As a business owner, you will find that many privacy laws apply to the operation of your business. But what exactly is the scope of these laws, and what exactly do they mean by "business"?

If you aren't sure whether or not your business is a "business" for purposes of specific laws, this article will help you determine if you fall under the scope of almost 80 global privacy laws.




American Data Privacy and Protection Act (ADPPA)

Under the American Data Privacy and Protection Act (ADPPA), a business or "covered entity" will have customers located within the United States, and includes the following:

  • Data controllers: An entity that decides when, how and why to collect personal information.
  • Data processors/Service providers: An entity that does the actual collecting, storing, processing and/or transferring of personal information.
  • Large data holders: An entity that does at least one of the following:

    • Have a gross annual revenue of at least $250 million in the preceding calendar year
    • Collect, transfer or process personal data from 5 million or more individuals or devices
    • Collect, transfer or process sensitive personal data from 200,000 or more individuals or devices

The ADPPA has an exemption for "small businesses," which it defines as an entity that can prove the following for the prior 3 calendar years:

  • Has earned $41 million or less in annual revenue, on average
  • Has collected, transferred or processed personal data from fewer than 200,000 individuals or devices
  • Has earned 50% or less of its annual revenue from data transferring

Non-profits usually fall under the "small business" exemptions as well.

Argentina's Personal Data Protection Act (PDPA)

Under Argentina's Personal Data Protection Act (PDPA), a business is any public or private organization that processes the personal data of residents of Argentina and does so within Argentina's territory.

Australia Privacy Act of 1988

The Australia Privacy Act of 1988 defines a business as an organization or government agency that has an annual revenue of over $3 million, and collects or discloses personal information for some sort of service, benefit or advantage. This includes buying, selling or trading.

An organization is defined by the Act to include any of the following:

  • Individuals, including sole traders, who are not working in a personal capacity
  • Partnerships
  • Corporations
  • Unincorporated associations
  • Trusts

Small businesses are defined as an organization with an annual revenue of $3 million or less. Some small businesses will have some obligations under the Act, including the following:

  • Businesses that buy or sell personal information
  • Businesses that have opted in to the Privacy Act
  • Businesses that are involved in credit reporting
  • Businesses acting as a contracted service provider under a contract with the Australian Government
  • Private sector health service providers such as a medical practitioner, private hospital, therapist, chiropractor, gym, or private school
  • Businesses that are related to another business that is covered by the Privacy Act
  • Any employee association that is either registered or recognized under Australia’s Fair Work (Registered Organisations) Act 2009
  • Businesses that hold accreditation under the Consumer Data Right System

Brazil's LGPD

Brazil's LGPD has an extremely broad definition of business. Under the LGPD, a business includes any organization, non-profit, government entity or individual that does one of the following:

  • Processes personal information of people located in Brazil, or
  • Processes data that was collected in Brazil, even if processed elsewhere

Processing includes a range of activities including collection, storage, use, transfer, sale, etc.

There is no size or financial turnover requirement as seen with most other privacy laws. This means even small businesses and sole proprietors must comply.

California AB 2426: Consumer Protection: False Advertising: Digital Goods

Under CA AB 2426, a business is a business that sells or advertises digital goods to California consumers.

"Digital goods" is defined quite broadly and includes digital books, apps, games, digital audio/visual works, digital codes and more.

There are a few exemptions, including subscription-based services that allow access to digital goods solely for the duration of the subscription, and transactions where the seller is unable to revoke access to the digital good after the buyer completes the purchase.

California Age-Appropriate Design Code Act (CAADCA)

Under the CAADCA, a "business" is any for-profit entity that is both:

  • Subject to the California Consumer Privacy Act (CCPA/CPRA), and
  • Provides online products, services or features that are likely to be accessed by children under the age of 18

To be a business subject to the CCPA/CPRA, the business must meet at least one of the following criteria:

  • Have an annual gross revenue of over $25 million
  • Buy, share or sell personal information from 100,000 or more California households or residents
  • Make 50% or more of its annual revenue from sharing or selling personal information from California residents

California Automatic Renewal Law

Under this law, a business is any business that sells recurring memberships, or other services sold under a subscription model to consumers that are located in California.

California Data Breach Law

Under the California Data Breach Law, a business is defined as a for-profit entity that conducts business in California, collects personal information, and meets at least one of the following criteria:

  • Has an annual gross revenue of over $25 million
  • Buys, shares or sells personal information from 100,000 or more California households or residents
  • Makes 50% or more of its annual revenue from sharing or selling personal information from California residents

California Delete Act

Under the California Delete Act, a business is defined as a for-profit entity that collects personal information, does business in California, and meets at least one of the following criteria:

  • Has an annual gross revenue of over $25 million
  • Buys, shares or sells personal information from 100,000 or more California households or residents
  • Makes 50% or more of its annual revenue from sharing or selling personal information from California residents

CalOPPA: California Online Privacy Protection Act

Under CalOPPA, a business is any entity, regardless of location, that operates a commercial website or mobile app and collects personal information from residents of California.

CAN-SPAM

Under CAN-SPAM, the focus is on business/commercial messages rather than on the status of the sender. For example, an individual can send a message that would fall under CAN-SPAM, even though he is technically not a business.

CCPA/CPRA

Under the CCPA/CPRA, a business is defined as a for-profit entity that:

  • Collects personal information,
  • Does business in California, and
  • Meets at least one of the following:

    • Has a gross annual revenue of more than $25 million
    • Annually buys, sells, or shares personal information of 100,000 or more consumers or households
    • Derives more than 50% of its annual revenue from selling or sharing consumers' personal information

Children and Teens' Online Privacy Protection Act (COPPA 2.0)

Under COPPA 2.0, a business will be any website, online service, web app, mobile app, and IoT that is reasonably likely to be used by children and/or teens, and that collects personal data from anyone under the age of 17.

China's Draft Personal Information Protection Law (PIPL)

Under China's PIPL, a business is any business or individual that handles the personal information of individuals located in China. The location of the individual or business doesn't matter.

Colorado Privacy Act

The Colorado Privacy Act defines a business as "data controllers" that conduct business from within Colorado or directly target Colorado residents with their commercial products or services, and do at least one of the following:

  • Process or control the personal data of 100,000 or more consumers during one calendar year, or
  • Obtain revenue or receive a discount on the price of goods/services from their sale of personal data and process or control the data of at least 25,000 consumers.

Computer Misuse Act 1990

Under this act, a business is any organization or entity that owns, operates, or uses computer systems, networks, or data for commercial or operational purposes. It also includes businesses that engage in unauthorized and illegal computer activities, such as hacking, spreading viruses/malware, or altering software or data.

Connecticut Personal Data Privacy and Online Monitoring

Under the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA), a business is a person that:

  • Conducts business in Connecticut or produces products/services targeted to Connecticut residents, and
  • During the preceding year, controlled or processed the personal data of 100,000 or more consumers, or
  • Controlled or processed the personal data of 25,000 or more consumers and derived more than 25% of their gross revenue from selling that personal data

COPRA: The Consumer Online Privacy Rights Act

Under COPRA, a business is defined as any entity that is subject to the Federal Trade Commission Act.

Some smaller businesses are excluded, such as those that:

  • Make less than $25 million in annual revenue,
  • Process data of fewer than 100,000 individuals, and
  • Don't derive 50% or more of their revenue from transferring personal data

Delaware Online Privacy and Protection Act

Under the DOPPA, businesses are entities that run websites, online services, mobile or web apps that are accessible by residents of Delaware.

Delaware Personal Data Privacy Act (DPDPA)

Under the Delaware Personal Data Privacy Act (DPDPA), a business is defined as an entity that conducts business either from within Delaware, or outside of the state but targets Delaware residents, and either:

  • Processes or controls the personal data of 35,000 or more consumers, or
  • Processes the personal data of 10,000 or more consumers and earns more than 20% of its gross annual revenue from the selling of personal data.

