Study Guide: Certified Information Privacy Professional (CIPP): US - Other State Comprehensive Laws, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-other-state-comprehensive-laws-virginia-vcdpa-colorado-cpa-connecticut-ctdpa-utah-ucpa

Certified Information Privacy Professional (CIPP): US - Other State Comprehensive Laws, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

State-level comprehensive privacy statutes are often called "mini-GDPRs": they apply to businesses that collect, use, or share the personal data of residents of a particular U.S. state. Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and Utah's UCPA each create consumer-rights and data-governance duties (breach notification stays in each state's separate breach-notification statute). For a retailer that sells to customers in all 50 states, ignoring these laws means either several overlapping compliance programs or, better, one program built to the strictest requirement among them, and each state's Attorney General can seek civil penalties for violations.


Key Terms & Provisions

  • Virginia Consumer Data Protection Act (VCDPA) – Virginia law (effective Jan 1, 2023). Applies to controllers that do business in Virginia or target Virginia residents and, in a calendar year, control or process the personal data of at least 100,000 consumers, or at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data. Grants rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects. Requires opt-in consent before processing sensitive data, a data protection assessment for listed high-risk processing, and reasonable security. Enforced only by the Attorney General (no private right of action), with a 30-day cure period.

  • Colorado Privacy Act (CPA) – Colorado law (effective July 1, 2023). Same 100,000-consumer prong; the second prong is 25,000 consumers plus any revenue or discount from the sale of personal data (no percentage test and no revenue floor). Same rights and sensitive-data consent rule as the VCDPA. Unlike the others, it covers nonprofits, and from July 1, 2024 controllers must honor a universal opt-out mechanism such as a browser opt-out signal. Enforced by the Attorney General and district attorneys.

  • Connecticut Data Privacy Act (CTDPA) – Connecticut law (effective July 1, 2023). Prongs: 100,000 consumers (excluding data processed solely to complete a payment transaction), or 25,000 consumers plus over 25% of gross revenue from the sale of personal data. Same rights and sensitive-data consent rule as the VCDPA and CPA, including the right to opt out of profiling; universal opt-out signals must be honored from Jan 1, 2025.

  • Utah Consumer Privacy Act (UCPA) – Utah law (effective Dec 31, 2023). The most business-friendly of the four: it applies only to controllers with $25 million or more in annual revenue that also meet a consumer prong (100,000 consumers, or 25,000 consumers plus over 50% of revenue from sale). Rights: access, deletion, portability, and opt-out of targeted advertising and sale. No right to correction, no appeal process, and no data protection assessment requirement. "Sale" means an exchange for monetary consideration only.

  • Sensitive Personal Data – All four statutes define it (the VCDPA included). The common core is data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation, and citizenship or immigration status, plus genetic or biometric data processed to identify a person; Virginia, Connecticut, and Utah also list precise geolocation, and Virginia, Colorado, and Connecticut also treat the personal data of a known child as sensitive. SSNs and driver's-license numbers are not on these lists (that is California's CPRA list and the separate breach statutes' list). Virginia, Colorado, and Connecticut require opt-in consent before processing sensitive data; Utah requires clear notice and an opportunity to opt out.

  • Data Protection Assessment (DPA) – The VCDPA, CPA, and CTDPA all use this term ("Data Protection Impact Assessment" is the GDPR term). Required before targeted advertising, sale of personal data, processing of sensitive data, profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, or intrusion on privacy, and any other processing that presents a heightened risk of harm. The Attorney General may demand the assessment, which stays confidential. Utah has no assessment requirement. Example: using AI to score the creditworthiness of Virginia residents is profiling that produces a legal or similarly significant effect, so it requires an assessment.

  • Opt-Out of Processing – Under the VCDPA, CPA, and CTDPA consumers may opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects; under the UCPA, of targeted advertising and sale only. All four require a clear and conspicuous mechanism (for example, a link on the website); Colorado (from July 1, 2024) and Connecticut (from Jan 1, 2025) must also honor a universal opt-out signal sent by the consumer's browser.

  • Data Portability – All four statutes give consumers the right to obtain a copy of the personal data they previously provided in a portable and, to the extent technically feasible, readily usable format that lets them transmit it to another controller; it is not unique to Colorado.

  • Reasonable Security Program – All four statutes demand reasonable administrative, technical, and physical practices appropriate to the volume and nature of the data. None prescribes controls; an Attorney General investigating a breach will look at encryption, access controls, logging, and an incident-response plan. Virginia, Colorado, and Connecticut add data-minimization and purpose-limitation duties.

