July 1st, 2024, marked the introduction of three (3) new state privacy laws that became effective in the United States.
Florida
Florida's Digital Bill of Rights introduces new consumer privacy protections for Florida residents by providing individuals the right to confirm whether their personal data is being processed, the ability to obtain a copy of that data, correct any inaccuracies found, opt-out of the sale of their personal data, and to make requests for deletion. Under the Law, data controllers are obligated to respond to individuals with privacy right requests within 45 days.
This law significantly enhances the privacy rights of Florida residents, putting the state in line with other progressive data protection regulations. Businesses operating in Florida will need to update their data handling practices and implement new processes to comply with these requirements.
Oregon
The Oregon Consumer Privacy Act (OCPA) applies to businesses that control or process personal data of 100,000+ Oregon residents or 25,000+ consumers while deriving 25%+ of their annual revenue from selling personal data. What differentiates the OCPA from several other state privacy laws is two-fold: 1) it includes fewer exemptions than other state laws provide, and 2) it applies to both for-profit and non-profit entities.
The OCPA's broad scope and limited exemptions make it one of the more comprehensive state privacy laws in the U.S. Its application to non-profit organizations is particularly noteworthy, as it sets a new precedent for privacy regulation in the non-profit sector.
Texas
The Texas Data Privacy and Security Act (TDPSA) affects businesses operating in Texas or that target Texas residents whose personal data is sold or processed, and do not qualify as a small business under the SBA's definitions. Unlike the OCPA above, it exempts not-for-profit organizations from the mandates and provides for a 30-day cure period for violations. The Act also directs businesses to comply with consumer data subject requests, conduct regular data protection assessments, provide privacy notices to consumers, and have a contractual relationship in place with their third-party data processors.
The TDPSA brings Texas into the growing group of states with comprehensive privacy laws. Its 30-day cure period for violations offers businesses some flexibility in addressing compliance issues, while still maintaining strong protections for consumers.
To learn more about the mandates outlined in the TDPSA, the Texas State Attorney General released a Memorandum dated July 1, 2024, providing guidance. To understand the potential impacts of the new regulations on your organization, Gray Reed Advisory has published three prior blogs in a series that delve into the mandates and how to implement compliance using leading practices:
- Texas Data Privacy and Security Act Compliance Countdown: Part 1 – Enabling Consumer Rights Requests
- Texas Data Privacy and Security Act Compliance Countdown: Part 2 – Conducting Data Protection Assessments
- Unpacking the Texas Data Privacy & Security Act: A Company's Guide for Navigating Compliance
Conclusion
The introduction of these three new state privacy laws on July 1st, 2024, marks a significant milestone in the evolving landscape of data protection in the United States. Florida, Oregon and Texas have joined the ranks of 14 other states prioritizing consumer privacy rights and data security, each with its own unique approach and requirements.
These laws reflect a growing trend towards more comprehensive and stringent data protection regulations at the state level, in the absence of a federal privacy law. Businesses operating across multiple states now face an increasingly complex compliance landscape, necessitating a thorough review and potential overhaul of their data handling practices.
As more states enact similar legislation, companies must stay vigilant and adaptable. Implementing robust data protection measures, establishing clear privacy policies and maintaining transparency with consumers will be crucial for compliance and building trust in this new era of privacy regulation.
Organizations should consider seeking expert guidance to navigate these new requirements effectively and efficiently. By proactively addressing these privacy mandates, businesses can not only avoid potential costly penalties but also demonstrate their commitment to protecting consumer data, ultimately strengthening their relationships with customers and stakeholders.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.