New State Privacy Laws Take Effect in 2024‎

Laura Lemire
Schwabe, Williamson & Wyatt PC
Contact
LinkedIn
Facebook
X
Send
Embed

Schwabe, Williamson & Wyatt PC

On July 1, 2024, Florida’s Digital Bill of Rights, Oregon’s Consumer Privacy Act, and the Texas Data Privacy and Security Act will take effect. And on October 1, 2024, Montana’s Consumer Data Privacy Act will become law.

For anyone counting, twelve U.S. states have passed comprehensive privacy laws since the California Consumer Protection Act of 2018. All these state laws provide individuals with rights to access, delete, and opt out of the sale of their personal information, as well as require businesses to honor such rights, disclose details about the personal information they collect and process, and meet accountability measures. Though the laws have much in common, they differ in key areas which may materially affect your business. For example, they vary in their applicability thresholds and in the provision of certain individual rights.

Here is a closer look at the state comprehensive laws that take effect in 2024.

  • Florida’s Digital Bill of Rights (FDBR). The FDBR differs from most state comprehensive privacy laws in its scope, so it’s often excluded from the count of state comprehensive privacy laws. It is said to regulate “Big Tech,” since it primarily applies to businesses that have at least $1 billion in gross annual revenue and (1) derive at least half of their revenue from digital ad sales; (2) operate large app stores or digital distribution platforms; or (3) offer their consumers smart speakers with voice-enabled assistants. Like other state privacy laws, the FDBR embodies commonly understood privacy principles, such as transparency, accountability, and data minimization, and it provides users choice and control with respect to certain types of personal information and uses of personal information. The act provides consumers with an array of rights vis-à-vis their personal information, requires businesses to supply privacy notices, and sets limits to the collection, use, and retention of personal information. The FDBR also features unique provisions related to online protections for minors and government-directed content moderation.
  • Oregon’s Consumer Privacy Act (OCPA). This act applies to those who conduct business in Oregon, or provide products or services to state residents; and during the calendar year either (1) process personal information of at least 100,000 state consumers, or (2) process the personal information of 25,000 state consumers and derive more than 25% of revenue from the sale of personal information. Unlike other state privacy laws, the OCPA sets no revenue threshold and applies to nonprofits, who have an additional year to comply. The act guarantees consumers a variety of privacy rights common to other state privacy laws, and requires businesses to furnish comprehensive privacy notices; limit their collection of personal information to what is adequate, relevant, and reasonably necessary to serve the purposes the business provides notice of; implement and maintain reasonable safeguards; ensure contracts with key provisions are in place with processors; and conduct data protection assessments where consumers face heightened risks. Further, the OCPA requires consent to process sensitive information, to use personal information for secondary purposes, and to handle personal information of consumers ages 13-15 in certain instances. Look for our upcoming client alert for more details about the OCPA.
  • The Texas Data Privacy and Security Act (TDSPA). This act applies broadly to anyone who does business in Texas or provides products or services to Texas residents. “Small businesses,” which are defined by industry by the Small Business Administration, are exempt, unless they sell sensitive data that requires prior consumer consent. Like other state privacy laws, the TDPSA promises consumers a number of privacy rights. The act requires businesses to provide comprehensive privacy notices; limit their collection of personal information to what is adequate, relevant, and reasonably necessary to serve the purposes the firm provides notice of; implement and maintain reasonable safeguards; ensure contracts with key provisions are in place with processors; and conduct data protection assessments where consumers face heightened risks. Like the OCPA, the TDPA requires consent to process sensitive information and to use personal information for secondary purposes.
  • Montana’s Consumer Data Privacy Act (MCDPA). The MCDPA applies to those doing business in the state, or providing products or services targeted to state residents, and who (1) process the personal information of at least 50,000 state residents, or (2) process the personal information of 25,000 state residents and derive more than 25 percent of revenue from the sale of personal information. The act is much like other state privacy laws in its establishment of consumer privacy rights and requirements for businesses. Like Oregon’s privacy law, the MCDPA contains heightened requirements for the processing of personal data of consumers aged 13-15.
Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Schwabe, Williamson & Wyatt PC | Attorney Advertising

Written by:

Schwabe, Williamson & Wyatt PC
Schwabe, Williamson & Wyatt PC
Contact
more
less

Schwabe, Williamson & Wyatt PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide