data processed solely for completing a payment transaction), or controls or processes the personal data of at least 25,000 consumers and derives more than 25% of its gross revenue from the sale of personal data. (§ 30-14-2803) Effective October 1, 2025: Excluding Sections 9 through 11 of the amendment, a person that conducts business in Montana or that produces products or services that are targeted to Montana residents and: controls or processes the personal data of not less than |
| Florida | July 1, 2024 | A “controller” is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that meets the following requirements: is organized or operated for the profit or financial benefit of its shareholders or owners;conducts business in Florida;collects personal data about consumers, or is the entity on behalf of which such information is collected;determines the purposes and means of processing personal data about consumers alone or jointly with others;makes US $1 billion or more in global gross annual revenues, andsatisfies at least one of the following:derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; operates a consumer smart speaker and voice command component with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation but excluding a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; oroperates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. (§ 501.702(9)) For sensitive data sales: a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements: is organized or operated for the profit or financial benefit of its shareholders or owners;conducts business in Florida; andcollects personal data about consumers or is the entity on behalf of which such information is collected. (§ 501.715) |
| Oregon | July 1, 2024 Amendment: September 6, 2025 January 1, 2026 |
A natural or legal person conducting business in Oregon or providing a product or service to Oregon residents that, during a calendar year: controls or processes the personal data of 100,000 or more consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), orcontrols or processes the personal data of 25,000 or more consumers, while deriving 25% or more of its gross revenue from selling personal data. (§ 646A.572(1)) |
| Texas | July 1, 2024 | No thresholds; applies to a natural or legal person conducting business in Texas or producing a product or service that is consumed by Texas residents and that: processes or engages in the sale of personal data, and is not a small business as defined by the SBA (except that a small business must obtain consent to sell personal data (§ 541.107)). (§ 541.002(a)) |
| Utah | December 31, 2023 Amendment: July 1, 2026 |
Any controller or processor conducting business in Utah or produces a product or service that is targeted to consumers who are Utah residents, has an annual revenue of at least US $25 Million, and: during a calendar year, controls or processes the personal data of 100,000 or more consumers, or derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. (§ 13-61-102(1)) |
| Colorado | July 1, 2023 Amendments: October 1, 2024 July 1, 2025 October 1, 2025 |
A legal or natural person that, alone or jointly with others, determines the purposes for and means of processing personal data, and conducts business in Colorado or produces or delivers a commercial product or service that is intentionally targeted to consumers, andcontrols or processes the personal data of 100,000 or more consumers, or derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more consumers. (§ 6-1-1304(1)) Different thresholds apply to biometric identifiers or biometric data (see § 6-1-1304(1)(b) until October 1, 2025; effective October 1, 2025, see § 6-1-1304(1)(a)(II)). |
| Connecticut | July 1, 2023 Amendments: July 1, 2024 October 1, 2024 July 1, 2026 |
Prior to July 1, 2026: A person that conducts business in Connecticut or persons that produces products or services that are targeted to residents of Connecticut and that, during the preceding calendar year: controlled or processed the personal data of not less than 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data. (§ 42-516)(See also Connecticut Attorney General FAQs) Effective July 1, 2026: A natural or legal person that: conducts business in Connecticut or produce products or services that are targeted to residents of Connecticut, and during the preceding calendar year, controlled or processed the personal data of not fewer than 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), orcontrolled or processed consumers’ sensitive data (excluding personal data controlled or processed solely for the purposes of completing a payment transaction), oroffered consumers’ personal data for sale in trade or commerce. (§ 42-516) |
| Virginia | January 1, 2023 Amendments: January 1, 2025 January 1, 2026 |
A natural or legal person that conducts business in Virginia or produces a product or service that is targeted to Virginia residents, and that, during a calendar year: controls or processes the personal data of at least 100,000 consumers, or controls or processes the personal data of at least 25,000 consumers and derives over 50% of its gross revenue from the sale of personal data. (§ 59.1-576(A)) |
| California | January 1, 2020 CPRA Amendment Effective Date: January 1, 2023 Most Recent Amendment: January 2025 |
A for-profit legal entity doing business in California that collects or has collected personal information, and alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information and either: has a gross global revenue of more than US $25 million in the preceding calendar year, or annually buys, “sells,” or “shares” personal information of 100,000 or more consumers or households, or derives 50% or more of its annual revenue from “selling” or “sharing” personal information of consumers. (§ 1798.140(d)) |
