Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.
For July 1, 2024
The three additional state omnibus consumer privacy laws coming into effect on July 1st are:
Oregon’s An Act Relating to Protections for the Personal Data of Consumers (Oregon Privacy Law)
The Oregon Privacy Law is the most distinctive of the three laws going into effect on July 1. It departs in several significant ways from the California, Colorado and Virginia models that state legislatures have used to date when drafting their consumer privacy laws. For a state of its size, Oregon also sets a relatively low applicability threshold: (i) controlling or processing the personal data of 100K+ consumers (other than data processed solely for completing payment transactions) or (ii) controlling or processing the personal data of 25K+ consumers while deriving 25% or more of annual gross revenue from selling personal data (i.e., exchanging personal data for monetary or other valuable consideration). The Oregon Privacy Law also applies to most nonprofit organizations, which further expands its reach.
Key provisions of the Oregon Privacy Law are:
- A controller’s privacy notice must describe how “third parties” process the personal data that the controller shares with them. The term “third parties” excludes a controller’s affiliates and processors (including the processors’ affiliates), so in practice this notice requirement applies only to third parties to which the controller has sold personal data. Note, however, that some of a controller’s vendors may not qualify as processors under the Oregon Privacy Law, in which case such a vendor could be a third party subject to this requirement.
- Upon request from a consumer, a controller must provide details on personal data disclosures to third parties. The controller can choose to provide (i) the list of third parties to which the controller has disclosed the consumer’s personal data; or (ii) the list of third parties to which the controller has disclosed any consumer’s personal data.
- A controller must obtain consent to process sensitive data, subject to exceptions typical of other states (e.g., to process a consumer request).
- The definition of sensitive data includes status as transgender or nonbinary and status as a victim of a crime, neither of which is specifically included in many of the other state laws, as well as categories commonly found in other state consumer privacy laws, such as the personal data of a child (under 13 years of age) and a consumer’s present or past location within a radius of 1,750 feet.
- A controller must provide an “effective” method for a consumer to revoke previously given consent to process the consumer’s personal data and must honor the revocation within 15 days after receipt of the request.
- A controller must provide a method for consumers to opt out of the processing of personal data for targeted advertising and must accept global browser signals as an opt-out. Unlike the California Consumer Privacy Act (“CCPA”) or the Colorado Privacy Act (“CPA”), the Oregon Privacy Law sets no specific requirements for the signal type and does not call for implementing regulations that could supply such specifications. An opt-out method is also required for sales of personal data and for profiling. The controller must authenticate that each consumer request, including an opt-out request, comes from the consumer or the consumer’s authorized agent. This follows the Virginia approach, which Texas has also adopted, and differs materially from California, which specifically prohibits authenticating opt-out requests absent a reasonable suspicion of fraud.
- No private right of action is available. The Oregon AG may bring an action if, after issuing a notice of a violation, the controller fails to cure the violation within a thirty-day cure period. Unlike some other states, the cure right does not sunset.
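The opt-out-signal requirement above has an established technical counterpart: the Global Privacy Control (GPC) signal, which a browser or extension sends as the HTTP request header `Sec-GPC: 1` (and exposes to scripts as `navigator.globalPrivacyControl`). The following is an added example, not code from the original post or from any regulator, showing how a server could honor that header as an opt-out from targeted advertising and sale. It assumes request headers arrive as a plain dict, that the consumer has already been identified (hypothetical `consumer_id`), and that an in-memory dict stands in for a real consent-management store; the purpose names and the `lastUpdate` date are illustrative assumptions.

```python
"""Honor the Global Privacy Control (GPC) header as a universal opt-out.

Added example; assumptions: headers are a dict, consumer identity is
resolved upstream, and the store is an in-memory stand-in for a real
consent database.
"""
import json

GPC_HEADER = "Sec-GPC"
# Purposes the signal opts the consumer out of (names are an assumption).
OPT_OUT_PURPOSES = ("targeted_advertising", "sale")


def gpc_signal_present(headers):
    """Return True only when the request carries Sec-GPC with the value "1".

    HTTP header names are case-insensitive. Per the GPC specification the
    only meaningful value is "1"; "0", empty, or anything else is treated
    as no signal rather than as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


class ConsentStore:
    """Tracks per-consumer opt-outs; absence of a signal never clears one."""

    def __init__(self):
        self._opt_outs = {}  # consumer_id -> set of opted-out purposes

    def apply_request(self, consumer_id, headers):
        """Record the GPC opt-out (if signalled) and return current opt-outs."""
        prefs = self._opt_outs.setdefault(consumer_id, set())
        if gpc_signal_present(headers):
            prefs.update(OPT_OUT_PURPOSES)
        # A later request without the header is not a revocation of the
        # opt-out: revocation must come through an explicit consumer action.
        return frozenset(prefs)

    def may_process(self, consumer_id, purpose):
        """Gate downstream processing (ad targeting, data sales) on the opt-out."""
        return purpose not in self._opt_outs.get(consumer_id, set())


def gpc_well_known():
    """Body for /.well-known/gpc.json, advertising that the site honors GPC.

    The lastUpdate value is an illustrative assumption.
    """
    return json.dumps({"gpc": True, "lastUpdate": "2024-07-01"})


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample requests: one with the signal, one without.
    print(store.apply_request("c1", {"Sec-GPC": "1", "User-Agent": "x"}))
    print(store.apply_request("c1", {"User-Agent": "x"}))  # opt-out persists
    print(store.may_process("c1", "sale"))                 # False
```

Because the post notes that Oregon, unlike California, does not specify the signal type, a controller cannot rely on a regulator-defined format; treating the de facto standard `Sec-GPC: 1` as an opt-out is the conservative choice, and the store deliberately never treats the signal's absence as renewed consent.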
Texas Data Privacy and Security Act (TDPSA)
The most notable aspect of the TDPSA is the broad scope of applicability. Unlike most of the other state privacy laws (except the newly enacted Nebraska Data Privacy Act), an organization is in TDPSA’s scope if it offers products or services used by Texas residents and processes or sells personal data, regardless of revenue or number of personal data records processed. TDPSA does, however, offer a limited exception for small businesses (as defined by the United States Small Business Administration). More details are available here.
Florida’s Consumer Privacy Bill and Bill of Rights (Florida Privacy Law)
Most of the Florida Privacy Law’s requirements apply only to large online businesses, such as social media platforms. All for-profit organizations conducting business in Florida and collecting Florida consumers’ personal data must, however, obtain consumer consent before selling sensitive data. The Florida Privacy Law’s other requirements (which are similar to those in the other state consumer privacy laws) apply only to an organization operating for profit in Florida and collecting Florida consumers’ personal data that has at least $1 billion in global gross revenue and meets at least one of three additional criteria: it derives 50%+ of its global gross annual revenue from online advertisement sales, operates a consumer smart speaker with an integrated virtual assistant, or operates a mobile app store or digital distribution platform offering 250,000 or more different software applications for consumers to download and install. We discuss the Florida Privacy Law in more detail here and here.
Beyond July 1
As of July 1, 2024, eight (counting Florida) state omnibus consumer privacy laws will be in effect, and 10 more enacted state omnibus privacy laws come into effect thereafter, with more state legislatures expected to enact consumer privacy laws in the coming months, including Vermont, which has sent a bill with a limited private right of action to its Governor. The enacted laws not yet in effect are:
- Montana Consumer Data Privacy Act – effective October 1, 2024
- Delaware Personal Data Privacy Act – effective January 1, 2025
- Iowa’s Act Relating to Consumer Data Protection – effective January 1, 2025
- New Hampshire’s Act Relative to the Expectation of Privacy – effective January 1, 2025
- Nebraska’s Data Privacy Act – effective January 1, 2025
- New Jersey Data Protection Act – effective January 15, 2025
- Tennessee Information Protection Act – effective July 1, 2025
- Maryland Online Data Privacy Act – effective October 1, 2025, but data processing activities that occur before April 1, 2026 are out of scope
- Indiana Consumer Data Protection Act – effective January 1, 2026
- Kentucky’s Act Relating to Consumer Data Privacy – effective January 1, 2026
Compliance Considerations
Although an organization’s privacy compliance choices will vary based on its size, budget, industry, and the type and volume of personal data it processes (among other factors), the following are some core operational actions to consider between now and July 1st:
- Update privacy notices and related disclosures to address the requirements of the state consumer privacy laws with a July 1st effective date, and consider whether to fold the requirements of the 2025 and 2026 laws into the July 1 update or to apply them on a rolling basis as each law becomes effective. An organization that updates its US privacy notice effective July 1, 2024, to cover all the consumer privacy laws that go into effect in 2024 and through July 1, 2025, has the added benefit of resetting the 12-month lookback required under the California Consumer Privacy Act. This avoids having to revise the US privacy notice again for the January 1, 2025 deadline at year’s end, when stakeholders are often managing multiple competing business priorities, and potentially postpones further updates until July 1, 2025.
- Update internal processes (such as consumer rights request intake and response practices and assessment requirements) and, again, consider whether to address only the laws with a July 1st effective date or to follow a rolling approach based on effective dates. For example, an organization could decide to address the requirements of all currently enacted laws now, to help avoid potential future violations, but choose separately whether to honor rights requests from consumers residing in states with an enacted but not yet effective law.
- Consider whether to design compliance on a jurisdiction-by-jurisdiction basis or to apply a high-water mark nationwide, i.e., follow the strictest requirement among all state consumer privacy laws regardless of whether a particular law applies to the organization. The latter design offers administrative simplicity, while the former maximizes the organization’s personal data processing options.