Unlike the General Data Protection Regulation (GDPR) in the European Union (EU), the United States does not have a nationwide comprehensive data privacy law. Instead, the United States applies a sectoral approach to its privacy landscape, which allows privacy regulations to only apply to specific industries. As a result, states across the country have stepped into the void and passed their own data privacy laws to protect their own residents’ data. California was the first to pass a state privacy legislation and has the most comprehensive state privacy laws with the enactment of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The CCPA was signed into law in June 2018 and was subsequently amended by the CPRA in November 2020. The CPRA established the California Privacy Protection Agency (CPPA), which implements and enforces California’s privacy laws. Following California’s implementation of the CCPA and CPRA, many other states have implemented their own data privacy laws. In 2023, multiple state privacy laws became effective, including the Colorado Privacy Act (signed into law in 2021), the Connecticut Data Privacy Act (signed into law in 2022), the Utah Consumer Privacy (signed into law in 2022), and the Virginia Consumer Data Protection Act, (signed into law in 2021).

Continuing this trend, in 2024, three more state privacy laws will come into effect. These new privacy laws include the Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, and Texas Data Privacy and Security Act. Below is a brief summary of what these three new privacy laws require:

Montana Consumer Data Privacy Act

• Modeled after the Connecticut Data Privacy Act, the Montana Consumer Data Privacy Act limits the collection of personal data to only “adequate, relevant, and reasonably necessary” information, and it requires opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising;
• Applies to persons that conduct business in this state, or persons that produce products or services aimed at residents of the state who either:
  • Controls or processes personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or
  • Controls or processes personal data of no less than 25,000 consumers and earns over 25 percent of their gross revenue from selling personal data; and
• Grants Montana consumers the right to opt out of data collection and processing, and requires both businesses and third parties to implement reasonable protective measures to ensure data security.

Oregon Consumer Privacy Act

• Similar to the Colorado Privacy Act, the Oregon Consumer Privacy Act applies to commercial business providing and targeting goods and services to Oregon residents;
• The Act does not provide for a general exemption for non-profit organizations. It does provide for specific exemptions for some non-profit organizations;
• It requires a controller’s privacy notice to illustrate “all categories of third-parties with which the controller shares at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data[;]” and
• Grants Oregon residents within their individual capacity certain access and control rights with respect to their personal data and imposes transparency and disclosure obligations on the data controller.

Texas Data Privacy and Security Act

• Similar to the state privacy laws in Iowa and Utah with the Virginia Consumer Data Protection Act appearing to serve as its foundation, the Texas Data Privacy and Security Act is generally more “business-friendly” in comparison to the state privacy laws of California, Connecticut, and Colorado.
• Texas is the second largest state after California to enact a comprehensive consumer data privacy law.
• The Act applies to persons or entities that: conduct business in the state or produce products or services targeted to Texas residents; process or engage in the sale of personal data; and are not a “small business” as defined by the United States Small Business Administration (U.S. SBA).
  • Notably, the Act adopts a first-of-its-kind carveout for "small businesses" as defined by the U.S. Small Business Administration;
• The law includes several key components including:
  • A first of its kind, “Small Business Exception” allowing certain small businesses to be exempt from the provisions of the Act while also expanding the law’s reach to impact many (or most) companies that do business in the state;
  • Requires the data processor provide notice that it may sell the sensitive personal data collected;
    • Specifically, the Act requires the controller to include the following notice: "NOTICE: We may sell your sensitive personal data."
  • Universal opt-out mechanism requirement for the sale of personal data and targeted advertisements in 2025; and
  • Consent requirement to process sensitive personal data.

In addition to Montana, Oregon, and Texas having new privacy laws take effect in 2024, even more states across the United States currently have proposed privacy-related bills moving through their state legislatures. These proposed bills include: the Maine Consumer Privacy Act and Data Privacy and Protection Act, the Massachusetts Information Privacy and Security Act and Internet Bill of Rights, the Michigan Personal Data Privacy Act, the New Jersey Disclosure and Accountability Transparency Act, the North Carolina Consumer Privacy Act, the Ohio Personal Privacy Act, and the Pennsylvania Consumer Data Privacy Act and Consumer Data Protection Act. It is clear that states are taking the privacy of their residents’ data seriously and are moving quickly to protect it. Spilman will continue to monitor the passage of new state privacy laws in order to assist our clients with compliance with an ever-evolving patchwork of privacy laws throughout the country.