The list of U.S. state-level data privacy laws will grow substantially this summer as three more comprehensive state laws become effective. Texas, Oregon and Florida each have a comprehensive data privacy law taking effect on July 1, 2024. In addition, businesses subject to the Colorado Privacy Act must begin recognizing the Global Privacy Control (GPC) signal starting July 1.

Texas Data Privacy and Security Act

Any person or business offering a product or service consumed by a Texas resident is likely to be subject to the Texas Data Privacy and Security Act (TDPSA). The TDPSA applies to a much broader range of individuals and businesses (known as “Controllers” under the statute) inside and outside of the state. The TDPSA pulls in individuals and businesses regardless of their revenue or the number of individuals whose personal data is processed or sold. The TDPSA applies to any individual or business that meets all of the following criteria:

• Conducts business in Texas or produces a product or service consumed by residents of Texas.
• Processes or engages in the sale of personal data.
• Is not a small business as defined by the U.S. Small Business Administration (SBA).

In addition, even small businesses must obtain a consumer’s consent for the sale of sensitive personal data.

In short, collecting, storing or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, will likely meet this standard. The third standard allows for an exemption for businesses that meet the SBA definition of a “small business.” Consider using the SBA’s resources linked here to determine if your business may apply.

If you are already complying with the Virginia Consumer Data Protection Act (VCDPA) or other similar state laws, you may already be meeting most of the requirements for the TDPSA, but there are some unique aspects of the TDPSA to consider.

Under the TDPSA, Controllers must maintain both data processing agreements and privacy policies. In the privacy policy, a Controller is required to specify whether it sells sensitive personal data and/or biometric data. In order to satisfy this requirement, the Controller must include a notice stating, “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric data.”

The TDPSA has a broader definition of “personal data,” which also includes any “pseudonymous data” that is “used by a Controller or processor in conjunction with additional information that reasonably links it to an identified or identifiable individual.” A Controller that is in possession of such data should take reasonable measures to ensure that the data cannot be associated with an individual, and it must publicly commit to not re-identify the data. Furthermore, the Controller must contractually obligate any recipient of the pseudonymous data to comply and exercise reasonable oversight to monitor compliance with those contractual commitments.

Starting on January 1, 2025, Controllers under the TDPSA must also recognize the Universal Opt Out Mechanism (UOOM) for the sale of personal data and targeted advertising.

If you think that you or your business may be subject to the TDPSA, read our analysis of the TSPSA here.

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) follows a more standard threshold that is common in various other state privacy laws. The OCPA applies to any person who conducts business in Oregon and controls or processes the personal data of either of the following:

• At least 100,000 Oregon residents (other than personal data controlled or processed solely to complete a payment transaction).
• At least 25,000 Oregon residents while deriving at least 25% of its revenue from the sale of personal data.

Several provisions of the OCPA differ from those found in other similar laws, including privacy notice and data protection assessment requirements. The OCPA requires the privacy notice to identify the Controller, any business name under which the Controller is registered with the Secretary of State, and any assumed business name that the Controller uses within the state. The OCPA also requires that Controllers maintain data protection assessments for five years, which is longer than any other state.

Additionally, OCPA allows Oregon residents to obtain a list of specific third parties that have received, at the Controller’s option, either the individual’s specific personal data or the personal data provided by the Controller. OCPA is the first comprehensive state data privacy law to require Controllers to identify not just categories but specific third parties to which the Controller has disclosed personal data.

Notably, there are several organizations typically exempt under other state privacy laws that do not have an exemption under OCPA including Gramm-Leach-Bliley Act (GLBA)-regulated financial institutions (though non-public information may still be exempt), HIPAA-covered entity exemption (though PHI is exempt), and nonprofits.

The OCPA has several other important future dates:

• July 1, 2025: The OCPA applies to nonprofits.
• January 1, 2026: The right to cure sunsets and UOOM must be recognized.
• July 1, 2026: Consumers can opt out of the sale of personal data or targeted advertising using GPC signals.

Read our review of the OCPA here if you think your business may be subject to the OCPA.

Florida Digital Bill of Rights

The Florida Digital Bill of Rights (FDBR) contains several provisions that set it apart from other comprehensive data privacy laws, including a complicated applicability threshold (see below), additional opt-out rights and consent requirements, and unique definitions related to children’s data.

A majority of the provisions in the FDBR will not apply to most businesses.  The entirety of FDBR applies to entities (known as Controllers) that generate more than $1 billion in annual global revenue and meet any of the following criteria:

• Derive at least 50% of global annual revenues from the sale of advertisements online (including from providing targeted advertising).
• “Operate… a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.”
• Operate an app store or digital distribution platform with at least 250,000 apps for consumers to download and install.

The FDBR, however, does require consumer consent before any for-profit entity conducting business in Florida sells sensitive data or processes the sensitive data of a known child.

For entities that are involved in the selling or processing of sensitive data of known children and that conduct business in Florida, that business will want to pay close attention to the definition of a “known child.” Notably, Florida’s definition of “known child” is any individual under the age of 18, which is higher than the definition in other existing state laws. Additionally, the Florida legislature is currently considering proposed additional draft privacy regulations, with the intention of further clarifying definitions related to children under FDBR.

If you think your business may be subject to the FDBR, read our analysis here for more details.