

Privacy Law Patchwork Expands: Two New State Laws Join the Data Protection Mosaic

07 Aug 2024 IP, IT and Data Protection

On July 1, 2024, two more U.S. states joined the data privacy law landscape, with Texas and Oregon being the latest states to have data privacy laws become effective.  This now makes 7 states with effective state privacy laws.  Montana’s law is due to become effective on October 1 of this year, and 11 other states have passed similar laws which will become effective in 2025 and 2026.  Entities that interact with consumers, have publicly available websites, and collect personal data from people in the U.S. must stay abreast of the newly effective laws, assess their applicability, and adapt or modify privacy policies and practices to ensure compliance.

As the number of state privacy laws grows, adding to the complexity of compliance, early 2024 hopes for the passage of a federal privacy law have dimmed. The American Privacy Rights Act (APRA), introduced by a bipartisan group in Congress on April 7 of this year, was initially well received; however, momentum stalled amidst heavy industry, state, and political opposition, including complaints about APRA’s private right of action, the preemption of state privacy laws, and the removal of certain anti-discrimination and anti-bias provisions.

Below is a brief summary of the newly effective laws.

Texas

Like other state privacy laws, the Texas law (HB 4) applies to businesses operating in or serving residents of the state that process or sell personal data and are not “small businesses” (as that term is defined by the U.S. Small Business Association), while exempting certain entities such as state agencies, financial institutions governed by specific federal laws, healthcare entities subject to HIPAA, nonprofits, higher education institutions, and certain utility companies. The law requires controllers to provide consumers with a reasonably accessible and clear privacy notice detailing the categories of personal data processed, purposes for processing, how consumers can exercise their rights, and information about data sharing with third parties, while also mandating specific notices for the sale of sensitive or biometric data and clear disclosure of data sales or targeted advertising practices. Data subjects must be given the option to opt out of certain automated decision making and targeted advertising. There is no private right of action for violations, as enforcement is conducted by the state Attorney General.

Oregon

Oregon’s SB 619 applies to businesses operating in or serving residents of the state that process personal data of 100,000 or more consumers, or 25,000 or more consumers while deriving 25% or more of annual gross revenue from selling personal data. The Oregon law requires controllers to provide consumers with a privacy notice specifying the purposes for collecting and processing personal data, limit data collection to what’s necessary for specified purposes, implement safeguards to protect personal data, and provide an effective means for consumers to revoke consent. Controllers must obtain consent for processing sensitive data and for targeted advertising or selling personal data of consumers aged 13-15. The law grants consumers various rights, including access, correction, deletion, and the right to opt out of certain automated decision making and targeted advertising. Enforcement is conducted by the state Attorney General through investigative demands, with no mention of a private right of action.

Oregon v. Texas: Similarities and Differences

Both the Texas (HB 4) and Oregon (SB 619) laws share several common features. They both apply to businesses operating in or serving residents of their respective states and focus on the protection of personal data. Both laws grant consumers similar rights, including the right to access, correct, delete, and opt out of certain data processing activities such as automated decision making and targeted advertising. They also require controllers to provide clear privacy notices detailing how personal data is collected, used, and shared. Both laws mandate obtaining consent for processing sensitive data and prohibit discrimination against consumers who exercise their rights. Enforcement in both states is primarily conducted by the state Attorney General, with no explicit mention of a private right of action.

The laws differ in their specific applicability thresholds. While Texas doesn’t specify a numerical threshold, Oregon’s law applies to businesses processing data of 100,000 or more consumers, or 25,000 or more while deriving 25% of revenue from selling data. Oregon’s law includes more detailed provisions on consent revocation, requiring controllers to cease processing within 15 days of receiving a revocation. Oregon also has specific provisions for consumers aged 13-15, requiring consent for targeted advertising or selling their data. The Texas law explicitly mentions exemptions for certain entities like state agencies, financial institutions, and healthcare entities, which are not clearly stated in the Oregon text provided. Texas also requires specific notices for the sale of sensitive or biometric data, which isn’t mentioned in the Oregon text. Lastly, the Texas law gives the Attorney General the power to evaluate data protection assessments, a detail not mentioned in the Oregon text.

***

Entities that do business in these states or collect data from persons in those states, such that these laws may be applicable, should consult counsel and ensure that their privacy policies and practices are updated and in compliance.

In conclusion, the privacy law landscape in the United States continues to evolve rapidly, with Texas and Oregon joining five other states in enacting comprehensive data protection legislation.  In October 2024, Montana’s privacy law will become effective, and it has some similarities to the many other effective state privacy laws. However, Montana’s law has some distinctive features, including a unique applicability threshold based on the number of residents whose data is processed, the absence of a general revenue threshold for applicability, and a 60-day cure period for violations before the Attorney General can take action.

These new laws, while sharing common features such as consumer rights and privacy notice requirements, also present unique challenges due to their specific provisions and applicability thresholds. As more states prepare to implement similar laws in the coming years, and with federal privacy legislation facing obstacles, businesses must remain vigilant and adaptable in their approach to data privacy compliance, navigating an increasingly complex patchwork of state-level regulations.

For more about our series of privacy and data protection intelligence, see https://www.clm.com/understanding-tech-terms-cybersecurity-crypto-and-data-privacy-part-i/ and https://www.clm.com/understanding-tech-terms-cybersecurity-crypto-and-data-privacy-part-ii/