All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart indicates, the statutes differ in terms of how they define corporate affiliates with some statutes focusing solely on ownership structure while other statutes consider the use of common branding.

Requirements to be considered an affiliate

California 2022

CCPA

California 2023

CPRA

Virginia 2023

VCDPA

Colorado 2023

CPA

Utah 2023

UCPA

Connecticut 2023

CTCPA

Is common branding required in all instances? [1]
Is common branding sufficient unto itself? [2] [3] [4]
Is common control required in all instances? [5] [6] [7]
Is common control sufficient unto itself? [8] [9] [10] [11]
Can control be evidenced by ownership of only 25% of voting shares [12] Unclear[13]
Can control be evidenced by ownership of only 50% of voting shares [14] [15] [16] [17] Unclear[18] [19]
Can control be evidenced by ability to appoint majority of directors? [20] [21] [22] [23] Unclear[24] [25]
Can control be demonstrated by other evidence that indicates a power to influence the management of the company? [26] [27] [28] [29] Unclear[30] [31]