Episode 78 — Applicability Tests: Resident Thresholds, Revenue, and Exemptions
State privacy laws do not apply to every organization equally. Instead, they establish applicability tests that define which businesses fall within scope. These tests are essential because they balance the goal of protecting consumer privacy with the recognition that small entities may lack the resources to implement complex compliance programs. Applicability criteria typically include thresholds based on resident counts, revenue, or the volume of personal data processed. They also account for the nature of activities, such as selling data or engaging in targeted advertising. By setting these parameters, legislatures focus regulation on larger players in the digital economy and entities whose business models depend heavily on personal information. For compliance teams, the first step in any privacy program is to determine whether their organization crosses these thresholds, since scope defines the entire set of duties that follow.
Resident count thresholds are one of the most common criteria for determining applicability. State statutes often apply to businesses that process the personal data of a specified number of state residents within a given measurement period, usually one year. For example, a law might cover entities that handle the data of 100,000 or more residents annually. These thresholds aim to capture organizations with significant consumer reach while exempting very small operators. Businesses must monitor their consumer databases to determine whether they cross such thresholds, recognizing that growth, mergers, or seasonal activity can push them over the line. Resident-based tests ensure that applicability reflects real-world impact on people rather than abstract corporate size.
Revenue thresholds create another pathway into coverage. Some state laws apply to businesses that generate annual revenue above a set figure, such as $25 million, or that derive a certain percentage of revenue from selling or sharing personal data. These provisions recognize that even if a business does not serve a massive consumer base, its financial scale or reliance on data monetization justifies regulatory obligations. For instance, a smaller company earning most of its income through targeted advertising may fall within scope despite serving fewer residents overall. Revenue tests thus capture high-impact players in the data economy, regardless of headcount or market share.
Data volume thresholds are also used to measure applicability. Rather than relying on total revenue or a high resident count alone, some laws pair a lower consumer-volume figure with a measure of how dependent the business is on data sales. For example, an organization that processes the data of 25,000 residents and derives half of its revenue from selling personal data may be covered even though it is far below the 100,000-resident prong. These combined tests create flexibility, capturing entities whose core activities involve data even if their total consumer base is modest. By combining volume and revenue metrics, legislatures avoid loopholes that would otherwise exempt data-driven companies simply because they do not fit conventional business models.
Doing business nexus tests further clarify scope. A company need not be physically located within a state to fall under its law; engaging with state residents through websites, apps, or services may be sufficient. Multi-state presence amplifies this challenge, as businesses must assess whether their practices create jurisdictional ties in multiple states simultaneously. For example, an online retailer headquartered in New York but serving customers in Colorado may be subject to Colorado’s privacy law if it meets thresholds. These nexus rules prevent businesses from evading obligations by avoiding physical offices in a state while still profiting from its residents’ data.
Definitions of business roles—such as controllers, processors, and service providers—also shape applicability. A controller determines the purposes and means of processing, while a processor handles data on behalf of a controller. Service providers may be defined with narrower contractual obligations. Each role carries distinct responsibilities, and determining which category an organization falls into affects scope. For instance, a cloud provider may avoid some obligations if it acts purely as a processor under contract, while the controller client bears primary responsibility. These definitions align state laws with international frameworks like the GDPR, fostering global consistency in privacy governance.
The scope of protected individuals further clarifies applicability. State privacy laws typically extend rights to residents, but definitions may include households or even device-linked data when tied to identifiable users. This broader framing captures smart home devices, shared family accounts, or other collective use cases. Businesses must consider whether their systems collect information linked to households or devices, even if individual names are not gathered. By broadening the consumer scope, states ensure protections cover the realities of modern digital ecosystems where multiple people may interact with shared platforms.
Personal information boundaries play a critical role in determining scope. Most laws define personal data broadly as information that identifies, relates to, or could reasonably be linked to a resident. Sensitive categories often include health data, biometric identifiers, racial or ethnic origin, precise geolocation, and children’s data. These categories may trigger heightened duties or assessments. Businesses must map their data assets to determine whether they process sensitive information that expands their obligations. Scope tests are not only about whether the law applies at all, but also about which provisions apply once an organization falls within coverage.
Financial services carve-outs reference the Gramm-Leach-Bliley Act, exempting entities or data already covered by federal financial regulations. Similarly, health-sector carve-outs reference HIPAA, excluding protected health information managed by covered entities or business associates. These exemptions prevent duplicative regulation and reduce burdens on industries already governed by strict sectoral frameworks. However, exemptions are not always total, and their shape varies by state: some statutes exempt the regulated entity as a whole (an entity-level exemption), while others exempt only the data the federal law actually governs (a data-level exemption), so a bank's website analytics or a hospital's marketing list may still fall under state law. Businesses in these sectors must carefully assess where federal and state obligations overlap and where state law still applies.
Other exemptions apply to nonprofit organizations, small businesses, and higher education institutions. Legislatures often exclude these entities to avoid imposing compliance burdens on organizations with limited resources or different missions. For example, nonprofits may be excluded unless they engage in commercial data sales. Small business exemptions vary but often rely on revenue or consumer thresholds. Higher education carve-outs reflect the existence of federal student privacy law under FERPA. These exclusions narrow applicability but require careful interpretation, as organizations with mixed roles or funding sources may fall partly inside and partly outside the exemption boundaries.
Employment and business-to-business data are frequently excluded, though some laws treat these exclusions as temporary sunsets. For example, California's law originally exempted employee and B2B data, but those exemptions were written to expire and did so on January 1, 2023, bringing that data fully within scope. These carve-outs reflect recognition that privacy laws were initially designed for consumer contexts but may expand to cover employment data in the future. Businesses must monitor whether sunset provisions expire, changing their scope of obligations. The shifting nature of these exclusions highlights the dynamic evolution of state privacy frameworks.
Government entities are generally excluded from state privacy laws, though public records statutes may intersect with data practices. For example, public agencies may not be subject to consumer rights requests under privacy acts but may still be bound by transparency obligations under open records laws. This creates a different but equally significant compliance environment. Private businesses interacting with government agencies must also be aware of these boundaries, ensuring that contractual relationships account for differing regulatory regimes.
Applicability can also be triggered by specific activities, such as selling or sharing personal data, engaging in profiling, or conducting targeted advertising. Businesses that fall well short of the general resident or revenue thresholds may still be covered if they engage in these practices, because most statutes attach a much lower volume prong to them, and a few attach no numeric threshold at all. For example, a company with a modest consumer base that sells personal data to brokers may be subject to regulation despite its small scale. These activity-based triggers ensure that coverage extends to entities most likely to affect consumer privacy, regardless of traditional business metrics.
Affiliate and corporate group considerations complicate applicability further. Some laws aggregate thresholds across affiliated entities, treating them as a single organization if they share branding or operational control. For example, a parent company and its subsidiaries may be treated as a consolidated business if they jointly determine processing purposes. This prevents companies from artificially dividing operations to avoid thresholds. Corporate structuring must therefore be evaluated carefully when determining scope. Applicability is not simply a matter of entity size but also of organizational relationships and shared practices.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Pseudonymous data sits at the margins of applicability. States often recognize pseudonymization as a safeguard, reducing the likelihood of reidentification by separating identifiers from datasets. However, pseudonymous data is not fully exempt—if the controller retains the means to reidentify individuals, obligations still apply. For example, a company may analyze browsing patterns tied to randomized IDs, but if it can link those IDs back to consumers, privacy rights still attach. For organizations, pseudonymization may reduce risk and obligations in certain contexts but does not eliminate them altogether. The practical implication is that companies must carefully document whether data is truly deidentified, pseudonymous, or fully identifiable, as these distinctions drive compliance.
Deidentified and publicly available data receive broader exclusions. Deidentified information, when subject to technical and contractual controls that prevent reidentification, is generally outside scope. Publicly available data, such as information lawfully made public in government records, is also excluded. However, exclusions require documentation to prove that safeguards are in place. Regulators expect organizations to demonstrate how data was deidentified, how contractual restrictions bind recipients, and how monitoring prevents backsliding into identifiability. Similarly, publicly available data exclusions do not cover scraped or aggregated information from online platforms if its use exceeds original expectations. These nuances remind businesses that exclusions are not loopholes—they require ongoing diligence.
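The distinction drawn in the two paragraphs above (pseudonymous data remains personal data while the controller holds the means to reidentify; deidentified data is out of scope only when that means is genuinely gone) is easiest to see in code. The following is an added example written for this page, not code from the episode or from any regulator. It uses a keyed HMAC token as the pseudonym, shows that the key holder can link a token back to a person, that a party without the key cannot, and that an unkeyed hash of an email address is not deidentification at all because anyone who can enumerate the population can reverse it. The records and email list are constructed sample data, not real people.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (fictional people): a direct identifier plus behavioural data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "pages_viewed": 12, "state": "CO"},
    {"email": "bob@example.com", "pages_viewed": 3, "state": "VA"},
    {"email": "Alice@Example.com", "pages_viewed": 7, "state": "CO"},  # same person, different case
]

# Population an attacker (or the controller itself) could enumerate, e.g. a customer list.
KNOWN_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(identifier: str) -> str:
    """Canonicalise before tokenising so the same person always gets the same token."""
    return identifier.strip().lower()


def make_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier under a secret key."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed token; all other fields are kept."""
    out = []
    for r in records:
        rec = {k: v for k, v in r.items() if k != "email"}
        rec["subject_id"] = make_token(r["email"], key)
        out.append(rec)
    return out


def reidentify(subject_id: str, candidates, key: bytes):
    """Whoever holds the key can link a token back to a person by recomputing it.
    This is why pseudonymous data stays in scope for the key holder."""
    for c in candidates:
        if hmac.compare_digest(make_token(c, key), subject_id):
            return c
    return None


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: a common but mistaken 'anonymisation'."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def reverse_naive_token(token: str, candidates):
    """Without a key, anyone who can enumerate the input space reverses the token."""
    for c in candidates:
        if naive_token(c) == token:
            return c
    return None


def count_distinct_subjects(pseudonymized) -> int:
    """Distinct-resident counts for applicability thresholds can be computed on the
    pseudonymous dataset without handling raw identifiers."""
    return len({r["subject_id"] for r in pseudonymized})


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # controller's linkage key, kept apart from the data
    ps = pseudonymize(SAMPLE_RECORDS, key)
    print("pseudonymous records:", ps)
    print("distinct subjects:", count_distinct_subjects(ps))
    print("key holder reidentifies:", reidentify(ps[0]["subject_id"], KNOWN_EMAILS, key))
    print("stranger without key:", reidentify(ps[0]["subject_id"], KNOWN_EMAILS, secrets.token_bytes(32)))
    print("naive hash reversed:", reverse_naive_token(naive_token("bob@example.com"), KNOWN_EMAILS))
```

The design point is where the key lives. If the analytics team holds both the tokenised dataset and the HMAC key, the organisation plainly retains the means to reidentify and the data is pseudonymous, not deidentified. Moving the key to a separate custodian under contract, or destroying it once the linkage is no longer needed, is the technical control that a deidentification claim has to be able to document; a hash with no key provides neither, as the last line of the demo shows.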
Research and clinical trial exemptions reflect policy goals of promoting science while respecting privacy. Many state laws exempt data used for scientific or medical research, provided that certain safeguards are in place, such as ethics review, deidentification, or compliance with human subject protections. For example, clinical trial data may fall outside general consumer privacy laws if it is collected under federal research rules. These exemptions enable innovation while still requiring accountability. Organizations conducting research must ensure that consent, minimization, and oversight processes are documented, demonstrating that exemptions are applied responsibly.
Security, incident, and privilege-related records also receive exemptions in consumer rights workflows. For instance, an organization may deny a deletion request if retaining the data is necessary to detect fraud, investigate incidents, or protect legal privilege. These exemptions balance consumer rights with organizational and societal needs. They ensure that privacy frameworks do not undermine security monitoring or litigation defenses. Organizations must track which exemptions apply to particular datasets and explain denials clearly in response workflows. This reinforces transparency while ensuring that compliance does not compromise security or legal duties.
Loyalty programs and financial incentives represent a unique carve-out. States allow businesses to offer price differences or rewards in exchange for data, but they impose transparency and proportionality requirements. For example, a retailer may provide discounts for joining a loyalty program but must disclose the data exchanged, show that the incentive is reasonably related to the value of that data, obtain opt-in consent to the program, and honor requests to withdraw from it. These rules prevent exploitative practices while preserving consumer choice. Companies must balance marketing goals with fairness, ensuring that incentives remain lawful and not coercive. Transparency in loyalty programs transforms a potential liability into a defensible engagement strategy.
Data broker registration intersects with applicability by drawing in entities that may not otherwise be covered by comprehensive privacy laws. States like California and Vermont require data brokers—businesses that sell personal information without direct consumer relationships—to register and provide transparency reports. Even if a broker does not meet resident or revenue thresholds, registration obligations create oversight. This ensures that secondary markets for personal data, often opaque to consumers, are subject to accountability. Organizations involved in data resale must monitor both general applicability tests and broker-specific obligations to ensure compliance.
Franchise models create special challenges for applicability. A franchisor may control brand standards while franchisees operate locally, raising questions about who qualifies as a controller or processor. State laws often allocate duties based on functional roles: the franchisor may be responsible for centralized marketing databases, while franchisees handle local transactions. Contracts must clarify these roles and allocate responsibilities for consumer requests, security, and notices. Without clarity, both franchisors and franchisees risk liability for each other’s practices. Careful structuring ensures that obligations are met without duplication or gaps.
Controller–processor contracting determines role-based outcomes. If a service provider is properly classified as a processor, its statutory duties are narrower (confidentiality, assisting the controller, flowing terms down to subprocessors), and most of its obligations are set by the contract rather than by direct applicability. However, if contracting is incomplete or ambiguous, or if the vendor uses the data for its own purposes, regulators may treat the processor as a controller, imposing the full set of obligations. Contracts must specify purposes, security measures, audit rights, and restrictions on secondary use. Similarly, joint controller arrangements require explicit allocation of duties, such as which party responds to consumer requests. These distinctions are central to scope, as they determine who bears legal responsibility for compliance under state laws.
Corporate transactions such as mergers, acquisitions, and divestitures trigger transitional scope changes. An acquisition may push a company over resident or revenue thresholds, suddenly bringing it within scope of multiple laws. Conversely, divestitures may reduce applicability but create obligations to transfer data responsibly. Transitional compliance requires careful planning: consumer notices must be updated, contracts must be amended, and data retention schedules must reflect new realities. Regulators scrutinize how companies manage consumer rights during transitions, emphasizing that compliance cannot lapse during corporate restructuring.
Evidence files supporting applicability determinations are critical for defensibility. Regulators expect businesses to demonstrate how they assessed thresholds, exemptions, and role definitions. Documentation may include consumer counts, revenue breakdowns, or data mapping reports. Without records, claims of exemption or non-applicability may be dismissed. Evidence files also support audits, providing a trail of reasoning that shows compliance decisions were deliberate and informed. For organizations, documenting applicability is as important as documenting compliance once in scope.
Re-evaluation cadence is necessary as businesses grow or change. An organization that was exempt one year may cross thresholds the next due to new products, market expansion, or data monetization strategies. Regular re-assessments ensure that applicability determinations remain accurate. Annual reviews are common, but more frequent checks may be necessary during rapid growth. Re-evaluation prevents organizations from inadvertently falling out of compliance by assuming old applicability conclusions still hold. Dynamic assessments align compliance posture with business reality.
Multi-state harmonization strategies help organizations manage complexity. Many adopt a most-restrictive baseline approach, implementing controls that satisfy the strictest state requirements and applying them broadly. This reduces the need for fragmented policies and simplifies operations. For example, if one state requires honoring browser-based opt-out signals, a company may adopt that standard nationwide. While this can increase compliance costs, it reduces risk and builds consumer trust. Harmonization transforms a patchwork into a unified framework, turning complexity into an opportunity for program maturity.
Once in-scope status is established, downstream impacts ripple across operations. Consumer request workflows must be built, vendor contracts must be updated, data minimization practices must be adopted, and security safeguards must be enhanced. Applicability decisions thus shape every facet of the privacy program. For businesses, recognizing this connection underscores the importance of accurate scope determinations. Misjudging applicability can result in under-preparation, while overestimating it may waste resources. Aligning thresholds, exemptions, and role definitions with downstream operational planning ensures that compliance is not only lawful but efficient.
Applicability tests serve as the foundation of state privacy law compliance. Thresholds determine whether obligations attach, exemptions define the boundaries, and role definitions allocate responsibilities. By documenting determinations, revisiting them regularly, and harmonizing across jurisdictions, organizations create clarity in an otherwise complex regulatory environment. These tests are not merely technical calculations but strategic decisions that shape the scope of compliance programs. Getting them right ensures that privacy obligations are met proportionately, fairly, and consistently across the evolving patchwork of state privacy laws.
