The Next Iteration of Privacy: What Businesses Should Know About New Privacy Laws in Oregon, Texas, and Florida
As businesses enter the third quarter of 2024, they need to contend with three new state privacy laws. The Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, and Florida Digital Bill of Rights all came into effect on July 1. With consumer data privacy laws already in effect in California, Colorado, Connecticut, Utah, and Virginia, many national and international companies need to confirm compliance with the eight state privacy laws currently in force.
With even more state privacy laws scheduled to come into effect within the next two years, consumer privacy regulation in the United States has become increasingly challenging for businesses. Many businesses are struggling with the daunting task of determining which laws apply to them and what they need to do to comply. Although there are many similarities between these laws, there are some nuances that businesses should take into consideration as they seek to update their external website documentation and internal compliance procedures.
In this article, we take a look at some of the more significant differences between the Texas, Oregon, and Florida laws.
Applicability Thresholds
How can a company determine whether it falls within the scope of a particular state consumer privacy law? Typically, state privacy laws specify a minimum number of consumers for which personal data is processed, or a smaller minimum number of consumers if the business derives a specific percentage of revenue from selling personal data. These are the primary thresholds that trigger the applicability of a state privacy law, although some, like the California Consumer Privacy Act and the Utah Consumer Privacy Act, incorporate revenue directly into the applicability analysis.
Consistent with the majority of state privacy laws, the Oregon Consumer Privacy Act includes a data processing volume threshold, applying to any entity that conducts business in Oregon or provides products or services to Oregon residents, and that, during a calendar year, controls or processes (1) the personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) the personal data of 25,000 or more consumers while deriving 25 percent or more of annual gross revenue from selling personal data.
In contrast, the bulk of the obligations under the Florida Digital Bill of Rights (FDBR) apply to entities that, among other things, make more than $1 billion in global gross annual revenue and that satisfy at least one of the following: (1) derive 50 percent or more of global gross annual revenue from the sale of advertisements online (including providing targeted advertising); (2) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (3) operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. In other words, FDBR applicability does not depend on exceeding a threshold number of consumers for data processing. Instead, FDBR applicability is narrowly confined to a specific set of very large businesses based on revenue and certain business activities.
The Texas Data Privacy and Security Act takes yet another approach to applicability. The TDPSA generally applies to entities that (1) conduct business in Texas, or produce products or services used by Texas residents; (2) process or engage in the sale of personal data; and (3) are not small businesses as defined by the U.S. Small Business Administration. There are no revenue thresholds or minimum numbers of individuals here. Instead, applicability will depend on the size of a business relative to a specific industry, as defined by the Small Business Administration.
Entity-Type Exemptions
All state data privacy laws contain an assortment of entity or data-specific exemptions, although the laws vary significantly in this area as well. Some exempt certain types of entities (for example, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) or health care entities subject to the Health Insurance Portability and Accountability Act (HIPAA)). Others exempt certain categories of data (for example, data subject to Title V of the GLBA, or protected health information subject to HIPAA). Therefore, it is important to confirm whether the exemption applies to the entity as a whole or to a specific type of data. For example, the Texas law does not apply to financial institutions or data subject to the GLBA. In contrast, the Oregon law exempts only information collected, processed, sold, or disclosed in accordance with the GLBA.
Most but not all of the state privacy laws also contain exemptions for other categories of businesses, such as nonprofit organizations or institutions of higher education. It is important for businesses to be cognizant of these other exemptions and any exceptions to the typical exemptions. For example, unlike most state privacy laws, the Oregon law does not contain a general exemption for nonprofit organizations. The Oregon law exempts public corporations, including the Oregon Health and Science University and the Oregon State Bar, as well as nonprofits established to detect and prevent fraudulent acts in connection with insurance, or those that are engaged in noncommercial activity when providing programming to radio or television networks. Oregon does provide additional time for nonprofit organizations to comply – until July 1, 2025.
Privacy Policy Disclosures
All data privacy laws require businesses to publish privacy policies that describe how personal information is collected and used. They also generally require privacy policies to disclose whether the business sells personal data to third parties, or processes it for purposes of targeted advertising or profiling. For example, the Oregon law requires privacy policies to include a clear and conspicuous description of any processing of personal data for the purpose of targeted advertising or profiling. But under the Florida and Texas laws, businesses that engage in the sale of sensitive data must specifically include the following disclosure in their privacy policies: “NOTICE: We may sell your sensitive personal data.” Businesses that engage in the sale of biometric data must also specifically include the following disclosure in their privacy policies: “NOTICE: We may sell your biometric personal data.”
Data Subject Rights
Data subject rights commonly granted by state consumer privacy laws include the right to know and access, right to correct, right to delete, right to data portability, and right to opt out of the sale of personal data, targeted advertising, or profiling. Oregon grants consumers an additional right to obtain a list of specific third parties to which a business has disclosed personal data. The Florida law also includes a right to opt out of the collection or processing of sensitive data, as well as the right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
Definition of “Sensitive Data”
Many state privacy laws define “sensitive data” to include personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual, the personal data of a child, and precise geolocation data. The definition of sensitive data in the Oregon law also includes a consumer’s national origin, status as transgender or non-binary, and status as a victim of crime.
Looking Ahead
As more state consumer privacy laws come into effect over the course of the next couple of years, businesses should carefully consider whether they are covered and adjust their privacy compliance programs to account for the different requirements and nuances in the applicable laws. The Montana Consumer Data Privacy Act will become effective in October. Other states with privacy laws coming into force within the next several years include Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island, and Tennessee. These laws contain many of the same major features found in the eight laws that are already in effect, but there are slight differences and nuances that can have a significant impact on applicability and requirements. As more states enact data privacy laws, keeping track of the differences will be an important, and in some ways challenging, exercise in developing and maintaining an adaptable compliance program. Furthermore, Congress appears unlikely to pass a comprehensive federal privacy law anytime soon. On April 7, U.S. Senator Maria Cantwell, Chair of the Senate Committee on Commerce, Science and Transportation, and U.S. Representative Cathy McMorris Rodgers unveiled draft legislation for the American Privacy Rights Act. There have been some updates to the draft since then, as well as a Senate Commerce Committee hearing on the “Need to Protect Americans’ Privacy and the AI Accelerant”. However, significant hurdles remain, and we do not anticipate a federal data privacy law passing this year.
About the Authors
Carolyn Ho and Sarah Rugnetta are New York-based attorneys at Constangy, Brooks, Smith & Prophete LLP and members of the firm’s Constangy Cyber Team, which may be reached at [email protected].