PrivacyCache

CCPA/CPRA vs VCDPA vs CPA

California, Virginia, and Colorado lead US state privacy regulation. Each law has different thresholds, rights, and enforcement mechanisms that affect mid-market companies differently.

At a Glance

Key differences between CCPA/CPRA vs VCDPA vs CPA for mid-market companies (<200 employees).

DSAR Deadline
CCPA/CPRA: 45 days
VCDPA: 45 days
CPA: 45 days

Maximum Fine
CCPA/CPRA: $7,988 per intentional violation
VCDPA: $7,500 per violation
CPA: $20,000 per violation

Jurisdiction
CCPA/CPRA: California
VCDPA: Virginia
CPA: Colorado

Consent Model
CCPA/CPRA: N/A
VCDPA: N/A
CPA: N/A

Detailed Comparison

Comparison Point | CCPA/CPRA | VCDPA | CPA
Jurisdiction | California | Virginia | Colorado
Effective Date | Jan 1, 2020 (CPRA: Jan 1, 2023) | January 1, 2023 | July 1, 2023
DSAR Deadline | 45 days | 45 days | 45 days
DSAR Extension | +45 days | +45 days | +45 days
Revenue Threshold | $26.625M annual revenue | None | None
Consumer Threshold | 100,000+ consumers | 100,000+ consumers | 100,000+ consumers
Alternative Threshold | 50%+ revenue from data sales | 25,000+ consumers + 50% revenue from data sales | 25,000+ consumers + revenue from data sales
Maximum Penalty | $7,988 per intentional violation | $7,500 per violation | $20,000 per violation
Private Right of Action | Yes (data breaches only) | No | No
Universal Opt-Out | Required (Global Privacy Control) | Not required | Required (since July 2024)
Cure Period | No cure period (CPRA) | 60-day cure period | 60-day cure period (expired January 2025)
Right to Delete | Yes | Yes | Yes
Right to Correct | Yes (CPRA) | Yes | Yes
Right to Opt-Out of Sale | Yes | Yes | Yes
Right to Opt-Out of Profiling | Yes (CPRA) | Yes | Yes
Enforcement Body | CPPA + AG | Attorney General only | Attorney General + District Attorneys

The US State Privacy Patchwork

The United States lacks a comprehensive federal privacy law, leaving individual states to create their own frameworks. California (CCPA/CPRA), Virginia (VCDPA), and Colorado (CPA) represent the three most influential state privacy laws and serve as models for the growing number of states enacting similar legislation.

Threshold Differences Matter for Mid-Market Companies

CCPA has the broadest reach because it includes a revenue threshold ($26.625M) as an alternative trigger. A company can fall under CCPA solely based on revenue, even if it processes relatively little California consumer data. VCDPA and CPA have no revenue threshold — they focus purely on data processing volume.

For mid-market companies with under 200 employees, the consumer threshold (100,000+) is the most common trigger across all three laws. If you operate a B2C service with customers in these states, you likely hit this threshold.

Penalties: Colorado Leads

Colorado's CPA has the highest per-violation penalty at $20,000, compared to $7,988 (CCPA) and $7,500 (VCDPA). However, CCPA is the only one with a private right of action for data breaches, which means individual consumers can sue for $100-$750 per person per incident — potentially resulting in far higher total liability for data breach events.

Universal Opt-Out: A Key Differentiator

Both CCPA and CPA require businesses to honor universal opt-out mechanisms like the Global Privacy Control (GPC) browser signal. VCDPA does not require this. For companies building opt-out infrastructure, this means you need technical implementations that detect and honor GPC signals for California and Colorado visitors.
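
One way to implement the GPC detection described above, as an added example that is not PrivacyCache's code. It reads the `Sec-GPC: 1` request header defined by the GPC specification; the function names, the two-letter state codes and the caller-supplied visitor state (from your own geolocation or account data) are assumptions of this example.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal server-side.
// The GPC specification sends the request header "Sec-GPC: 1".
// Function names, state codes and the visitor-state input are assumptions.

// Universal opt-out requirement per law, taken from the comparison above.
const GPC_REQUIRED = { CA: true, CO: true, VA: false };

// True only when the request carries Sec-GPC with the exact value "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// Decide whether this request must be treated as opted out of sale/sharing.
// visitorState: two-letter code, or null when it could not be determined.
function resolveOptOut(headers, visitorState, storedOptOut = false) {
  const gpc = hasGpcSignal(headers);
  const state = visitorState ? String(visitorState).toUpperCase() : null;
  // Fail closed: an unknown location is handled like a state that requires GPC.
  const gpcApplies = state === null || GPC_REQUIRED[state] === true;
  // A previously stored opt-out always wins, regardless of state or signal.
  if (storedOptOut) return { optOut: true, reason: 'stored-preference' };
  if (gpc && gpcApplies) return { optOut: true, reason: 'gpc-signal' };
  return { optOut: false, reason: gpc ? 'gpc-not-required' : 'no-signal' };
}

// Constructed sample requests (not real traffic).
const samples = [
  [{ 'Sec-GPC': '1' }, 'CA'],
  [{ 'sec-gpc': '1' }, 'VA'],
  [{ 'sec-gpc': '0' }, 'CO'],
  [{ 'sec-gpc': '1' }, null],
];
for (const [headers, state] of samples) {
  console.log(state, JSON.stringify(resolveOptOut(headers, state)));
}
```

The `reason` field is worth logging alongside the decision so that an opt-out can later be traced to the signal that triggered it.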

Cure Periods Are Disappearing

Initially, all three laws offered cure periods — time to fix a violation before enforcement action. CCPA eliminated its cure period with the CPRA amendments. Colorado's cure period expired in January 2025. Only VCDPA retains a 60-day cure period, but this is expected to be shortened in future amendments. The trend is clear: businesses should proactively comply rather than relying on cure periods.

Building Multi-State Compliance

For mid-market companies operating across multiple US states: (1) implement a universal opt-out mechanism (covers CCPA and CPA), (2) build DSAR workflows to meet the 45-day deadline consistently, (3) create state-specific privacy notices where required, (4) implement cookie consent and tracking preference controls, and (5) monitor new state laws — over 15 US states have now enacted comprehensive privacy legislation.

Which Law Applies to You?

CCPA applies if: You are a for-profit business meeting any threshold: $26.6M+ revenue, 100K+ California consumers, or 50%+ revenue from data sales.

VCDPA applies if: You process data of 100K+ Virginia consumers, or 25K+ consumers while deriving 50%+ revenue from data sales.

CPA applies if: You process data of 100K+ Colorado consumers, or 25K+ consumers while deriving revenue from data sales.

All three apply if: You operate a B2C business serving customers across these states. Build a unified compliance program with the strictest requirements from each law (Colorado's universal opt-out + California's no-cure-period approach).

Frequently Asked Questions

Which US state has the highest privacy law penalties?
Colorado's CPA has the highest per-violation penalty at $20,000, compared to CCPA's $7,988 and VCDPA's $7,500. However, CCPA is the only one allowing private lawsuits for data breaches ($100-$750 per consumer).

Do all US state privacy laws have the same DSAR deadline?
CCPA, VCDPA, and CPA all use a 45-day DSAR response deadline with a 45-day extension. This consistency makes multi-state compliance easier for DSAR workflows.

What is the Global Privacy Control requirement?
Both CCPA and Colorado's CPA require businesses to honor universal opt-out signals like Global Privacy Control (GPC). Virginia's VCDPA does not require this.

Do US state privacy laws have revenue thresholds?
Only CCPA has a revenue threshold ($26.625M annual revenue). VCDPA and CPA focus on consumer data volume thresholds (100,000+ consumers) without revenue triggers.

Do cure periods still exist under US state privacy laws?
Only VCDPA retains a 60-day cure period. CCPA eliminated its cure period with CPRA, and Colorado's expired in January 2025. The trend is toward immediate enforcement.


Disclaimer: This comparison is maintained independently by PrivacyCache for informational purposes. We strive for accuracy but laws evolve and specific requirements may change. This is not legal advice. Consult qualified legal counsel for compliance decisions. Last updated: 4/2/2026.