In 2024, privacy laws adopted by Montana, Oregon, Texas and Utah will become effective. While the laws have much in common (and are similar to the laws already in effect), they each have special characteristics, and companies will need to evaluate how they impact operations, disclosures and policies.
What do they have in common?
Each of the new laws provides similar rights to consumers:
- The right to opt out of data collection and processing
- The right to correct inaccuracies in their personal data
- The right to access a copy of their data
- The right to delete their personal data
- The right to opt in, or opt out, of processing sensitive personal data
- The right to opt out of the sale of personal data, profiling, or the use of personal information for targeted advertising
The statutes also impose similar obligations on businesses:
- Publish a privacy notice describing the business’s data collection and processing practices, and whether data is shared with third parties
- Recognize opt-out preference signals, which could allow consumers to opt out of data collection and processing without having to verify their identities
- Perform and document data protection assessments (DPAs) for high-risk processing activities
None of the new state laws provides for a private right of action like California’s (which allows users to sue violating companies), but each of them has an enforcement mechanism that includes penalties for noncompliance. Enforcement will generally be carried out by the attorney general of these states.
What’s different about the laws?
Montana’s Consumer Data Privacy Act (MCDPA) was passed in May 2023 and will take effect on October 1, 2024. The MCDPA applies to entities that:
- Operate within Montana
- Provide products or services specifically targeted towards Montana residents and meet one of the following criteria:
  - Control or process the personal data of 50,000 or more Montana residents during a calendar year; or,
  - Derive over 25 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents.
The law exempts state entities, nonprofit organizations, institutions of higher education, registered national securities associations, and entities governed by the privacy regulations of the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).
Note: The thresholds for coverage by the MCDPA are generally lower than those of other states and have no monetary floor; companies should consider whether they might fall within the purview of the MCDPA even if they do limited business in Montana.
Oregon’s Consumer Privacy Act (OCPA) will take effect on July 1, 2024. The OCPA applies to entities that meet the following criteria:
- Conduct business in Oregon;
- Provide products or services to Oregon residents and meet one of the following criteria:
  - Control or process the personal data of at least 100,000 consumers during a calendar year (except for purposes of completing a payment transaction); or,
  - Control or process the personal data of 25,000 or more consumers, while deriving 25 percent or more of its annual gross revenue from selling personal data.
The OCPA exempts specific entities, including state government entities, certain financial institutions, insurance producers and consultants, and nonprofit organizations focused on detecting and preventing insurance fraud.
Businesses must also obtain affirmative consent to collect and process sensitive information (an “opt-in” mechanism).
Note: the opt-in mechanism is more restrictive than the opt-out requirement found in many other states.
The Texas Data Privacy and Security Act (TDPSA) will take effect on July 1, 2024. The TDPSA uses a unique standard for determining coverage and generally applies to any entity that:
- Conducts business in Texas or produces a product or service consumed by Texas residents
- Processes or engages in the sale of personal data
- Is not a small business as defined by the United States Small Business Administration
The TDPSA also has several entity-level exemptions, including: nonprofits, state agencies and political subdivisions, financial institutions subject to GLBA, covered entities and business associates governed by HIPAA, and institutions of higher education.
Unlike the privacy laws in many other states, the TDPSA has no specific thresholds based on annual revenue or volume of personal data processed.
Business Obligations. The TDPSA imposes specific obligations on data “controllers”—those that determine the purposes and means of processing personal data—including:
- Limiting collection of personal data to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection
- Prohibiting controllers from processing personal data in violation of state and federal antidiscrimination laws, or from discriminating against a consumer for exercising any of the consumer’s rights under the TDPSA, including by denying goods or services, charging different prices, or providing a different quality of goods or services
- Giving consumers the right to opt out of the sale of personal information by the controller
- Obtaining consent from a consumer prior to processing sensitive personal data
- Requiring controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue”
Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) in March 2022. The law will take effect on December 31, 2023. The UCPA applies to entities that:
- Conduct business in Utah;
- Target Utah residents as consumers; or,
- Generate annual revenue of $25 million or more and either control or process personal data of 100,000 or more Utah consumers or derive more than 50% of gross revenue from the sale of personal data and processing data of 25,000 or more Utah consumers.
Like other states, the UCPA has exemptions, including institutions of higher education, nonprofit organizations, government organizations and contractors, indigenous tribes, air carriers, organizations covered by HIPAA, and financial institutions governed by the GLBA.
The UCPA does not require consent for processing sensitive personal data, but controllers do have to clearly notify consumers and provide them the opportunity to opt out of having their sensitive personal data processed ahead of time.
What Should You Do?
In addition to the laws described above, more statutes will go into effect in 2025, and states (like New Jersey) are actively pursuing their own variations of data privacy laws. These laws will create challenges for companies as they seek strategies to comply with laws and, just as importantly, to protect the personal information of their employees, customers, clients and other stakeholders. The JMBM Cybersecurity and Privacy Group works with clients to develop and implement policies and procedures to achieve these goals.
JMBM’s Cybersecurity and Privacy Group counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
Stuart K. Tubis is an attorney in JMBM’s Cybersecurity and Privacy Group. Stuart uses his background in technology to counsel clients on a range of legal issues, including compliance with privacy and security laws and regulations. Stuart is available to develop privacy policies, help prevent data breaches and respond if/when they occur. Contact Stuart at firstname.lastname@example.org or 415-984-9622.