Takeaways

In 2023, four consumer privacy laws went into effect in Colorado, Connecticut, Virginia and Utah.
Entities should prepare for a new class of consumer data privacy laws to take effect in Florida, Montana, Oregon and Texas starting in July 2024.
While the new laws resemble existing privacy frameworks, covered businesses should review their compliance strategies to account for unique requirements.

Despite growing momentum, the United States remains one of the largest nations without a comprehensive federal privacy law. This has led to a significant uptick in state-level privacy legislation since the 2018 enactment of the California Consumer Privacy Act. In 2023 alone, four consumer privacy laws went into effect in Colorado, Connecticut, Virginia and Utah, and eight new states enacted similar laws.

Looking ahead to July 2024, a new class of consumer privacy laws will begin to take effect in Florida, Oregon, Montana and Texas. While laws in this class significantly resemble their predecessors, unique provisions within each will demand a comprehensive review of new compliance obligations. Below, we summarize the key takeaways of the consumer privacy laws taking effect in 2024 and detail how organizations can prepare.

Florida Digital Bill of Rights: Effective July 1, 2024
The Florida Digital Bill of Rights (FDBOR) will apply to persons that (a) conduct business in Florida or produce products or services used by Florida individuals or households and (b) process or engage in the sale of personal data. Unlike other state consumer privacy laws, the FDBOR will affect a narrow band of the largest tech firms. Specifically, FDBOR will apply to data controllers that operate a business in Florida with annual gross revenue over $1 billion and that either: (a) make 50% or more of their revenue from the sale of online ads, including targeted advertising, (b) operate a consumer smart speaker and voice command component service, or (c) operate an app store with more than 250,000 apps.

Like many other state privacy laws, FDBOR will include the rights to access, correct, delete and port personal information, as well as the rights to opt out of the processing of personal information for the purposes of targeted advertising, the sale of data or profiling. However, FDBOR will introduce several unique opt-in and opt-out requirements. Specifically, the bill will grant all consumers the right to opt out of the collection, processing and sale of sensitive data. Additionally, the bill will require any for-profit data controller that operates in Florida to obtain an affirmative opt-in prior to selling an individual’s sensitive data—regardless of whether such controller satisfies the FDBOR’s $1 billion revenue threshold.

FDBOR also contains unique provisions regarding voice and facial recognition systems. While related laws like the Illinois Biometric Information Privacy Act (BIPA) require covered businesses to make a disclosure and obtain opt-in consent before collecting biometric information, FDBOR will solely require covered entities to make a disclosure if they engage in the sale of sensitive data, and will permit consumers to opt out of the collection of personal information specifically obtained through voice or facial recognition systems.

In addition to these requirements, FDBOR includes substantial provisions regarding children’s online safety. Section 2 (Protection of Children in Online Spaces) of the bill requires compliance by any media and online gaming platform—regardless of annual revenue—that is “likely to be predominantly accessed by children.” Covered platforms cannot process the personal information of individuals under 18 if they have actual knowledge or willfully disregard that processing could create substantial harm or privacy risks to children. The bill defines “substantial harm or privacy risks” to include mental health disorders, addictive behaviors, physical violence, sexual exploitation and predatory or unfair marketing practices.

The Florida Department of Legal Affairs and Florida Attorney General will enforce the FDBOR, and there is no private right of action. The department will have the discretion to offer a 45-day cure period to address alleged violations, which will depend on factors like the frequency of violations and the probability of public injury. Similar to other state consumer privacy laws, FDBOR will permit recovery of civil penalties up to $50,000; however, it also provides for treble damages if a violation involves (a) a consumer who is known to be a child, (b) failure to act on an authenticated request to delete or correct a consumer’s personal data, or (c) failure to stop the sale or sharing of personal data after a consumer exercises an opt-out right.

Oregon Consumer Data Privacy Act: Effective July 1, 2024
The Oregon Consumer Privacy Act (OCPA) resembles Colorado’s consumer privacy act, with notable exceptions. OCPA will apply to persons that conduct business in Oregon or produce products or services targeted to Oregon residents and that either (a) control or process the personal information of at least 100,000 Oregon residents—excluding personal data controlled or processed for payment transactions—or (b) control or process the personal information of 25,000 state residents and derive over 25% of their gross annual revenue from selling personal information. Once effective, Oregon and Colorado will be the only two states with consumer privacy laws that do not exempt nonprofit organizations from compliance. All covered nonprofits will have one additional year—until July 1, 2025—to comply with OCPA.

