Just in Time for the 4th of July, New Privacy Laws Effective in Texas, Florida, and Oregon
On July 1, 2024, three more U.S. state privacy regulations will take effect. While these laws align with many of the principles established by other state privacy laws, they also introduce unique compliance requirements specific to each state's legislative framework.
As the regulatory landscape continues to evolve, businesses must stay informed and proactive in their compliance efforts. This overview highlights key aspects of forthcoming legal changes that may require updates to your privacy compliance work.
The Texas Data Privacy and Security Act (TDPSA) imposes significant compliance obligations for businesses, excluding small businesses, that operate in Texas or provide products and services to Texas residents.
One notable aspect of the TDPSA is the aggressive enforcement approach by the Texas Attorney General. According to a recent press release, the Texas Attorney General, Ken Paxton, has established a dedicated team within the office's Consumer Protection Division focused on enforcing privacy laws, including the TDPSA. The TDPSA establishes guidelines for how controllers must handle, verify, and respond to consumer privacy requests. Controllers with websites must provide a mechanism for consumers to submit data privacy requests online. For controllers that operate exclusively online and collect personal information directly from consumers, providing an email address for these requests is sufficient.
The TDPSA requires that organizations establish a process allowing consumers to appeal a controller’s refusal to act on a data rights request. The appeal process must be clearly accessible and similar to the process for submitting privacy rights requests. Controllers are required to notify consumers in writing about the actions taken in response to appeals, provide the reasons for their decisions, and inform consumers how they can contact the attorney general to file a complaint.
Beginning January 1, 2025, covered organizations must acknowledge universal opt-out mechanisms, such as the Global Privacy Control, enabling consumers to opt out of the sale of their personal data and its use in targeted advertising (this requirement becomes effective on July 1, 2024, under the Colorado Privacy Act—see below). Under the TDPSA, personal data is defined broadly to include any information that can be linked to an identified or identifiable individual, encompassing pseudonymous and sensitive data. This distinguishes it from other U.S. privacy laws by specifically including pseudonymous data, which requires additional information to attribute it to a specific individual, though the requirements for handling pseudonymous data are relatively limited. A controller that sells personal data or uses it for targeted purposes has the additional obligation to “clearly and conspicuously disclose” such processing and how consumers can exercise their opt-out rights.
The law sets out requirements for data minimization, security, and consumer rights like other state laws, and includes specific notice and opt-in consent requirements for the sale of sensitive or biometric data that apply to all businesses – including those that would otherwise be exempt as a small business. Sensitive data, as defined by the TDPSA, includes information that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexuality, citizenship or immigration status, genetic or biometric data used for identification, data collected from known children, and precise geolocation data. Processing sensitive data is subject to stricter regulations and generally requires obtaining consent from the relevant party. Controllers that sell sensitive data or biometric personal data must post a notice in the same location and manner as the privacy notice, and these respective notices must include the following language:
- For sale of sensitive data, “NOTICE: We may sell your sensitive personal data.”
- For sale of biometric data, “NOTICE: We may sell your biometric personal data.”
The Oregon Consumer Privacy Act (OCPA) also introduces significant changes. What sets Oregon’s privacy law apart is the introduction of a new privacy right not found in other state comprehensive privacy laws: the right to request from a controller a list of specific third parties, excluding natural persons, to whom the controller has disclosed personal data. The controller can respond by naming the third parties that have received either the requesting consumer’s personal data or any personal data. This new right necessitates that companies keep a detailed list of specific third parties rather than merely describing categories of recipients. This emphasizes the importance of maintaining a comprehensive data inventory that includes the types of personal data collected, the reasons for collection, and the parties to whom it is disclosed.
The OCPA applies to entities controlling or processing data of 100,000 Oregon residents or 25,000 residents if over 25% of revenue comes from selling personal information. “Sensitive data” includes the categories set forth in most other comprehensive data privacy laws. However, the OCPA introduces unique elements, such as including data revealing transgender or nonbinary status as part of a broader definition of sensitive data, granting consumers the right to request either a consumer-specific or a general list of the third parties with which their data is shared, and including “derived data” within the definition of personal data.
The OCPA, similar to the California Privacy Rights Act (CPRA), provides a narrower exemption for financial institutions compared to other states’ privacy laws, which generally provide a full exemption for entities considered financial institutions under the federal Gramm-Leach-Bliley Act (GLBA). As a result, financial institutions subject to the GLBA may now need to comply with the OCPA in addition to the CPRA.
