Countdown to 3 new data privacy laws: Texas, Oregon, Florida

Businesses should assess whether they are covered by these new laws and, if so, confirm compliance before the effective dates. Here is a summary of the laws taking effect on July 1:

• Texas Data Privacy and Security Act. The TDPSA applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a “small business” as defined by the U.S. Small Business Administration. The TDPSA excludes other categories of businesses, such as non-profit organizations, institutions of higher education, and entities subject to the Health Insurance Portability and Accountability Act and the Graham-Leach Bliley Act; however, the exclusion for small businesses is unique to Texas. Small businesses that meet the first two requirements must still obtain consent from website users and customers before selling sensitive personal data. The TDPSA will take effect on July 1, but businesses will have until January 1, 2025, to recognize universal opt-out mechanisms such as the Global Privacy Control.
• Oregon Consumer Privacy Act. The OCPA applies to entities that conduct business in Oregon, or that provide products or services to Oregon residents; and that during a calendar year, control or process (1) the personal data of 100,000 consumers (other than personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) the personal data of 25,000 or more consumers, while deriving 25 percent or more of annual gross revenue from selling personal data. Non-profit organizations are generally not exempt from the OCPA. However, the law exempts non-profits (1) specifically established to detect and prevent fraudulent acts in connection with insurance, or (2) that engage in non-commercial activity in providing programming to radio or television networks. The OCPA will take effect on July 1, but non-profit organizations that are not exempt will have until July 1, 2025, to comply. Controllers will have until January 1, 2026, to recognize universal opt-out mechanisms.
• Florida Digital Bill of Rights. The Florida Digital Bill of Rights applies to entities that (1) conduct business in Florida, or produce a product or service used by Florida residents; and (2) process or engage in the sale of personal data. The law does not apply to businesses with less than $1 billion in gross annual revenue, so many large organizations will not be covered. Even with high-revenue businesses, the law will not apply unless the businesses (1) derive 50 percent or more of global gross annual revenues from the sale of advertisements online, including targeted advertising and the sale of ads; (2) operate a consumer smart speaker and voice command component service with an integrated virtual assistance connected to a cloud computing service that uses hands-free verbal activation; or (3) operate an app store or digital distribution platform that offers at least 250,000 software applications for consumers to download and install. Given the narrow applicability of the Digital Bill of Rights, many do not consider this to be a comprehensive data privacy law.

Businesses subject to any of these new state laws should confirm that they have implemented appropriate policies, are making the appropriate disclosures in privacy notices, have procedures in place to handle data subject requests, and have processes for conducting data protection impact assessments if needed. Businesses covered by the Texas and Oregon laws will also need to recognize universal opt-out mechanisms by 2025 and 2026, respectively.

As more state privacy laws come into effect, and as other states pass their own comprehensive privacy laws, the complexity of data privacy compliance continues to increase.