Comparing U.S. State Data Privacy Laws vs. the EU’s GDPR

U.S. consumer data privacy laws have much in common – both with each other and with the laws from which they took their inspiration – but subtle differences may trip up even the most seasoned compliance professionals. Here, Bloomberg Law provides an easy-to-read comparison of the EU’s General Data Protection Regulation (GDPR) against the first three data privacy laws in the U.S.: California, Virginia, and Colorado.

[Download the full chart for all the critical information at a glance.]

What are the basics of each privacy law?

Name
  GDPR: General Data Protection Regulation
  CCPA: California Consumer Privacy Act
  CPRA: California Privacy Rights Act
  VCDPA: Consumer Data Protection Act
  CPA: Colorado Privacy Act

Citation
  GDPR: EU/2016/679
  CCPA: Cal. Civ. Code § 1798.100 et seq.
  CPRA: Cal. Civ. Code § 1798.100 et seq.
  VCDPA: Va. Code § 59.1-571 et seq.
  CPA: Colo. Rev. Stat. § 6-1-1301 et seq.

Jurisdiction
  GDPR: European Union
  CCPA: California
  CPRA: California
  VCDPA: Virginia
  CPA: Colorado

Model
  GDPR: Opt-in
  CCPA: Opt-out
  CPRA: Opt-out
  VCDPA: Opt-out
  CPA: Opt-out

Sector
  GDPR: Non-sectoral
  CCPA: Non-sectoral
  CPRA: Non-sectoral
  VCDPA: Non-sectoral
  CPA: Non-sectoral

Effective date(s)
  GDPR: May 25, 2018
  CCPA: Jan. 1, 2020
  CPRA: Dec. 16, 2020; Jan. 1, 2023
  VCDPA: Jan. 1, 2023
  CPA: Jul. 1, 2023


Whose data is protected by the GDPR vs. U.S. data protection laws? What types of data are protected?

Whose data is protected?

Statutory term
  GDPR: Data subject
  CCPA: Consumer
  CPRA: Consumer
  VCDPA: Consumer
  CPA: Consumer

Defined as
  GDPR: Natural person in the EU
  CCPA: Natural person who is a CA resident
  CPRA: Natural person who is a CA resident
  VCDPA: Natural person who is a VA resident
  CPA: Individual who is a CO resident

What types of data are protected?

Statutory term
  GDPR: Personal data
  CCPA: Personal information
  CPRA: Personal information
  VCDPA: Personal data
  CPA: Personal data

Defined as
  GDPR: Any information relating to an identified or identifiable natural person
  CCPA: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
  CPRA: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
  VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person
  CPA: Information that is linked or reasonably linkable to an identified or identifiable individual

Definition excludes de-identified data
  GDPR: The GDPR uses the term “pseudonymized” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered personal data
  CCPA: Yes, but see provisions regarding reidentification of de-identified information (Cal. Civ. Code § 1798.148)
  CPRA: Yes, but see provisions regarding reidentification of de-identified information (Cal. Civ. Code § 1798.148). Moreover, the CPRA authorizes the attorney general to update the definition of “de-identified” (Cal. Civ. Code § 1798.185(a))
  VCDPA: Yes, but special requirements apply to de-identified data. See Va. Code § 59.1-581.
  CPA: Yes, but special requirements apply to de-identified data. See Colo. Rev. Stat. § 6-1-1307.

Definition excludes publicly available info
  GDPR: No
  CCPA: Yes
  CPRA: Yes
  VCDPA: Yes
  CPA: Yes

Definition excludes aggregate info
  GDPR: Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes
  CCPA: Yes
  CPRA: Yes
  VCDPA: Not specified
  CPA: Not specified


GDPR data protection

The General Data Protection Regulation, or GDPR, defines the data subject as a natural person in the EU. The personal data covered by the law is defined as any information relating to an identified or identifiable natural person. It excludes “pseudonymised” data, but does not exclude publicly available data. Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes.

CCPA and CPRA data protection

The California Consumer Privacy Act (CCPA) protects the consumer, which is defined as a natural person who is a California resident. The CCPA applies to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA excludes de-identified data, publicly available information, and aggregate information.

VCDPA data protection

The Virginia Consumer Data Protection Act, or VCDPA, protects the consumer, defined as a natural person who is a Virginia resident. It protects personal data, which is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person. The VCDPA excludes de-identified data and publicly available data. It does not specify whether aggregate information is excluded.