The Florida Digital Bill of Rights (FDBR) differs from other U.S. privacy laws by specifically targeting large tech platforms, focusing on businesses with global gross annual revenues exceeding $1 billion that are involved in activities such as selling ads online as a primary business model, operating smart speakers, or running a large app store. The law emphasizes consumer opt-out rights for data collected via voice and facial recognition and includes specific provisions for children's online privacy. The FDBR also prohibits the use of certain device features for surveillance without active consumer authorization and mandates specific data retention schedules.
Violations of the FDBR, similar to those under the Colorado Privacy Act (CPA), are classified as deceptive trade practices. Once the Attorney General notifies an organization of violations in writing, a 45-day cure period may be granted, allowing the organization to address the issues and implement preventive measures without facing penalties. Unlike some of the other state privacy laws, the FDBR does not include a provision to sunset the cure period after a year or two. The cure period does not apply if a violation involves a known child.
Civil penalties under the law may be tripled for any violation involving a Florida child who the online platform has actual knowledge is under 18 years of age.
The Florida law also allows parents to exercise rights on behalf of their children (i.e., act as a child’s agent) and contains an age-appropriate design code for services predominantly accessed by children (those under 18). This is similar to Connecticut’s Data Privacy Act (CDPA), which allows a child's parent or legal guardian to exercise rights on the child's behalf when the child's personal data is being processed.
The FDBR provides that consumer opt-out rights should be made available on the company’s website. The law gives consumers the right to confirm whether their data is processed, obtain a copy of their data, correct any inaccuracies related to their data, and delete their data. Under the FDBR, data controllers are obligated to respond to data subject requests within 45 days following receipt of the request. If the request is complex, data controllers may extend this deadline by up to 15 days.
How The Three New Privacy Laws Stack Up Against Existing Regulations
Unlike the California Privacy Rights Act, the definition of “consumer” under the three laws above excludes individuals acting in a commercial or employment context, so business-to-business personal data and employee personal data do not fall within their scope.
The following chart highlights some of the other unique requirements under each of the new laws.
| Requirement | Texas (TDPSA) | Oregon (OCPA) | Florida (FDBR) |
|---|---|---|---|
| Scope and Applicability | Businesses in Texas or companies providing products/services to Texas residents; exempts small businesses. | Processing data of 100,000 Oregon residents or 25,000 residents if over 25% revenue from selling personal info; includes nonprofits. | Businesses with annual revenue over $1 billion and a) 50%+ revenue from online ads, b) smart speakers and voice command services, or c) operate a large app store. |
| Consent Requirements (selected) | Opt-in consent for processing sensitive personal data. | Parental consent for profiling data from individuals aged 13-15. | Opt-in consent required for collection of data via voice and facial recognition. |
| Sensitive Data | Broad definition of “personal data” includes pseudonymous data and sensitive data that can be reasonably linked to an individual. | Includes data revealing transgender or nonbinary status and status as a victim of a crime; past or present location within 1750 feet. | Specific provisions for online platforms targeting children (under 18); requires an affirmative opt-in prior to selling sensitive data, regardless of revenue. |
| Privacy Notices | Categories of personal data processed; purposes of processing; consumer rights exercise info; third-party data sharing; specific notices for sensitive/biometric data sale. | Clear information on processing activities; disclose third parties with whom data is shared. | Clear and concise privacy notices about data collection and processing activities. |
| Data Protection Assessments | Required for high-risk processing activities, targeted advertising, data sales, profiling, and sensitive data processing. | Required where processing activities are likely to present a heightened risk of harm to consumers; must be retained for five years. | Required for targeted advertising, sale of personal data, and profiling where there is a potential risk of harm to consumers. |
| Enforcement | Texas Attorney General enforcement; 30-day cure period; penalties up to $7,500 per violation; no private right of action. | Oregon Attorney General enforcement; 30-day cure period expiring January 1, 2026; penalties up to $7,500 per violation; no private right of action. | Florida Department of Legal Affairs and Attorney General enforcement; 45-day cure period; penalties up to $50,000, with treble damages for specific violations; no private right of action. |
Businesses operating in these states should review these regulations carefully to ensure compliance by July 1, 2024. Also effective July 1, 2024, controllers subject to the Colorado Privacy Act (CPA) must recognize Colorado consumers' privacy preferences submitted through browser signals conforming to the Global Privacy Control (GPC) specification as requests to opt out of data sales or targeted advertising.
Looking ahead to the rest of the year, the Montana Consumer Data Privacy Act (MCDPA) and the Maryland Kids Code become effective on October 1, 2024.