District of Columbia Uniform Personal Data Protection Act of 2021: Bill 24-451

Under this act, a business is defined as any entity that either collects or uses personal data from consumers. It is extremely broad in definition.

ePrivacy Regulation

Under the ePrivacy Regulation, a business is defined as both businesses and individuals that are engaged in any electronic forms of direct marketing such as emails, phone calls, or SMS/other types of messages.

It also includes developers that create software or websites if such platform uses cookies and other similar types of tracking technologies.

EU Cookies Directive

Under the EU Cookies Directive, a business is a website operating within the EU that uses cookies or similar tracking technologies to collect personal data from the website's visitors.

EU Data Governance Act (DGA)

Under the DGA, a business is defined as a data intermediary, which is any entity or organization that facilitates the sharing and reuse of data by connecting data holders with data users.

Examples of this would be marketplaces, platforms and other types of outlets that make it possible to easily share and access data.

EU Omnibus Directive

Under this EU directive, business is defined as all entities doing business online and selling to EU consumers. This applies regardless of where the business is located, so long as it has an online marketplace and customers making purchases from within the EU.

Florida Digital Bill of Rights

Under the Florida Digital Bill of Rights (FDBR), a business, or a data controller, is an entity that earns over $1 billion in global annual revenue and either:

  • Derives 50% or more of that revenue from online advertisements, or
  • Operates a consumer smart speaker or an app store with 250,000 or more applications

Florida Privacy Protection Act: SB 1864

This act defines businesses as "controllers" that meet the following requirements:

  • Any entity that is organized or operated for the financial benefit or profit of its owners or shareholders
  • Does business in Florida or provides services or products to residents of the state
  • Determines the means and purposes of processing a consumer's personal information, alone or jointly with others

If an entity meets either of the following, it will also be considered a business/controller under this act:

  • Controls the processing of the personal information of 100,000 or more consumers who are not covered by an exception under SB 1864 during one calendar year, or
  • Controls or processes the personal data of at least 25,000 consumers who are not covered by an exception under SB 1864 and derives 50 percent or more of its global annual revenues from selling consumers' personal information

GDPR

Under the GDPR, a business is any organization, regardless of its location, that processes personal information from any individual located in the EU/EEA.

Processing includes providing goods and services, monitoring behavior, and collecting personal information.

HIPAA

Under HIPAA, a business (or business associate, as the act calls it) is a person or entity that performs or assists in performing an activity or a function that involves using or disclosing individually identifiable health information.

Some examples would be a person or entity that engages in data analysis, claims processing, or administration work.

Illinois Biometric Information Privacy Act (BIPA)

BIPA defines business as any company or private entity that does the following:

  • Conducts business in Illinois, and
  • Collects biometric data from residents of Illinois, or makes decisions involving processing biometric data

Illinois Geolocation Privacy Protection Act

The Illinois Geolocation Privacy Protection Act defines business very broadly to cover individuals, partnerships, corporations, limited liability companies, associations or other groups.

India Digital Personal Data Protection Act (DPDP)

Under this act, a business is defined as any organization, company, firm, or individual that processes digital personal data, regardless of whether the business is inside of India or not, and meets one of the following:

  • If they offer goods or services to residents of India, or
  • The business's data processing activities are related to the offering of goods or services to residents of India

India IT Act of 2000 (Information Technology Act)

This act doesn't officially define business, but the act applies to businesses and individuals who:

  • Collect, store or process personal data, and
  • Maintain a physical business presence within India's borders

It also applies to third-party intermediaries who own and maintain servers within India.

India Personal Data Protection Bill (PDPB)

Under this bill, a business is referred to as a data fiduciary. This is defined as any entity that operates in India's territory, whether they are government or private, that engages in the collection, storage, or processing of any digital personal data.

Indiana's Consumer Data Protection Act (CDPA)

Under this act, a business is defined as any entity that operates in Indiana or targets Indiana residents, and either:

  • Controls or processes the personal data of 100,000 or more Indiana residents, or
  • Processes the personal data of 25,000 or more Indiana residents and derives over 50% of its gross revenue from the selling of personal data

Iowa Consumer Data Protection Act (CDPA)

Under this act, a business is defined as an entity that conducts business in Iowa or produces products or services targeted to Iowa residents, and either:

  • Controls or processes the personal data of 100,000 or more Iowa residents, or
  • Controls or processes the personal data of 25,000 or more Iowa residents and obtains over 50% of its gross annual revenue from the selling of personal data

Japan Act on the Protection of Personal Information (APPI)

Under this act, a business includes all business operators that handle personal data of people located in Japan. This applies regardless of whether the business is located in Japan or elsewhere.

Kentucky Consumer Data Protection Act (KCDPA)

Under this act, a business is an entity that either conducts business in Kentucky or produces products or services targeted to Kentucky residents, and during any one calendar year, either:

  • Controls or processes the personal data of 100,000 or more consumers, or
  • Controls or processes the personal data of 25,000 or more consumers and makes over 50% of its gross revenue from the selling of personal data

Kids Online Safety Act (KOSA)

Under this act, a business is a "covered platform" and is defined as a social network, video streaming service, or any other application that both connects to the internet and is likely to be used by minors.

Louisiana Data Breach Law

Under this law, a business is defined as any individual, legal entity, or agency that either:

  • Conducts business in Louisiana, or
  • Owns or licenses computerized data that contains personal information

Malaysia Personal Data Protection Act (PDPA)

Under this act, a business is defined as any individual or entity that handles, or controls the handling, of personal data for purposes of commercial transactions.

Maryland Personal Information Protection Act (PIPA)

This act defines business very broadly as a sole proprietorship, partnership, corporation, association, or any other business entity, including financial institutions and their parent or subsidiary companies. Even non-profit entities are covered as a business.

Michigan Personal Data Privacy Act

This act defines business with a very broad scope to include any corporation, partnership, proprietorship, limited liability partnership, joint venture, trust or business trust, association, joint stock company, syndicate, cooperative, limited liability company, or any other organization.

Minnesota Consumer Data Privacy Act (MNCDPA)

Under this act, a business is referred to as a controller and is defined as a legal entity that conducts business in Minnesota or targets Minnesota residents, and either:

  • Processes the personal data of at least 100,000 consumers, or
  • Processes the data of at least 25,000 consumers and earns over 25% of its total gross revenue from the selling of personal data

Minnesota Student Data Privacy Act (MSDPA)

Under this act, a business is defined as:

  • A technology provider that contracts with public educational agencies or institutions in order to provide school-issued devices to students to use, and
  • Creates, receives, or maintains educational data

Montana Consumer Data Privacy Act (MCDPA)

Under this act, a business is defined as an entity that conducts business in Montana, or produces products or services that are directly targeted at Montana residents, and either:

  • Processes the personal data of 50,000 or more Montana residents, or
  • Processes the personal data of 25,000 or more Montana residents and earns over 25% of its total gross revenue from the selling of personal data

Nebraska Data Privacy Act (NDPA)

Under this act, a business is any entity that meets the following requirements:

  • Conducts its business in Nebraska or offers a product or service that is directly consumed by Nebraska residents,
  • Processes or sells personal data, and
  • Is not a "small business" as of January 1, 2024 under the federal Small Business Act

Nevada Consumer Health Data Privacy Law

Under this act, a business is referred to as a "regulated entity" and includes any person who:

  • Conducts business in Nevada or directly targets its products or services to consumers in Nevada, and
  • Determines the purposes and means of how consumer health data will be processed, shared, or sold

Nevada's Internet Privacy Law: SB 220

Under this law, a business or "operator" is defined as:

  • A person/individual or business entity that owns or operates a website or online service for commercial purposes, and
  • Collects and maintains protected information from residents of Nevada, and
  • Targets residents of Nevada through its business activities

New Hampshire Privacy Law (Senate Bill 255)

Under this law, a business is defined as an entity that either conducts business in New Hampshire or produces products/services targeted towards New Hampshire residents, and meets at least one of the following:

  • Controls or processes the personal data of 35,000 or more individual consumers, or
  • Controls or processes the personal data of 10,000 or more individual consumers and also derives over 25% of its total gross annual revenue from selling personal data

New Jersey Privacy Law (SB 332)

Under this law, a business is defined as any corporation, association, sole proprietorship, partnership, limited liability company, or other legal entity that's organized or operated for profit, that collects consumers' personal information.

