This year has so far proven to be quite active in terms of state privacy legislation. In 2022, California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws on the books, all set to take effect in 2023. Then, earlier this year, Iowa, Indiana, and Tennessee enacted their own respective comprehensive privacy laws. Iowa’s and Tennessee’s laws will take effect in 2025, and Indiana’s law will take effect in 2026.
Three more state privacy laws have now joined the crowd: the Montana Consumer Data Privacy Act, Florida’s SB 262 (which includes the “Florida Digital Bill of Rights” provisions), and the Texas Data Privacy and Security Act.
This post will cover the highlights of these three new laws.
Montana Consumer Data Privacy Act
On May 19, Governor Greg Gianforte (R) signed the MCDPA into law, and it will take effect on October 1, 2024. The MCDPA will apply to entities that conduct business in Montana, or that produce products or services that are targeted to Montana residents and that (1) control or process the personal data of not less than 50,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of their gross revenues from the sale of personal data. The 50,000-consumer threshold is significantly lower than the 100,000-consumer thresholds in many other state comprehensive privacy laws.
Montana will require businesses to recognize opt-out preference signals starting January 1, 2025. There is no such requirement under the Iowa, Indiana, and Tennessee laws.
The MCDPA provides a 60-day cure period for covered entities, which will sunset on April 1, 2026.
Florida SB 262
On June 7, Gov. Ron DeSantis (R) signed Senate Bill 262 into law, and it will take effect on July 1, 2024. Along with the Florida Digital Bill of Rights provisions, which generally follow the same framework seen in many of the other state comprehensive privacy laws (but with some noticeable differences and additions), SB 262 also contains prohibitions on government-directed content moderation of social media platforms, as well as requirements for the protection of children in online spaces. The provisions prohibiting government-directed content moderation of social media platforms will become effective starting July 1 (this Saturday).
The definition of “controller” under the Florida Digital Bill of Rights is much narrower than that of other state laws. Under the Florida law, a “controller” is a business that has more than $1 billion in global gross annual revenues, and that satisfies at least one of the following criteria: (a) derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including targeted advertising and the sale of ads; (b) operates a consumer smart speaker and voice command component service with an integrated virtual assistance connected to a cloud computing service that uses hands-free verbal activation; or (c) operates an app store or digital distribution platform that offers at least 250,000 software applications for consumers to download and install.
The Florida Digital Bill of Rights also requires privacy notices to include specific disclosures if a controller engages in the sale of sensitive personal data or biometric data.
In addition to the rights of access, correction, deletion, and data portability, the Florida Digital Bill of Rights also gives consumers the right to opt out of the collection or processing of sensitive data (including precise geolocation data), and the right to opt out of the collection of personal data collected through the operation of voice recognition or facial recognition features.
Texas Data Privacy and Security Act
On June 18, Gov. Greg Abbott (R) signed the TDPSA into law. The TDPSA will take effect on July 1, 2024. The way in which the TDPSA assesses scope and applicability is unique, applying to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not “small businesses” as defined by the U.S. Small Business Administration. The SBA maintains a Table of Small Business Size Standards Matched to North American Industry Classification System Codes. The SBA size standards are for the most part expressed in either revenue amounts or number of employees, and can vary widely between businesses and industries. In its March 2023 FAQ, the SBA’s Office of Advocacy generally defined a small business as an independent business having fewer than 500 employees. Small businesses that meet the first two requirements for TDPSA coverage are still subject to Section 541.107 of the TDPSA, which states that small businesses may not engage in the sale of sensitive personal data without receiving prior consent from consumers.
Like the Montana law, the TDPSA will require covered entities to recognize opt-out preference signals starting January 1, 2025.
Like the Florida law, the TDPSA requires privacy notices to include specific disclosures if a covered entity engages in the sale of sensitive personal data or biometric data.
The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.