The past couple of years have seen a number of states enact comprehensive privacy laws. Thus far, California, Colorado, Connecticut, Utah, and Virginia have enacted state privacy laws. In July, we will see three new privacy laws take effect in Texas, Oregon, and Florida. A privacy law in Montana will become effective on October 1.
Businesses should assess whether they are covered by these new laws and, if so, confirm compliance before the effective dates. Here is a summary of the laws taking effect on July 1:
- Texas Data Privacy and Security Act. The TDPSA applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a “small business” as defined by the U.S. Small Business Administration. The TDPSA excludes other categories of businesses, such as non-profit organizations, institutions of higher education, and entities subject to the Health Insurance Portability and Accountability Act and the Graham-Leach Bliley Act; however, the exclusion for small businesses is unique to Texas. Small businesses that meet the first two requirements must still obtain consent from website users and customers before selling sensitive personal data. The TDPSA will take effect on July 1, but businesses will have until January 1, 2025, to recognize universal opt-out mechanisms such as the Global Privacy Control.
- Oregon Consumer Privacy Act. The OCPA applies to entities that conduct business in Oregon, or that provide products or services to Oregon residents; and that during a calendar year, control or process (1) the personal data of 100,000 consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) the personal data of 25,000 or more consumers, while deriving 25 percent or more of annual gross revenue from selling personal data. Non-profit organizations are generally not exempt from the OCPA. However, the law exempts non-profits (1) specifically established to detect and prevent fraudulent acts in connection with insurance, or (2) that engage in non-commercial activity in providing programming to radio or television networks. The OCPA will take effect on July 1, but non-profit organizations that are not exempt will have until July 1, 2025, to comply. Controllers will have until January 1, 2026, to recognize universal opt-out mechanisms.
- Florida Digital Bill of Rights. The Florida Digital Bill of Rights applies to entities that (1) conduct business in Florida, or produce a product or service used by Florida residents; and (2) process or engage in the sale of personal data. The law does not apply to businesses with less than $1 billion in gross annual revenue, so many large organizations will not be covered. Even with high-revenue businesses, the law will not apply unless the businesses (1) derive 50 percent or more of global gross annual revenues from the sale of advertisements online, including targeted advertising and the sale of ads; (2) operate a consumer smart speaker and voice command component service with an integrated virtual assistance connected to a cloud computing service that uses hands-free verbal activation; or (3) operate an app store or digital distribution platform that offers at least 250,000 software applications for consumers to download and install. Given the narrow applicability of the Digital Bill of Rights, many do not consider this to be a comprehensive data privacy law.
Businesses subject to any of these new state laws should confirm that they have implemented appropriate policies, are making the appropriate disclosures in privacy notices, have procedures in place to handle data subject requests, and have processes for conducting data protection impact assessments if needed. Businesses covered by the Texas and Oregon laws will also need to recognize universal opt-out mechanisms by 2025 and 2026, respectively.
As more state privacy laws come into effect, and as other states pass their own comprehensive privacy laws, the complexity of data privacy compliance continues to increase.
The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Jason Cherry
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Allison Prout
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou