Four U.S. states (California, Virginia, Colorado, and Texas) have enacted comprehensive consumer data privacy laws with distinct coverage thresholds, consumer rights, and enforcement mechanisms. The gaps between them determine compliance exposure for businesses operating across state lines.
Why State Privacy Laws Matter for Device Manufacturers and Retailers
Consumer electronics companies collect purchase histories, device usage metrics, account credentials, precise geolocation from GPS-enabled products, and behavioral data from smart home ecosystems. Every state law analyzed here applies to that data. As of mid-2025, 20 U.S. states have enacted comprehensive privacy legislation, with eight additional laws taking effect during 2025 alone. The four frameworks below (CCPA/CPRA, VCDPA, CPA, and TDPSA) are the most mature and most-cited in current compliance practice.
For a broader overview of federal efforts, see the guide to U.S. federal data privacy law and the ADPPA.
California: CCPA and CPRA, The Benchmark Framework
California’s Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) took effect January 1, 2020 and was substantially amended by the California Privacy Rights Act (Proposition 24), with CPRA provisions enforceable from January 1, 2023. The CPRA created the California Privacy Protection Agency (CPPA), the only state-level body in the U.S. dedicated exclusively to privacy enforcement, with independent authority to investigate, audit, and fine.
Penalties reach $2,500 per unintentional violation and $7,500 per intentional violation with no aggregate cap. The CPPA’s enforcement record through mid-2025 includes a $632,500 fine against American Honda Motor Co., a $345,178 fine against Todd Snyder Inc., and a $1.35 million fine against Tractor Supply Company, the largest single CPPA action to date. Coverage thresholds require exceeding at least one condition: annual gross revenue above $25 million, processing data of 100,000 or more consumers per year, or deriving 50 percent or more of revenue from selling or sharing personal information.
The CPRA added a “sensitive personal information” (SPI) category, covering precise geolocation, biometric data, health data, racial or ethnic origin, and union membership, with a consumer right to limit its use. It also added the right to correct inaccurate data, absent from the original CCPA. A private right of action exists, but only for data breaches; consumers cannot sue for general CCPA violations.
Virginia: VCDPA, Opt-Out Without a Dedicated Agency
The Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) took effect January 1, 2023. It follows an opt-out model, but enforcement architecture differs sharply from California’s. Virginia has no dedicated privacy agency. The Attorney General holds exclusive enforcement authority. Consumers have no private right of action under any circumstances, including data breaches under the VCDPA.
Coverage thresholds: the VCDPA applies to controllers processing personal data of 100,000 or more Virginia consumers per year, or 25,000 or more consumers while deriving more than 50 percent of gross revenue from selling personal data. There is no gross revenue floor; a small, data-dependent business can fall within scope regardless of total revenue. Consumer rights include access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and profiling with significant effects. Sensitive data (biometric, precise geolocation, health, racial or ethnic origin, sexual orientation, data from known children) requires opt-in consent. Penalties reach $7,500 per violation; the AG must provide a 30-day cure notice before initiating civil action.
Colorado: CPA, The Universal Opt-Out Leader
The Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) took effect July 1, 2023. Coverage thresholds mirror Virginia’s 100,000-consumer figure, with the 25,000-consumer/50-percent-revenue variant also included. Colorado’s defining technical requirement is the mandate for Universal Opt-Out Mechanisms (UOOMs). Beginning July 1, 2024, businesses subject to the CPA must honor the Global Privacy Control (GPC) signal, a browser-based opt-out that transmits consumer preferences automatically. The Colorado AG recognized GPC as the first valid UOOM in January 2024. No other state in this comparison mandates GPC recognition with equivalent specificity.
Colorado’s 60-day cure period expired January 1, 2025; the AG may now pursue enforcement directly without cure notice. On September 9, 2025, the Attorneys General of Colorado, California, and Connecticut, coordinating with the CPPA, launched a joint enforcement initiative targeting businesses that had not honored GPC signals. Penalties are $20,000 per violation with a $500,000 cap per related set of violations. No private right of action exists.
Texas: TDPSA, No Revenue Floor, Active AG Enforcement
The Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541 et seq.) took effect July 1, 2024. Its coverage structure is the most notable differentiator: Texas imposes no gross revenue floor. Any non-SBA-small business that processes data of 100,000 or more Texas consumers per year falls within scope, regardless of revenue size. Consumer rights track the standard framework: access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and profiling. Sensitive data requires opt-in consent. A 30-day cure period applies before AG enforcement.
Texas AG enforcement moved quickly after July 2024. The first TDPSA lawsuit was filed January 13, 2025 against Allstate and its subsidiary Arity for alleged unlawful collection and sale of geolocation data from Texas residents’ cellphones. Before that action, the AG had sent cure notices to more than 100 companies for Texas Data Broker Act violations, foreshadowing broader TDPSA scrutiny. In May 2025, the Texas AG reached a $1.375 billion settlement with Google resolving separate privacy claims. Penalties under the TDPSA reach $7,500 per violation; no private right of action exists.
Side-by-Side Comparison: The Four State Laws
| Dimension | California (CCPA/CPRA) | Virginia (VCDPA) | Colorado (CPA) | Texas (TDPSA) |
|---|---|---|---|---|
| Effective Date | Jan 1, 2020 (CCPA); Jan 1, 2023 (CPRA) | Jan 1, 2023 | Jul 1, 2023 | Jul 1, 2024 |
| Citation | Cal. Civ. Code § 1798.100 | Va. Code § 59.1-575 | C.R.S. § 6-1-1301 | Tex. Bus. & Com. Code § 541 |
| Coverage Threshold | >$25M revenue OR 100,000+ consumers OR 50%+ revenue from data sales | 100,000+ consumers OR 25,000+ & 50%+ revenue from data sales | 100,000+ consumers OR 25,000+ & 50%+ revenue from data sales | 100,000+ consumers; no revenue floor; SBA small-business exemption |
| Revenue Floor | Yes ($25M) | No | No | No (SBA exemption only) |
| Default Model | Opt-out; opt-in for SPI and minors under 16 | Opt-out; opt-in for sensitive data | Opt-out; opt-in for sensitive data | Opt-out; opt-in for sensitive data |
| GPC/Universal Opt-Out Required | Yes | No | Yes (from Jul 1, 2024) | No |
| Right to Correct | Yes (CPRA) | Yes | Yes | Yes |
| Private Right of Action | Data breach only | None | None | None |
| Dedicated Enforcement Agency | Yes — CPPA | No — AG only | No — AG only | No — AG only |
| Cure Period | None | 30 days | None (expired Jan 1, 2025) | 30 days |
| Max Penalty | $7,500 per intentional violation | $7,500 per violation | $20,000 per violation; $500K cap per related set | $7,500 per violation |
Key Compliance Gaps for Multi-State Operations
Three structural differences drive the most compliance complexity for businesses subject to all four laws simultaneously.
GPC implementation. California and Colorado mandate that businesses honor browser-based opt-out signals. Virginia and Texas do not. A company that implements GPC compliance for California and Colorado satisfies that obligation across its entire U.S. user base at no additional cost. The September 2025 multi-state joint enforcement sweep targeting GPC non-compliance signals that regulators now treat this as a baseline expectation.
Cure periods. California and Colorado allow no cure period before enforcement action. Virginia and Texas each provide 30 days. Compliance programs that rely on cure-period remediation as a risk buffer carry real exposure in California and Colorado from the first identified violation. That risk is not theoretical: the CPPA has demonstrated it will act quickly.
Private litigation. Only California creates civil liability for consumers, and only in the data breach context under Cal. Civ. Code § 1798.150. Class actions under that provision have produced settlements in the hundreds of millions of dollars. No equivalent litigation exposure exists in Virginia, Colorado, or Texas. Companies processing California resident data carry a breach-related litigation risk that no other state in this comparison imposes.
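The "honor GPC everywhere" approach from the GPC implementation point above can be sketched server-side as follows. This is an added example, not code from the article: the function and field names are hypothetical, it assumes the consumer's state is resolved elsewhere, and it assumes the opt-out is applied to both data sales and targeted advertising. The `Sec-GPC: 1` request header is the signal defined by the GPC specification.

```javascript
// Added example, not from the article; function and field names are hypothetical.
// States that the comparison table above lists as requiring GPC recognition.
const GPC_REQUIRED_STATES = new Set(["CA", "CO"]);

// The GPC specification defines one request header, Sec-GPC, whose only
// valid value is "1". Anything else (absent, "0", "true") is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    if (values.some((v) => String(v).trim() === "1")) return true;
  }
  return false;
}

// Decide how one request may be processed.
//   state           consumer's state, resolved elsewhere (assumption)
//   storedOptOut    opt-out already recorded for this account
//   honorEverywhere apply the signal to every user, not only CA and CO
function resolveOptOut(headers, opts = {}) {
  const { state, storedOptOut = false, honorEverywhere = true } = opts;
  const signal = hasGpcSignal(headers);
  const signalApplies = signal && (honorEverywhere || GPC_REQUIRED_STATES.has(state));
  const optedOut = storedOptOut || signalApplies;
  return {
    optedOut,
    allowSale: !optedOut,
    allowTargetedAds: !optedOut,
    // Recorded so an audit can show why a request was treated as opted out.
    reason: signalApplies ? "gpc" : storedOptOut ? "stored" : "none",
    // Design choice in this sketch: save a new signal so it outlives the request.
    persist: signalApplies && !storedOptOut,
  };
}

// Constructed sample requests (not real traffic).
const samples = [
  [{ "Sec-GPC": "1" }, { state: "CO" }],
  [{ "sec-gpc": "1" }, { state: "TX", honorEverywhere: false }],
  [{ "sec-gpc": "0" }, { state: "CA" }],
  [{}, { state: "VA", storedOptOut: true }],
];
for (const [headers, opts] of samples) {
  console.log(opts.state, JSON.stringify(resolveOptOut(headers, opts)));
}
```

With `honorEverywhere` left at its default, the state lookup drops out of the decision entirely, which is the single-code-path outcome the paragraph describes.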