  • Exemptions – There is no small-business or employee-count exemption in any of the four; coverage turns on the consumer prongs above and, in Utah, the $25 million revenue floor. Entity-level exemptions cover state agencies, financial institutions subject to GLBA (all four), nonprofits (all but Colorado), and HIPAA covered entities and business associates (Virginia, Connecticut, Utah). Colorado's HIPAA exemption is data-level: only protected health information itself is exempt. All four also exempt data already governed by sector laws such as HIPAA, FCRA, FERPA, and the Driver's Privacy Protection Act, and data processed in an employment context.

  • Breach Notification – None of the four privacy statutes sets a breach-notification clock; deadlines come from each state's separate breach-notification law, and they differ. Colorado requires notice to affected residents within 30 days of determining that a breach occurred, with notice to the Attorney General when 500 or more residents are affected; Connecticut requires notice within 60 days, with concurrent notice to the Attorney General; Virginia and Utah require notice without unreasonable delay, each with its own Attorney General notice threshold.


Step?by?Step Process Flow (Applying a State?Law Compliance Program)

  1. Map State Coverage – Use a data inventory to identify which customers, employees, or vendors are residents of VA, CO, CT, or UT, and which data flows are sales, targeted advertising, or profiling.
  2. Determine Applicability – Apply each state's consumer prongs (100,000 consumers; or 25,000 consumers plus sale revenue: over 50% in VA, any revenue or discount in CO, over 25% in CT, over 50% in UT) and Utah's $25 million revenue floor, then the entity-level and data-level exemptions. There is no employee-count test.
  3. Conduct Data Protection Assessments – For VA, CO, and CT, run an assessment for each listed activity (targeted advertising, sale, sensitive-data processing, risky profiling, other heightened-risk processing): weigh benefits against risks to consumers, document the safeguards that reduce the risk, obtain sign-off, and keep the assessment ready for an Attorney General request. Utah requires none.
  4. Implement Consumer-Rights Mechanisms – Build a single privacy portal that:
     • offers the opt-outs (targeted advertising, sale, and profiling; in Utah, targeted advertising and sale) and, for Colorado and Connecticut, honors universal opt-out signals;
     • takes access, correction (not Utah), deletion, and portability requests, verifies the requester's identity, and responds within 45 days (extendable once by a further 45 days when reasonably necessary);
     • provides an appeal process (VA, CO, CT) and tells a consumer whose appeal is denied how to contact the Attorney General;
     • collects opt-in consent before processing sensitive data (in Utah, gives notice and an opt-out instead).
  5. Update Security & Incident Response – Verify that safeguards match the sensitivity of the data and map the breach playbook to each state's breach statute (Colorado 30 days, Connecticut 60 days, Virginia and Utah without unreasonable delay) and its Attorney General notice threshold.
  6. Train & Document – Train staff who handle personal data; keep assessments, consent records, opt-out logs, request logs, and breach notifications. The statutes do not set one uniform retention period, so choose one that lets you evidence compliance through the cure and investigation windows.

Common Mistakes

Mistake Correction
Assuming "sale" means any transfer. The VCDPA and UCPA define sale as an exchange for monetary consideration only; the CPA and CTDPA say monetary or other valuable consideration, so a data-for-data or data-for-services swap can be a sale in CO and CT. In all four, disclosure to a processor acting on the controller's behalf is not a sale.
Treating sensitive data like any other personal data. All four statutes define sensitive data; VA, CO, and CT require opt-in consent before processing it, and UT requires clear notice and an opt-out.
Relying on a single "global" privacy notice. The rights and mechanisms differ (no correction right or appeal process in Utah; universal opt-out signals only in CO and CT; profiling opt-out only in VA, CO, CT). One notice works only if it covers every state's disclosures and mechanisms.
Skipping the DPA because the processing is "low risk." The triggers are enumerated: targeted advertising, sale, sensitive-data processing, and risky profiling each require an assessment regardless of your own risk rating, and the catch-all covers any other processing that presents a heightened risk of harm.
Believing applicability is permanent. The consumer prongs are measured per calendar year (and Utah's revenue floor annually); re-evaluate every year and after an acquisition, a new product line, or a new data-sharing deal.

