Next Wave of U.S. State Data Privacy: Effective July 1, 2024

Nelson Mullins Riley & Scarborough LLP
Contact

Nelson Mullins Riley & Scarborough LLP

As of July 1, three new comprehensive state privacy laws – the Florida Digital Bill of Rights (FDBR), the Oregon Consumer Privacy Act (OCPA), and the Texas Data Privacy and Security Act (TDPSA) – will take effect, joining the ranks of existing laws in California, Colorado, Connecticut, Virginia, and Utah.

Here's a quick breakdown of the key aspects of these new laws:

Florida Digital Bill of Rights (FDBR): 

This law has a limited scope compared to others and applies to for-profit legal entities doing business in Florida, who collect personal data of Florida residents, control the means of processing, have an annual global revenue exceeding $1 billion, and meet one of the following criteria: (a) derive 50%of its global gross annual revenue from the sale of advertisements online; (b) operate a consumer-smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (c) operate an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install. 

The FDBR grants consumers rights to access, correct, delete, and opt out of the sale of their personal data and targeted advertising. Additionally, the FDBR includes provisions relating to children's (under 18) data, sensitive data consent, data minimization, annual privacy notice updates, data retention schedules, impact assessments, and prohibitions on government officials moderating content. 

While the FDBR doesn't have a private right of action, the Florida Attorney General enforces the law with a discretionary 45-day cure period. FDBR authorizes civil penalties of up to $50,000 per violation and damages may be trebled if an online platform has knowledge that it is violating the rights afforded to children. 

Oregon Consumer Privacy Act (OCPA): 

The OCPA applies to an individual or legal entity that either: (a) collects personal data from at least 100,000 Oregon residents (excluding data solely for payment transactions); or (b) processes personal data from at least 25,000 Oregon residents and derives more than 25% of their revenue from data sales. 

OCPA grants consumers rights to access, obtain, correct, delete, third-party disclosures, and opt out of the sale of their personal data, targeted advertising, and certain profiling. Additionally, the OCPA includes provisions relating to data minimization, children’s data, sensitive data consent, opt out  preference signals, and data protection assessments.   
While the OCPA doesn't have a private right of action, the Oregon Attorney General enforces the law that includes a limited cure period of 30 days for violations, ending Jan. 1, 2026. The Oregon Attorney General may seek civil penalties of $7,500 per violation.

Texas Data Privacy and Security Act (TDPSA): 

The TDPSA applies to a person or entity who determines the purpose and means of processing personal data and (a) conducts business in Texas by producing products or services consumed by residents of the state; (b) processes or engages in the sale of personal data; and (c) is not a small business, as defined by the U.S. Small Business Administration (unless selling sensitive data). 

TDPSA grants consumers rights to access, correct, delete, and opt out of the sale of their personal data and targeted advertising. Additionally, the TDPSA includes provisions relating to data minimization, sensitive data consent, biometric data, and impact assessments. 

While the TDPSA doesn't have a private right of action, the Texas Attorney General enforces the law, with a 30-day cure period. The Texas Attorney General may bring an action in court seeking various forms of relief, including declaratory judgment, injunctive relief, civil penalties, attorney fees, and investigative costs. A court may impose civil penalties of up to $7,500 for each violation and if the violation is found to be willful or knowing, treble damages may be awarded. 

Nelson Mullins Riley & Scarborough will continue to monitor these state privacy laws and consumer privacy obligations. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nelson Mullins Riley & Scarborough LLP | Attorney Advertising

Written by:

Nelson Mullins Riley & Scarborough LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Nelson Mullins Riley & Scarborough LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide