State Privacy Law Applicability Assessment

Overview

Determining which US state privacy laws apply to an organization requires evaluating multiple criteria: revenue thresholds, consumer/data volume thresholds, industry-specific exemptions, entity-type exemptions, and data-type exemptions. This skill provides a systematic assessment framework and Python automation tool for evaluating applicability across all major enacted state privacy laws.

Assessment Framework

Step 1: Geographic Nexus

For each state, determine if the organization has nexus through:

• Conducting business in the state (physical presence, employees, registered entity)
• Targeting residents of the state (marketing, advertising, or providing products/services specifically to state residents)
• Producing products/services consumed by state residents

Most state laws use "conducts business in [state] OR produces products or services targeted to [state] residents" as the nexus requirement.

Step 2: Threshold Assessment