The U.S. cybersecurity and data privacy law framework continues to evolve and expand rapidly. Here, we share a summary of the eight new state data privacy and security laws that will take effect in 2024 and 2025. Businesses in all 50 states should assess the effect that upcoming and existing state data privacy laws may have on their business.
Texas Data Privacy and Security Act (Effective July 1, 2024)
The Texas Data Privacy and Security Act (“TDPSA”) is a comprehensive data privacy law that applies to any business that (i) conducts business in Texas or produces products or services consumed by Texas residents, (ii) processes any volume of personal data or engages in the sale of personal data, and (iii) is not a “small business” as defined by the U.S. Small Business Administration (“SBA”). However, even those businesses that qualify as “small businesses” must comply with certain obligations under the TDPSA if they meet the first two requirements. The SBA’s definition of a “small business” is rather nuanced, with different revenue or other thresholds based on industry, so we recommend consulting with an attorney to determine (i) whether the “small business” exception applies to your business, and (ii) if so, what obligations under the TDPSA may still be applicable.
The TDPSA provides for certain consumer privacy rights and imposes certain obligations on data controllers, including the implementation of data security practices and the publication and/or disclosure of certain policies and actions.
Florida Digital Bill of Rights (Effective July 1, 2024)
The Florida Digital Bill of Rights (“FDBR”) largely applies to certain for-profit companies with an annual global revenue of more than $1 billion and which meet one of the following criteria:
- derives 50% of its global gross annual revenue from the sale of advertisements online, including online ad sales or targeted advertising;
- operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- operates an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
However, the FDBR’s sensitive data requirements apply more broadly to for-profit entities that conduct business in Florida and collect personal data about consumers directly or through others. The FDBR and its accompanying legislation cover a wide array of data privacy topics, including certain consumer privacy rights (including opt-out rights for voice and facial recognition technology), data controller obligations, and restrictions on websites accessible to children.
Oregon Consumer Privacy Act (Effective July 1, 2024)
The Oregon Consumer Privacy Act (“OCPA”) applies to any individual or business who (i) conducts business in Oregon or provides products or services to Oregon residents, and (ii) during a calendar year, meets one of the following criteria:
- controls or processes the personal data of 100,000 or more Oregon residents (other than solely for the purpose of completing a payment transaction); or
- controls or processes the personal data of 25,000 or more consumers while deriving twenty-five percent (25%) or more of its annual gross revenue from selling personal data.
The OCPA provides data privacy rights similar to those provided under the California Consumer Protection Act/California Privacy Rights Act, including rights to access, correct, delete, opt out of sales, and opt in for sensitive data processing. The OCPA also requires data controllers to implement reasonable data security measures such as those already required by Oregon’s identity theft prevention law. Unlike many U.S. state privacy laws, the OCPA contains no exemptions for financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”) or certain non-profit organizations.
Montana Consumer Data Privacy Act (Effective October 1, 2024)
The Montana Consumer Data Privacy Act (“MCDPA”) applies to companies that conduct business in Montana or target products or services to Montana residents that (i) control or process the personal data of not less than 50,000 state residents (other than solely for the purpose of completing a payment transaction); or (ii) control or process the personal data of not less than 25,000 Montana residents and derive more than twenty-five percent (25%) of gross revenue from the sale of personal data.
Uniquely, the MCDPA does not specify a cap for monetary penalties. It provides for certain consumer privacy rights and imposes certain obligations on data controllers, including the implementation of data security practices and the publication and/or disclosure of certain policies and actions.
Delaware Personal Data Privacy Act (Effective January 1, 2025)
The Delaware Personal Data Privacy Act (“DPDPA”) creates data privacy requirements for anyone who (i) conducts business in Delaware or produces products or services targeted to Delaware residents and (ii) during the preceding calendar year, either:
- controlled or processed the personal data of at least 35,000 Delaware residents (other than solely for the purpose of completing a payment transaction); or
- controlled or processed the personal data of at least 10,000 Delaware residents and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
The DPDPA does not provide for entity-level exemptions for certain nonprofit organizations, certain institutions of higher education, or companies subject to the Health Insurance Portability and Accountability Act (“HIPAA”). However, the DPDPA does contain certain exemptions for financial institutions and personal data governed by the GLBA.
Iowa Act Relating to Consumer Data Protection (Effective January 1, 2025)
The Iowa Act Relating to Consumer Data Protection (“ICDPA”) applies to businesses within the state or producing products or services targeted at Iowans that also meet one of the following criteria:
- control or process personal data of at least 100,000 Iowans; or
- control or process personal data of at least 25,000 Iowans and derive over fifty percent (50%) of gross revenue from the sale of personal data.
The ICDPA excludes personal data of individuals acting in a commercial or employment context. Unlike most state privacy legislation, the ICDPA does not contain a revenue threshold and, therefore, may be applicable to your small business. If you are a small business operating in Iowa or with Iowans, we recommend consulting with an attorney.
New Jersey Privacy Act (Effective January 15, 2025)
The New Jersey Privacy Act (“NJPA”) applies to data controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and meet one of the following criteria:
- control or process the personal data of at least 100,000 New Jersey residents (other than solely for the purpose of completing a payment transaction); or
- control or process the personal data of at least 25,000 New Jersey residents and derive revenue or receive a discount, in any amount, on the price of goods or services, from the sale of personal data.
Like Delaware’s legislation, the NJPA does not provide for entity-level exemptions for certain nonprofit organizations, certain institutions of higher education, or companies subject to HIPAA, but does contain certain exemptions for financial institutions governed by the GLBA.
Tennessee Information Protection Act (Effective July 1, 2025)
The Tennessee Information Protection Act (“TIPA”) applies to businesses that (i) conduct business in Tennessee or produce products or services that target Tennesseans, (ii) exceed $25 million in annual revenue, and (iii) meet one of the following criteria:
- control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information, or
- control or process personal information of at least 175,000 consumers.
TIPA defines “consumer” as a natural person who resides in Tennessee “acting only in a personal context” and therefore excludes personal data of individuals acting in a commercial or employment context. Data controllers are also obligated to provide “reasonable data security” to protect the confidentiality, integrity, and accessibility of personal data.
Key Takeaways
As states continue to enact cybersecurity and data privacy laws, it’s more important than ever for businesses of all sizes to keep data privacy and security best practices at the forefront of their operational and administrative priorities. Not only do these new laws impact IT systems and operations on an ongoing basis, but cybersecurity and data privacy issues can often be a make-or-break issue in an M&A transaction.