July 1 Implementation of New US Privacy Laws Looms

The Florida Digital Bill of Rights, the Texas Data Privacy and Security Act, and the Oregon Consumer Privacy Act all enter into effect in just over three weeks, on July 1st, 2024. While the US is up to 19 states that have passed data privacy laws, the vast majority of those laws have come over the past year and a half, so currently the country only has five laws in effect: California, Virginia, Colorado, Connecticut, and Utah.

Texas, Florida, and Oregon will become states 6, 7, and 8 with effective data privacy laws (although there is plenty of debate about whether Florida's law counts as comprehensive).

Here are key points to know for each in order to comply.

Florida

FDBR only applies to Big Tech, given its first applicability threshold is $1 billion+ in annual revenue; the targeted nature of the law is largely why many do not consider this to be a comprehensive law. However, given the prevalence of Big Tech companies on the internet and the fact that FDBR gives its citizens data rights, we're going to count it.
You likely do not need to do anything to comply with this law, but Floridians now have data rights, so keep an eye out for more data subject requests coming from the state.

Texas

TDPSA has a broader applicability threshold than most state laws, so any organization that engages in the sale or sharing of personal data and is NOT a small business will need to comply.

Texas companies will need to honor data subject requests (with Texans having access to a set of rights including deletion, access, correction, and opt-out of targeted advertising and user profiling) and conduct data protection impact assessments. Another quirk of TDPSA is that data controllers must include a special clause in their privacy notice if they sell consumers' sensitive or biometric data, so double-check your consent notices if that applies to you.

As with most other state laws, processing sensitive data requires opt-in consent from consumers, and organizations must acknowledge and honor universal opt-out mechanisms by January 1, 2025 (an extra 6-month window).

Oregon

The last law of this trio to pass, the Oregon Consumer Privacy Act (OCPA) grants Oregon residents the largest set of consumer rights of any enacted law. The key to this is the new right for consumers to see which third parties a data controller has shared their data with, meaning more documentation and data visibility requirements for organizations, as well as a new DSR handling template.

Another notable aspect of OCPA is that it does NOT exempt nonprofit organizations, a rarity up until now. Nonprofits will have an extra year to comply, with their deadline coming July 1, 2025.

Other key requirements in OCPA include standard responsibilities like completing data protection impact assessments, requiring opt-ins for sensitive data processing (and for processing any data from children under 13 years old), and data processing agreements.

The timeline for handling DSRs under these state laws (and virtually every state law) is 45 days, and with all three entering into effect on the same day, organizations should expect an increase in the number of DSRs they receive.