CIPP Exam Insights

  1. Scope vs. Threshold – Exams love to ask whether a company that processes fewer than 100,000 state residents but has $30 million in revenue is covered. Virginia, Colorado, and Connecticut have no revenue test at all; below 100,000 consumers, coverage depends only on the 25,000-consumer-plus-sales prong. Utah requires the $25 million revenue floor and a consumer prong together.
  2. Opt-Out vs. Opt-In – All four require opt-out mechanisms for targeted advertising and sale (VA, CO, and CT also for profiling); VA, CO, and CT require opt-in consent for sensitive data, while UT uses notice and opt-out. The "right to limit use of sensitive personal information" belongs to California's CPRA, not to any of these four.
  3. Exemptions – The HIPAA exemption is entity-level in Virginia, Connecticut, and Utah (a covered entity or business associate is out of scope entirely) but data-level in Colorado (only protected health information is exempt). GLBA financial institutions are exempt at the entity level in all four.
  4. Breach Notification Timing – None of the four privacy statutes contains a breach deadline; the question is really about the state's separate breach law (30 days in Colorado, 60 days in Connecticut, "without unreasonable delay" in Virginia and Utah). A classic trap is to attribute a 60-day deadline to the VCDPA itself.

Quick Check Questions

  1. Scenario: A SaaS vendor processes the personal data of 80,000 Colorado residents and earns $22 million annually. The vendor uses AI to predict churn.
    Answer: Colorado has no revenue threshold, so the $22 million is irrelevant. 80,000 is below the 100,000-consumer prong, so the CPA applies only if the vendor also processes the data of at least 25,000 consumers and earns revenue or a discount from selling personal data. If it does not sell data, the CPA does not apply and no assessment is owed. If it does, it is covered; selling personal data itself requires a data protection assessment, and the churn model is profiling that needs one if it presents a reasonably foreseeable risk of the listed harms (for example, if churn scores drive service denials rather than retention offers).

  2. Scenario: A Utah-based e-commerce site sells products nationwide and shares customer email addresses with a third-party advertising network for $0.01 per record.
    Answer: The exchange is for monetary consideration, so it is a "sale" under the UCPA (and under the other three statutes as well). Utah consumers have a right to opt out; the site must offer a clear and conspicuous opt-out mechanism and act on requests within 45 days, extendable once by 45 days.

  3. Scenario: A Virginia health-care provider (HIPAA-covered) also runs a wellness-program app that collects fitness data not covered by HIPAA.
    Answer: The VCDPA's HIPAA exemption is entity-level, so a covered entity is outside the VCDPA entirely, fitness data included. The result differs in Colorado, where only PHI itself is exempt: there the fitness data would be subject to the CPA, and to the extent it reveals a health condition it would be sensitive data requiring opt-in consent.


Last?Minute Cram Sheet (10 One?Liners)

  1. Breach deadlines live in each state's breach statute, not in these privacy laws: Colorado 30 days, Connecticut 60 days, Virginia and Utah without unreasonable delay.
  2. Thresholds: 100,000 consumers, or 25,000 consumers plus sale revenue (VA over 50%, CO any, CT over 25%, UT over 50%); Utah additionally requires $25 million in revenue. No employee-count test, no small-business exemption.
  3. Sensitive Data (all four): racial or ethnic origin, religious beliefs, health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic and biometric data; precise geolocation in VA, CT, UT; known child's data in VA, CO, CT. Not SSNs.
  4. Data Portability: all four statutes provide it.
  5. Opt-Out: VA, CO, CT cover targeted advertising, sale, and profiling; UT covers targeted advertising and sale. Universal opt-out signals must be honored in CO and CT.
  6. Data Protection Assessment: required in VA, CO, CT; none in UT. "DPIA" is the GDPR term.
  7. Sensitive-data consent: opt-in in VA, CO, CT; notice plus opt-out in UT.
  8. Exemptions: HIPAA entity-level in VA, CT, UT and data-level in CO; GLBA financial institutions exempt in all four; nonprofits exempt everywhere except Colorado.
  9. Request handling: 45 days plus one 45-day extension in all four; appeal process required in VA, CO, CT; Utah has no correction right and no appeal.
  10. "Reasonable Security": no prescriptive controls; Attorney General enforcement only, with no private right of action in any of the four.

Use this guide to walk through each state’s obligations, spot the exam traps, and build a single, repeatable compliance workflow that satisfies Virginia, Colorado, Connecticut, and Utah.