Most modern state privacy laws attempt to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. While the specific thresholds differ between states, many of the new statutes only apply to organizations that control or process personal information relating to at least 100,000 state residents.[1] Many organizations struggle to quantify the number of state residents about whom they have personal information, and often consider whether analytics reports that show the number of “visits” to their website from certain regions (e.g., a specific state) suggest they have met, or exceeded, the thresholds.