Non-profit organizations are excluded.

New York Privacy Act

Under this act, a business is any entity that meets the following criteria:

  • It operates or has a business presence in New York, or produces products or services that are specifically created for or targeted towards residents of New York, and

    • Has an annual gross revenue of at least $25 million, or
    • Controls or processes personal data of at least 50,000 consumers, or
    • Derives more than 50% of its total gross revenue from selling personal data

New York SHIELD Act

Under this act, a business is considered to be any person or business that meets the following:

  • Either owns or licenses computerized data, and
  • That data includes the personal and private information of any resident of the state of New York, and
  • The individual or business is required by statute to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information

New Zealand Privacy Act 2020

Under this act, a business, or "agency," is defined as any person, organization, or business that collects and stores personal information about individuals.

This applies to both the public and private sector. Individuals acting solely in a personal or domestic capacity are excluded.

Online Eraser law (CA)

Under this law, a business is an operator of a website, online service or online application, or a mobile application.

Oregon Consumer Privacy Act (OCPA)

Under this act, a business is defined as any entity that does the following:

  • Conducts business in Oregon or provides products or services to Oregon residents, and either:

    • Controls or processes personal data of at least 100,000 consumers, or
    • Processes personal data of at least 25,000 consumers and derives at least 25% of its annual gross revenue from the selling of personal data

Pennsylvania's Consumer Data Privacy Act (PCDPA)

This act defines businesses as data processors or data controllers who deal with personal information of people residing in Pennsylvania.

PIPEDA: Personal Information Protection and Electronic Documents Act

Under this act, a business is defined as being a private sector organization that's engaging in commercial activities such as collecting, processing/using or sharing/selling/disclosing personal information in the course of those commercial activities.

Privacy and Electronic Communications Regulations (PECR)

Under this law, a business is defined as any individual or organization that does any of the following:

  • Provides public electronic communications networks or services (such as ISPs or operators of mobile networks)
  • Engages in electronic marketing (such as by phone, email, or text), or
  • Uses cookies or similar types of technologies on their website, or compiles public directories of people and their personal information

Quebec Privacy Law: Bill 64

Under this law, a business is any organization, whether in the public or private sector, that "carries on an enterprise" in Quebec and collects, uses, or discloses (sells, shares, etc.) any personal information about individuals located in Quebec.

Rhode Island Data Transparency and Privacy Protection Act (DTPPA)

Under this act, a business is defined as:

  • A for-profit entity that either conducts business in Rhode Island or produces products, goods or services that are targeted towards residents of Rhode Island, and
  • During the preceding calendar year has either:

    • Controlled or processed personal data of 35,000 or more Rhode Island residents, or
    • Controlled or processed personal data of at least 10,000 residents and has derived over 20% of its total gross revenue from the selling of personal data

Saudi Arabia Personal Data Protection Law (PDPL)

Under this law, business is defined very broadly and includes any entity (including individuals, legal entities, and public bodies) that:

  • Processes personal data within Saudi Arabia, or
  • Processes personal data belonging to individuals who are residing in Saudi Arabia

If the processing is done for family or personal purposes, this will be excluded and not covered by the law.

SOPIPA: Student Online Personal Information Protection Act

Under this act, a business is any operator of a website, online service or mobile application that is either designed for and marketed to K-12 schools for school purposes, or that has actual knowledge that their website, online service or mobile app is being used for such a purpose even if not designed or marketed for such purpose.

South Africa POPI Act

This act defines business very broadly to include any organizations or companies that process personal information of residents of South Africa. It doesn't matter where the organization or company is located (either within or outside of South Africa).

