On July 1, 2024, Florida’s Digital Bill of Rights, Oregon’s Consumer Privacy Act, and the Texas Data Privacy and Security Act will take effect. And on October 1, 2024, Montana’s Consumer Data Privacy Act will become law.
For anyone counting, twelve U.S. states have passed comprehensive privacy laws since the California Consumer Protection Act of 2018. All these state laws provide individuals with rights to access, delete, and opt out of the sale of their personal information, as well as require businesses to honor such rights, disclose details about the personal information they collect and process, and meet accountability measures. Though the laws have much in common, they differ in key areas which may materially affect your business. For example, they vary in their applicability thresholds and in the provision of certain individual rights.
Here is a closer look at the state comprehensive laws that take effect in 2024.
- Florida’s Digital Bill of Rights (FDBR). The FDBR differs from most state comprehensive privacy laws in its scope, so it’s often excluded from the count of state comprehensive privacy laws. It is said to regulate “Big Tech,” since it primarily applies to businesses that have at least $1 billion in gross annual revenue and (1) derive at least half of their revenue from digital ad sales; (2) operate large app stores or digital distribution platforms; or (3) offer their consumers smart speakers with voice-enabled assistants. Like other state privacy laws, the FDBR embodies commonly understood privacy principles, such as transparency, accountability, and data minimization, and it provides users choice and control with respect to certain types of personal information and uses of personal information. The act provides consumers with an array of rights vis-à-vis their personal information, requires businesses to supply privacy notices, and sets limits to the collection, use, and retention of personal information. The FDBR also features unique provisions related to online protections for minors and government-directed content moderation.
- Oregon’s Consumer Privacy Act (OCPA). This act applies to those who conduct business in Oregon, or provide products or services to state residents; and during the calendar year either (1) process personal information of at least 100,000 state consumers, or (2) process the personal information of 25,000 state consumers and derive more than 25% of revenue from the sale of personal information. Unlike other state privacy laws, the OCPA sets no revenue threshold and applies to nonprofits, who have an additional year to comply. The act guarantees consumers a variety of privacy rights common to other state privacy laws, and requires businesses to furnish comprehensive privacy notices; limit their collection of personal information to what is adequate, relevant, and reasonably necessary to serve the purposes the business provides notice of; implement and maintain reasonable safeguards; ensure contracts with key provisions are in place with processors; and conduct data protection assessments where consumers face heightened risks. Further, the OCPA requires consent to process sensitive information, to use personal information for secondary purposes, and to handle personal information of consumers ages 13-15 in certain instances. Look for our upcoming client alert for more details about the OCPA.
- The Texas Data Privacy and Security Act (TDPSA). This act applies broadly to anyone who does business in Texas or provides products or services to Texas residents. “Small businesses,” which are defined by industry by the Small Business Administration, are exempt, unless they sell sensitive data that requires prior consumer consent. Like other state privacy laws, the TDPSA promises consumers a number of privacy rights. The act requires businesses to provide comprehensive privacy notices; limit their collection of personal information to what is adequate, relevant, and reasonably necessary to serve the purposes the firm provides notice of; implement and maintain reasonable safeguards; ensure contracts with key provisions are in place with processors; and conduct data protection assessments where consumers face heightened risks. Like the OCPA, the TDPSA requires consent to process sensitive information and to use personal information for secondary purposes.
- Montana’s Consumer Data Privacy Act (MCDPA). The MCDPA applies to those doing business in the state, or providing products or services targeted to state residents, and who (1) process the personal information of at least 50,000 state residents, or (2) process the personal information of 25,000 state residents and derive more than 25 percent of revenue from the sale of personal information. The act is much like other state privacy laws in its establishment of consumer privacy rights and requirements for businesses. Like Oregon’s privacy law, the MCDPA contains heightened requirements for the processing of personal data of consumers aged 13-15.
To learn more about the applicability of these laws, please contact Laura Lemire.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice for your situation, you should contact an attorney.