Three new states, Texas, Oregon, and Florida, join a growing list of states with data privacy laws that outline how to collect and use customer information.
Montana follows in October.
Understanding these new regulations is crucial for businesses of all sizes, as non-compliance can lead to hefty fines and reputational damage.
Here's a breakdown of the key aspects of each state's law:
Texas Data Privacy and Security Act:
- Broadest Scope: The Act applies to entities conducting business in Texas or offering products and services consumed by Texas residents, and that process or sell personal data. This means large businesses are covered, but unlike most other state laws, the Act offers an exemption for small businesses (except those processing sensitive data) and nonprofits.
- Focus on Sensitive Data: The Act requires businesses to obtain opt-in consent before processing or selling "sensitive personal data" such as social security numbers, health information, and precise geolocation data.
- Consumer Rights: Texas residents gain rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the ability to opt out of the sale of their data and targeted advertising. This reminds me of a similar approach for patients under HIPAA.
Oregon Consumer Data Privacy Act:
- Thresholds and Exemptions: This provision applies to businesses that either control or process the personal information of at least 100,000 Oregon residents (excluding data used for payment transactions) or process information of at least 25,000 residents while deriving over 25% of gross revenue from selling personal data. Non-profits are included.
- Unique Inclusion: The provision incorporates "derived data" into the definition of personal data. This potentially extends compliance obligations to inferences a business makes about consumers, not just the data it collects from them.
- Enhanced Consumer Rights: Similar to Texas, Oregon residents gain rights to access, correct, delete, and obtain a portable copy of their data. Additionally, Oregon grants the right to know the specific third parties to whom a business discloses their data.
Florida Digital Bill of Rights:
- Narrowest Scope: Florida's law applies only to a limited group of large data controllers. These controllers must have annual gross revenue exceeding $1 billion, operate a business in Florida, and meet at least one of the following criteria: 1. Derive more than 50% of revenue from selling online ads, including targeted advertising. 2. Operate a consumer smart speaker and voice command component service. 3. Operate an app store with more than 250,000 apps.
- Focus on Sensitive Data: Similar to Texas, Florida requires obtaining express consent before selling an individual's sensitive information.
What Businesses Need to Do:
- Compliance Assessment: Businesses that operate in these states or target residents there should conduct a compliance assessment to determine if they fall under the purview of these laws.
- Review and Update Practices: Existing privacy notices and data collection practices need to be reviewed and updated to comply with the specific requirements of each state law.
- Develop Consent Mechanisms: Businesses collecting sensitive data must obtain opt-in consent from consumers before processing or selling such data.
- Respond to Consumer Requests: Processes for receiving and responding to consumer requests regarding data access, correction, deletion, and exercising opt-out rights need to be established.
These new laws represent a significant shift in the data privacy landscape and highlight the growing trend of state regulations in the absence of a comprehensive federal law. With additional states enacting similar legislation in the coming years, businesses must stay informed and adapt their practices to remain compliant.
It's important to note that this is a simplified overview, and each state law has its own nuances. Businesses are advised to consult with legal counsel to ensure full compliance with the specific requirements of each jurisdiction.
This is critical for businesses of all sizes. Understand the new requirements and avoid costly non-compliance issues.
Main Points Across the States
- New consumer rights: Grants access, correction, deletion, and portability of personal data.
- Focus on sensitive data: There are stricter requirements for collecting and using data like social security numbers or health information.
- Actions Required: Update privacy notices, develop processes for consumer requests, and potentially obtain consent for sensitive data collection.
In addition, new consumer privacy laws in Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee will become effective in 2025, with two other states (Indiana and Kentucky) taking effect in 2026.