State Privacy Law Updates Coming in July 2024 and Beyond
Friday, June 7, 2024

We’re halfway through 2024. Are you wondering what you need to think about for your privacy program in the rest of 2024? At the federal level, at the time of this alert, the American Privacy Rights Act remains at the committee level and many steps remain before a federal law is a reality. While we wait, we keep a close watch on the very active state-level privacy requirements.

Below, we highlight key changes coming at the start of the third quarter, with the following new state laws effective July 1, 2024: 

Texas

  • Subject to certain exceptions, companies that conduct business in Texas or provide products and services to Texas consumers, process or sell personal data, and are not a small business as defined by the U.S. Small Business Administration, will be subject to the Texas Data Privacy and Security Act. Unlike many other U.S. states that have data processing volume thresholds for privacy law applicability, Texas does not have a threshold.
  • Texas follows many existing US state privacy laws in its requirements on controllers and the data rights available to Texas consumers. It has additional restrictions on data brokers and requires specific disclosures for businesses that sell sensitive data or biometric data. 
  • On June 4, 2024, just ahead of the effective date for the Texas law, the Texas Attorney General’s office announced it will establish a dedicated enforcement team for privacy issues within its Consumer Protection Division. Its enforcement priorities are the Texas Data Privacy and Security Act, Texas’s data broker, biometric privacy, data breach, and unfair and deceptive trade practice laws, and federal privacy laws such as HIPAA and COPPA. 

Oregon

  • Subject to certain exceptions, companies that conduct business in Oregon or provide products and services to Oregon consumers, and that during a calendar year either control or process personal data of 100,000 or more Oregon consumers (excluding personal data processed solely for completing a payment transaction) or personal data of 25,000 or more Oregon consumers and derive 25% or more of their annual gross revenue from such sales, will be subject to the Oregon Consumer Privacy Act.
  • Oregon also follows many other U.S. state privacy laws, but has some deviations to consider. Oregon’s definition of sensitive data specifically includes, among the typical data points, data revealing status as transgender or nonbinary and status as a victim of a crime. Oregon consumers also have a unique data right, the right to request a business to provide a list of specific third parties (but not processors) with whom the business shares personal data. The business may decide to respond with a consumer-specific answer or list all third parties with whom it shares personal data.

Florida

  • Florida’s Digital Bill of Rights will apply to a limited set of companies that meet the following criteria: conduct business in Florida, collect personal data about Florida consumers, make in excess of $1 billion in global gross annual revenues, and meet one of the following: derive 50% or more of that revenue from sale of ads online, operate a consumer smart speaker and voice command cloud-based system using hands-free verbal cues, or operate an app store or digital platform with at least 250,000 software applications for Florida consumers to download and install.

Also beginning July 1, Colorado will require regulated businesses to provide a Universal Opt-Out Mechanism on their digital platforms that allows Colorado consumers to opt out of the sale of their personal data or use for targeted advertising. The Colorado Attorney General maintains a universal opt-out shortlist of approved tools that meet Colorado’s privacy regulations. Those regulated by California’s privacy law must already provide this functionality on their digital platforms. 

More states are on the way in 2024 and beyond. Montana’s Consumer Data Privacy Act takes effect October 1, 2024. As of the date of this alert, the 2025 wave of state comprehensive privacy laws includes Delaware, Iowa, Nebraska, New Hampshire, and New Jersey, all in January; Tennessee and Minnesota in July; and Maryland in October. The 2026 wave includes Indiana and Kentucky, both in January.

We continue to monitor for amendments to the existing state privacy laws and those states with rulemaking authority for new or revised regulations. State AGs are also sharing their enforcement priorities and communications about their state laws.
