On July 1, 2024, a new wave of state consumer privacy laws will go into effect in Florida, Oregon, and Texas, ushering in additional obligations for companies. This wave of new laws will be closely followed by a Montana consumer privacy law taking effect on October 1, 2024. In advance of these dates, businesses should assess whether these laws apply and, if applicable, update their privacy programs to account for key changes relating to sensitive data, consumer rights processes, and privacy notices. Even businesses that are fully compliant with the state laws effective today will need to make changes to address novel provisions within the new laws.
Additional businesses may be swept in by unique applicability provisions
As with existing omnibus privacy laws, to determine whether a company is subject to the new Montana and Oregon laws, a business that operates in these states should look to whether it meets each state's respective threshold for processing personal data from a certain number of consumers or deriving a certain percentage of revenue from the sale of personal data.
Rather than imposing a processing or revenue threshold, Texas's privacy law applies broadly to any company that operates in Texas, processes personal data of Texas consumers, and is not a small business as defined by the Small Business Administration. Even businesses not subject to other states' privacy laws may be subject to Texas obligations if they are not considered small businesses. Additionally, some provisions of Texas law apply even to small businesses if those businesses engage in sales of sensitive personal data.
Most obligations of the Florida law apply only to "controllers," a term defined—more narrowly than in many other states—to apply generally to businesses that exceed $1 billion in annual revenue and are engaged in specific business activities. Notably, however, certain provisions relating to the sale of sensitive personal data apply more broadly to any business that operates in the state and processes personal data about Florida consumers.
Businesses should update their consent processes for sensitive data
Businesses, including small businesses in Texas, should carefully assess whether they engage in any processing activities that would be considered "sales" of sensitive data under Texas's and Florida's broadly applicable sensitive data provisions. Even if no other provisions of these laws apply to the business, a business that engages in such sales should seek consent from the consumer before selling sensitive data and update their privacy notice to include specific language required by law.
Montana, Oregon, and Texas join the growing number of states that require businesses to obtain consumer consent before processing any sensitive personal data about that consumer, regardless of whether the business sells sensitive data. Oregon's privacy law adds new categories of data to its "sensitive data" definition, including data revealing a consumer's national origin, status as transgender or nonbinary, or status as a victim of a crime. Additionally, Oregon expands its sensitive data definition to any personal data of a child under 13, rather than limiting this definition to data collected from a "known" child like most other states. Companies should assess whether they process any of these sensitive data elements from Oregon consumers and update their consent processes as appropriate.
Companies that process the personal data of teenage consumers should similarly ensure that appropriate consent processes are in place before engaging in certain processing activities. Businesses should obtain consent from known teens aged 13-15 in Montana and Oregon before processing personal data for sales or targeted advertising and in Oregon before processing for profiling with significant effects. Florida expands the age range to 18, requiring consent before selling the personal data of any minors under 18.
Consumer rights processes should account for new rights and extend to consumers from additional states
Oregon's privacy law creates a new type of consumer access right related to third-party disclosures. Under this law, Oregon consumers will be able to request that a business provide a list of specific third parties to which it has disclosed either personal data about that consumer or any personal data. Companies may choose whether to provide a personalized list or a generic list of all third parties to which it disclosed personal data. To prepare for this new access right, business should begin inventorying entities to which they disclose personal data about Oregon consumers. Companies should then assess whether these entities are considered "third parties" under the Oregon law and, if so, whether an exception may apply, such as Oregon's trade secret exception.
Businesses will also need to extend access, correction, deletion, opt-out, and appeals rights to Montana, Oregon, and Texas consumers. When updating these processes, companies may wish to consider authentication standards in Texas's law that differ from those in many other state privacy laws, as well as Montana's differing definition of "profiling," which is limited to certain types of "solely automated" decisions. Businesses should also take note of exceptions for pseudonymous data from certain consumer requests.
Although such requests are not effective in July, companies should also prepare to honor opt-out requests sent via universal opt-out mechanisms from Montana, Oregon, and Texas consumers. Businesses will be required to honor requests to opt out of sales or processing for targeted advertising from Montana and Texas consumers on January 1, 2025, and from Oregon consumers on January 1, 2026.
Privacy notices should reflect new disclosure requirements and consumer rights
Businesses should review their current privacy notices to ensure they accurately reflect data practices and account for new disclosure obligations. For example, notices should adequately describe third-party sharing practices, contact information, and any new categories of "sensitive data" to comply with new Oregon disclosure requirements. Companies that engage in sensitive data sales of Florida and Texas consumers as described above will need to update their privacy notice to include specific language required by law. Businesses should also assess whether they engage in sales of biometric data about Texas consumers, as similar notice language will need to be added. Finally, businesses should update any relevant disclosures to reflect the availability of relevant consumer rights to Montana, Oregon, and Texas consumers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.