New State Privacy Laws Take Effect Beginning on July 1
State Privacy Law Is Heating Up
In addition to the comprehensive state privacy laws that took effect in 2023, state legislatures have continued to pass new comprehensive privacy laws protecting consumers’ personal data. Five state laws took effect through 2023, three additional broadly applicable laws will take effect this year, eight will become effective in 2025, and three more states have enacted laws set to take effect in 2026. In the years to come, additional states will almost certainly enact legislation to protect their residents’ personal information.
Despite digital privacy concerns making national headlines, the United States remains without a federal omnibus privacy law. In June 2024, a sprawling federal privacy bill (H.R.8818 - American Privacy Rights Act) was formally introduced, aiming to standardize privacy laws across the nation. However, experts are skeptical of its success. In a scenario that draws parallels to a somewhat similar bill that stalled in the US Senate in 2022, the bill was pulled from a June 27 markup over concerns among some members of US Congress about certain aspects of the bill, such as the private right of action. Consequently, as we saw with data breach notification legislation, state laws will continue to proliferate until Congress passes a preemptive bill that the President signs into law.
Current Climate
Managing compliance in the ever-growing digital privacy landscape is challenging. The first step is as simple as assessing whether a given state’s law applies to your business. If applicable, there are common consumer rights that each law includes, such as the right to access, correct, erase, and retrieve personal information. However, there are also distinct features that add complexity to compliance. The following is a brief (non-exhaustive) overview of the applicability and notable features of the state privacy bills taking effect in 2024.
The Florida Digital Bill of Rights (FDBR) – Effective July 1, 2024
The FDBR imposes obligations on controllers[1] who (1) conduct business in Florida, (2) have an annual global revenue of more than $1 billion, and (3) satisfy one of the following criteria:
- Derive 50% of their global gross annual revenue from the sale of online advertisements;
- Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (excluding any in-vehicle smart speaker and voice command services operated by a motor vehicle manufacturer or its affiliates/subsidiaries); or
- Operate an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
Compared to other state privacy laws, the FDBR may not be applicable to many businesses due to its high revenue threshold and narrow criteria. However, for those controllers to whom it does apply, there are some important differences to consider. Fines may be up to $50,000 per violation (the cap in California is just $2,500 for most violations). Moreover, Florida’s broad definition of “personal data,” which includes pseudonymous data, expands the compliance obligations. With enforcement from the Department of Legal Affairs of Florida looming, covered businesses must carefully craft data processing policies and practices to avoid substantial fines.
The Oregon Consumer Privacy Act (OCPA) – Effective July 1, 2024
The OCPA applies to any person (not just controllers) that (1) conducts business in Oregon or provides products or services to residents of Oregon and (2) during that calendar year does one of the following:
- Controls or processes the personal data of 100,000 or more Oregon residents (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Controls or processes the personal data of 25,000 or more consumers while deriving 25% or more of the person’s annual gross revenue from selling personal data.
While many state privacy laws exempt entities and data governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), the OCPA only exempts the data governed by those two laws. Following in California’s footsteps, entities subject to HIPAA and GLBA must adhere to OCPA. Notably, nonprofits, which are typically exempt under other state comprehensive privacy laws (Colorado being the exception), are generally not exempt under the OCPA; however, 501(c)(3) nonprofits do not need to comply until July 1, 2025.
The Texas Data Privacy and Security Act (TDPSA) – Effective July 1, 2024
The TDPSA applies to any person that meets all three of the following:
- Conducts business in Texas or produces a product or service consumed by Texas residents;
- Processes or engages in the sale of personal data; and
- Is not a small business (as defined by the US Small Business Administration).[2]
Notwithstanding its low applicability thresholds, the TDPSA is generally considered more business-friendly than other privacy laws. The TDPSA allows businesses 30 days to cure any alleged violations after receiving notice from the attorney general. Notably, this cure period does not sunset, unlike in California or Colorado, allowing businesses to perpetually avoid penalties so long as they rectify violations promptly (where cure is possible). However, some features of the TDPSA are less business-friendly, such as the additional disclosure necessary for entities that sell sensitive or biometric information.
The Montana Consumer Data Privacy Act (MCDPA) – Effective October 1, 2024
The MCDPA applies to persons that (1) conduct business in Montana or produce products or services targeted to residents of Montana and (2) do at least one of the following:
- Control or process the personal data of 50,000 or more residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Control or process the personal data of 25,000 or more residents and derive more than 25% of gross revenue from the sale of personal data.
The MCDPA is one of the strictest state comprehensive privacy laws. It has a low applicability threshold, which may be a product of the state’s population. The most significant concern for businesses, however, is that the MCDPA does not specify caps on monetary penalties for violations. This gives the Montana attorney general the discretion to dole out higher fines than any other state.
Future Forecast
We are still in the early stages of this legislative revolution. As new state laws continue to come into effect, it is crucial for businesses to invest in robust compliance programs and seek guidance. ArentFox Schiff regularly assists clients in navigating this complex legislative and regulatory environment, ensuring that their privacy policies and personal data processing practices meet the diverse requirements of state laws. By staying ahead of the curve, businesses can avoid regulatory penalties and build trust, thereby enhancing loyalty from their customers.
If you have any questions, please contact our Privacy, Data Protection & Data Security team or the ArentFox Schiff attorney with whom you work.
Additional research and writing from John Keblish, a 2024 summer associate in ArentFox Schiff’s Washington, DC office and a law student at the University of Maryland Francis King Carey School of Law.
[1] For-profit legal entities that collect personal consumer data and determine the means of processing it.
[2] If a small business is selling sensitive personal data, it must obtain prior consent from the consumer or else it may be subject to the TDPSA.