CPA data protection

The Colorado Privacy Act (CPA) protects the consumer, defined as an individual who is a Colorado resident. It protects personal data, which is defined as information that is linked or reasonably linkable to an identified or identifiable individual. The CPA excludes de-identified data and publicly available data. It does not specify whether aggregate information is excluded.

Who must comply with the GDPR and U.S. state data privacy laws?

Jurisdictional threshold
  GDPR: Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior
  CCPA: “Does business” in California
  CPRA: “Does business” in California
  VCDPA: “Conducts business” in Virginia or produces products or services “targeted” to Virginia residents
  CPA: “Conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents

Revenue threshold
  GDPR: None
  CCPA: Annual gross revenues greater than $25 million
  CPRA: Annual gross revenues greater than $25 million in preceding calendar year
  VCDPA: None
  CPA: None

Processing threshold
  GDPR: None
  CCPA: Data of 50,000 or more consumers
  CPRA: Data of 100,000 or more consumers
  VCDPA: Data of 100,000 or more consumers
  CPA: Data of 100,000 or more consumers

Broker threshold
  GDPR: None
  CCPA: At least 50% of revenue from selling of data
  CPRA: At least 50% of revenue from selling or sharing of data
  VCDPA: Data of 25,000 or more consumers + at least 50% of revenue from sale of data
  CPA: Data of 25,000 or more consumers + derives revenue or receives discount from sale of data


GDPR compliance requirements

The GDPR requires compliance by any entity that processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or monitoring their behavior. There is no revenue threshold, processing threshold, or broker threshold.

CCPA compliance requirements

The CCPA applies to entities that “do business” in California and meet one or more of the following thresholds:

- Annual gross revenues greater than $25 million
- Data of 50,000 or more consumers
- At least 50% of revenue from selling of data

CPRA compliance requirements

The CPRA applies to entities that “do business” in California and meet one or more of the following thresholds:

- Annual gross revenues greater than $25 million in the preceding calendar year
- Data of 100,000 or more consumers
- At least 50% of revenue from selling or sharing of data

VCDPA compliance requirements

The VCDPA applies to entities that “conduct business” in Virginia or produce products or services “targeted” to Virginia residents. There is no revenue threshold, but the law applies only to entities that process the data of 100,000 or more consumers, or to companies that process the data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of that data.

CPA compliance requirements

The CPA applies to any entity that “conducts business” in Colorado or produces or delivers commercial products or services “intentionally targeted” to Colorado residents. Entities must satisfy one of two thresholds to fall within the statute’s scope, and both thresholds are stated as a minimum number of affected consumers: the entity must control or process (i) the personal data of at least 100,000 consumers, or (ii) the personal data of at least 25,000 consumers while deriving revenue or receiving a discount from the sale of that data.

What are the consequences for noncompliance with the GDPR or with U.S. state privacy laws?

Noncompliance
  GDPR: Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
  CCPA: In actions brought by the AG, civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater
  CPRA: Administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater
  VCDPA: If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation
  CPA: For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice


GDPR noncompliance fines

The consequences of noncompliance with the GDPR are administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

CCPA civil penalties and damages

In actions brought by the attorney general, CCPA violators face civil penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the consequences are statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

CPRA noncompliance fines and penalties

The consequences of noncompliance with the CPRA are administrative fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. In actions brought by consumers for security breach violations, the penalty is statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

VCDPA civil penalties

If a controller or processor continues to violate the VCDPA following the cure period or breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the commonwealth and may seek an injunction to restrain any violations of the VCDPA and civil penalties of up to $7,500 for each violation.

CPA enforcement actions

For purposes of an enforcement action brought by the attorney general or district attorney, a violation of the CPA constitutes a deceptive trade practice.

Mitigate risk in data privacy and security with Bloomberg Law

On the frontier of privacy and data security, change happens. And with evolving technologies come new risks and responsibilities. Map your consumer data privacy compliance strategy and stay ahead of GDPR developments with essential privacy and data security news, expert analysis, and practice tools from Bloomberg Law.

Watch the on-demand replay of our latest In-House Forum, Global Privacy Dynamics: Navigating Data Laws and AI Challenges, to hear about the important privacy issues facing in-house legal teams, along with legislative and regulatory updates and insights for evaluating new technology and consumer data policies.

Privacy and data security compliance challenges are real. So are our solutions. Request a demo to learn more.