    Amit, Pollak, Matalon & Co.


    US Privacy Reminder – Texas and Oregon Privacy Laws Becoming Effective

    July 1, 2024

    Today, July 1st, 2024, marks the enforcement of new privacy regulations in both Texas and Oregon.

    While these new laws do not present substantial practical changes from a material perspective, both include nuances that highlight the complexity of evolving U.S. privacy laws and the challenge of applying a one-size-fits-all approach.

    Unlike many other state laws that include data processing volume thresholds for enforcement, the new Texas Data Privacy and Security Act (TDPSA) applies to any company conducting business in Texas, regardless of the amount of data it processes, unless such a business is deemed a “Small Business” under Texas laws. This means that all Texas consumers, regardless of business size, now have enhanced rights to access, correct, and delete their personal information, and to opt out of the sale of their data. These rights align closely with those granted under the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). Additionally, the TDPSA imposes stringent requirements on businesses handling sensitive data, such as biometric and health information, necessitating explicit consent from consumers before processing this type of data. This aspect of the law is reminiscent of the Illinois Biometric Information Privacy Act (BIPA) but extends protections to a wider range of sensitive information.

    In Oregon, the Consumer Privacy Act (OCPA) introduces similar protections for residents of the state. The OCPA applies to businesses operating within Oregon or targeting Oregon residents, encompassing both traditional personal data and derived data. The law applies to businesses that control or process the personal data of at least 100,000 Oregon residents or derive over 25% of their gross revenue from the sale of personal data, similar to thresholds seen in other state privacy laws. Oregon consumers, like their Texas counterparts, have the right to access, correct, and delete their personal information, and to opt out of data sales.

    Derived data, a unique aspect of the OCPA, refers to data created through algorithms, machine learning, or other processes that produce new data or inferences about a consumer from their original data. This could include inferred interests, preferences, or other characteristics that are not directly provided by the consumer but are generated through data analysis. Importantly, the OCPA imposes specific limitations on derived data, requiring businesses to allow consumers to access, correct, delete, and opt out of the sale of such data. Unlike some other privacy laws, the OCPA does not exclude pseudonymous data from these rights, reflecting a broader scope of consumer protections.

    In addition to these upcoming laws, Florida’s Digital Bill of Rights will come into force on July 1, 2024. This law, however, will primarily affect large tech firms (e.g., Google and Meta), requiring explicit consumer consent for processing sensitive data and imposing specific obligations on data controllers.

    These state-level developments are part of a larger trend towards comprehensive data privacy laws in the U.S. At the federal level, the American Privacy Rights Act (APRA) remains under discussion, aiming to create a unified framework for data privacy across the country. However, while federal legislation progresses slowly, individual states continue to lead the charge with their own regulations – Montana’s Consumer Data Privacy Act is set to take effect on October 1, 2024, followed by new laws in New Hampshire, New Jersey, Delaware, Nebraska, and Iowa in January 2025.

    This surge in legislative activity complicates the adoption of unified practices and policies. While all these state-level laws generally align with either the CCPA or the Washington models (the latter of which failed to be enacted), they each introduce unique nuances, definitions, and obligations. Indeed, the practical differences between these laws may seem minor, yet they require ongoing reassessment and updates of privacy policies and data management practices to ensure compliance. This highlights the critical need for the future APRA to serve as an overarching regulatory framework. Given that, we at APM have developed a unified approach to privacy policies and other privacy documentation that integrates the various state laws into a cohesive framework in a practical way while still accounting for specific nuances. We will be happy to assist you in ensuring compliance by updating your privacy policies, DPAs, and other documentation. Contact us for expert guidance on adapting to these evolving privacy regulations.

    APM Technology and Regulation Team.

    This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.