ARTICLE
1 July 2024
On July 1, 2024, a new wave of state consumer privacy laws will go into effect in Florida, Oregon, and Texas, ushering in additional obligations for companies. This wave of new laws will be closely followed by a Montana.
United States Privacy
To print this article, all you need is to be registered or login on Mondaq.com.
On July 1, 2024, a new wave of state consumer privacy laws willgo into effect in Florida, Oregon, and Texas, ushering inadditional obligations for companies. This wave of new laws will beclosely followed by a Montana consumer privacy law taking effect onOctober 1, 2024. In advance of these dates, businesses shouldassess whether these laws apply and, if applicable, update theirprivacy programs to account for key changes relating to sensitivedata, consumer rights processes, and privacy notices. Evenbusinesses that are fully compliant with the state laws effectivetoday will need to make changes to address novel provisions withinthe new laws.
Additional businesses may be swept in by unique applicabilityprovisions
As with existing omnibus privacy laws, to determine whether acompany is subject to the new Montana and Oregon laws, a businessthat operates in these states should look to whether it meets eachstate's respective threshold for processing personal data froma certain number of consumers or deriving a certain percentage ofrevenue from the sale of personal data.
Rather than imposing a processing or revenue threshold,Texas's privacy law applies broadly to any company thatoperates in Texas, processes personal data of Texas consumers, andis not a small business as defined by the Small BusinessAdministration. Even businesses not subject to other states'privacy laws may be subject to Texas obligations if they are notconsidered small businesses. Additionally, some provisions of Texaslaw apply even to small businesses if those businesses engage insales of sensitive personal data.
Most obligations of the Florida law apply only to"controllers," a term defined—more narrowly than inmany other states—to apply generally to businesses thatexceed $1 billion in annual revenue and are engaged in specificbusiness activities. Notably, however, certain provisions relatingto the sale of sensitive personal data apply more broadly to anybusiness that operates in the state and processes personal dataabout Florida consumers.
Businesses should update their consent processes for sensitivedata
Businesses, including small businesses in Texas, shouldcarefully assess whether they engage in any processing activitiesthat would be considered "sales" of sensitive data underTexas's and Florida's broadly applicable sensitive dataprovisions. Even if no other provisions of these laws apply to thebusiness, a business that engages in such sales should seek consentfrom the consumer before selling sensitive data and update theirprivacy notice to include specific language required by law.
Montana, Oregon, and Texas join the growing number of statesthat require businesses to obtain consumer consent beforeprocessing any sensitive personal data about that consumer,regardless of whether the business sells sensitive data.Oregon's privacy law adds new categories of data to its"sensitive data" definition, including data revealing aconsumer's national origin, status as transgender or nonbinary,or status as a victim of a crime. Additionally, Oregon expands itssensitive data definition to any personal data of a child under 13,rather than limiting this definition to data collected from a"known" child like most other states. Companies shouldassess whether they process any of these sensitive data elementsfrom Oregon consumers and update their consent processes asappropriate.
Companies that process the personal data of teenage consumersshould similarly ensure that appropriate consent processes are inplace before engaging in certain processing activities. Businessesshould obtain consent from known teens aged 13-15 in Montana andOregon before processing personal data for sales or targetedadvertising and in Oregon before processing for profiling withsignificant effects. Florida expands the age range to 18, requiringconsent before selling the personal data of any minors under18.
Consumer rights processes should account for new rights andextend to consumers from additional states
Oregon's privacy law creates a new type of consumer accessright related to third-party disclosures. Under this law, Oregonconsumers will be able to request that a business provide a list ofspecific third parties to which it has disclosed either personaldata about that consumer or any personal data. Companies may choosewhether to provide a personalized list or a generic list of allthird parties to which it disclosed personal data. To prepare forthis new access right, business should begin inventorying entitiesto which they disclose personal data about Oregon consumers.Companies should then assess whether these entities are considered"third parties" under the Oregon law and, if so, whetheran exception may apply, such as Oregon's trade secretexception.
Businesses will also need to extend access, correction,deletion, opt-out, and appeals rights to Montana, Oregon, and Texasconsumers. When updating these processes, companies may wish toconsider authentication standards in Texas's law that differfrom those in many other state privacy laws, as well asMontana's differing definition of "profiling," whichis limited to certain types of "solely automated"decisions. Businesses should also take note of exceptions forpseudonymous data from certain consumer requests.
Although such requests are not effective in July, companiesshould also prepare to honor opt-out requests sent via universalopt-out mechanisms from Montana, Oregon, and Texas consumers.Businesses will be required to honor requests to opt out of salesor processing for targeted advertising from Montana and Texasconsumers on January 1, 2025, and from Oregon consumers on January1, 2026.
Privacy notices should reflect new disclosure requirements andconsumer rights
Businesses should review their current privacy notices to ensurethey accurately reflect data practices and account for newdisclosure obligations. For example, notices should adequatelydescribe third-party sharing practices, contact information, andany new categories of "sensitive data" to comply with newOregon disclosure requirements. Companies that engage in sensitivedata sales of Florida and Texas consumers as described above willneed to update their privacy notice to include specific languagerequired by law. Businesses should also assess whether they engagein sales of biometric data about Texas consumers, as similar noticelanguage will need to be added. Finally, businesses should updateany relevant disclosures to reflect the availability of relevantconsumer rights to Montana, Oregon, and Texas consumers.
The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circ*mstances.