Swedish Protective Security Act

Under this act, a business is a public or private organization that is involved in activities that are sensitive to security, such as activities related to national defense, communications, energy or transportation.

Swiss New Federal Act on Data Protection (nFADP)

This act defines business quite broadly as any company, regardless of global location, that offers its goods or services to Swiss citizens. There are different responsibilities for businesses categorized as data controllers versus data processors.

Tennessee Information Protection Act (TIPA)

This act defines businesses as any business that produces and targets goods or services to Tennessee residents, and:

  • Earns over $25 million in annual revenue, and either:

    • Controls or processes personal information from 25,000 or more consumers and earns more than 50% of its gross annual revenue from selling personal information, or
    • During one calendar year, it controls or processes personal information from 175,000 consumers or more

Terms of Service Labeling, Design and Readability Act (TLDR)

This act defines businesses as those doing business online. Small businesses are exempt.

Texas Data Privacy and Security Act (TDPSA)

This act defines business very broadly as any entity or individual that:

  • Conducts business in Texas or produces a product or service that is consumed by residents of Texas, and
  • Processes or sells personal data in the course of operating, and
  • Is not considered to be a small business as defined by the Small Business Administration (SBA)

Thailand's Personal Data Protection Act (PDPA)

Under this act, a business is any entity that either collects, uses, or discloses personal data. It applies to entities regardless of their location so long as they are offering goods or services to Thai residents, or monitoring the online behavior of Thai residents.

Turkey KVKK

Under this law, a business is defined as any business or individual regardless of global location that collects or processes data of Turkish data subjects.

Utah Consumer Privacy Act

Under this act, a business is defined as having at least $25 million in annual revenue and meeting at least one of the following thresholds:

  • The business controls or processes the personal data of 100,000 or more residents of Utah in a year, or
  • The business controls or processes the personal data of 25,000 or more residents of Utah in a year and derives at least 50% of its gross annual revenue from the selling of personal data

The following types of organizations are exempt:

  • Governmental entities
  • Nonprofit corporations
  • Institutes of higher education
  • Native American tribes
  • Covered entities and business associates, as defined by HIPAA
  • Financial institutions regulated by the Gramm-Leach-Bliley Act

Utah Genetic Information Privacy Act (GIPA)

Under this act, a business is any direct-to-consumer genetic testing company, or a company that either:

  • Offers consumer genetic testing products or services directly to consumers, or
  • Collects, uses, or analyzes genetic data provided by a consumer

Vermont Security Breach Notice Act

Under this act, a business is defined as any data collector/entity that deals with (handles, collects, shares, sells, etc.) non-public personally identifiable information (PII) related to a resident of the state of Vermont.

A business will also be an entity that owns or licenses computerized PII.

Virginia Consumer Data Protection Act (CDPA)

This act defines a business as someone who conducts business in the state of Virginia, or who produces products or services that are targeted to Virginia residents, and meets one of the following:

  • Controls or processes the personal data of 100,000 or more consumers in one calendar year, or
  • Controls or processes personal data of 25,000 or more consumers and derives over 50% of its total gross revenue from the selling of personal data

Washington D.C. Security Breach Protection Amendment Act of 2019

Under this act, a business is any person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District of Columbia. This is a very broad definition that encompasses most businesses.

Washington My Health, My Data Act (WMHMDA)

Under this act, a business is referred to as a regulated entity. A regulated entity for purposes of the act is any legal entity that:

  • Conducts business in the state of Washington or targets products/services to Washington consumers, and
  • Determines why and how consumer health data is to be collected, processed, shared, or sold

Wyoming's Genetic Data Privacy Act

Under this act, a business is defined as a direct-to-consumer genetic testing company, or any person or company that offers genetic testing products or services directly to consumers, or who collects, uses, or analyzes such genetic data that's provided to them directly by a consumer.

Summary

As you can see, what counts as a "business" for purposes of privacy law scope is not always the same. It varies greatly from law to law, and region to region. Knowing what laws your business falls under the scope of can help you know where to direct your compliance efforts.