Akin to many other state privacy laws, OCPA will include standard data subject rights allowing individuals to access, correct, delete and port personal information, as well as the rights to opt out of the sale of personal information or the disclosure of personal information for targeted advertising. Unlike other states, OCPA defines “personal data” to include “data, derived data, or any unique identifier” that is reasonably linkable to (a) a consumer or (b) a device that is linkable to one or more consumers in a household. “Derived data” is not defined but is presumed to cover inferences about a consumer. This may create new compliance obligations, as no other state privacy law specifically permits consumers to request the deletion of derived data. OCPA will also expand the definition of “sensitive personal data” to include personal data of individuals under 13 years of age; transgender, nonbinary, citizenship and immigration statuses; and a new category—status as a victim of a crime.

In addition to these updates, OCPA will also increase data controller obligations. Under the law, data controllers must obtain affirmative consent from a parent or guardian to profile data from individuals who are 13 to 15 years old and must retain all data protection impact assessments for a period of five years. Additionally, the OCPA grants individuals the right to know the specific third parties to whom a data controller discloses their personal data, which will augment the standard data subject rights to access, correct, delete and port data.

The Oregon Attorney General will have exclusive enforcement authority over the OCPA and can issue penalties up to $7,500 per violation. Covered businesses will have a 30-day cure period to correct alleged violations, and this right to cure will expire on January 1, 2026. 

Texas Data Privacy and Security Act: Effective July 1, 2024
The Texas Data Privacy and Security Act (TDPSA) will govern the collection, use and transfer of consumer data and will apply to entities that (a) conduct business in Texas or offer products and services consumed by Texas residents and (b) process or engage in the sale of personal data. Unlike other state privacy laws, TDPSA will apply to “large businesses” and will exempt entities that meet the U.S. Small Business Administration’s definition of a “small business.” Despite this nuance, TDPSA requires all businesses—regardless of entity size or revenue—to obtain opt-in consent prior to the sale of sensitive personal information. As a result, this may create new compliance obligations for businesses within and beyond the state that offer products to, or collect information from, Texas residents.

The TDPSA will include standard data subject rights to access, correct, delete and port personal information. Like other consumer privacy laws, it will grant consumers the right to opt out of the sale of data, targeted advertising and certain profiling activities, and will require businesses to obtain an opt-in before processing sensitive data. Unlike other states, Texas will broadly define “personal data” to include “any information, including pseudonymous data and sensitive data” that can be reasonably linked to an individual. Other states have not explicitly extended data subject rights to access, correct, delete or port data to pseudonymized data; the TDPSA notes that such rights will not apply if a data controller can demonstrate that any information necessary to identify the consumer is separately stored and subject to technical and organizational controls that prevent the controller from accessing such information.

The Texas Attorney General will have exclusive enforcement authority over TDPSA and can issue penalties up to $7,500 per violation. Covered businesses will have a 30-day cure period to address alleged violations.

Montana Consumer Data Privacy Act: Effective October 1, 2024
The Montana Consumer Data Privacy Act (MCDPA) will apply to persons that conduct business in Montana or produce products or services targeted to Montana residents and that either (a) handle the personal information of 50,000 residents or more—excluding personal data controlled or processed for payment transactions—or (b) process the data of 25,000 or more consumers and derive 25% of gross revenue from the sale of such data. This is a narrower threshold than other consumer privacy laws, reflecting Montana’s comparatively small population.

The MCDPA mirrors Connecticut’s consumer privacy law and grants consumers standard data subject rights to access, correct, delete and port personal data. Additionally, Montana residents will have the right to opt out of certain sales of data, targeted advertising and profiling decisions regarding pseudonymous data. However, data subject rights regarding pseudonymous data will not apply if a data controller can demonstrate that any information necessary to identify the consumer is separately stored and subject to technical and organizational controls that prevent the controller from accessing such information. Additionally, in contrast to the identity verification required under the CCPA, data controllers will not be able to ignore opt-out requests under the MCDPA where they cannot verify a data subject’s identity.

The Montana Attorney General will have exclusive enforcement authority over MCDPA violations, and the text of the act does not specify a minimum penalty for violations. Covered businesses will have a 60-day cure period to remediate alleged violations, which will expire on April 1, 2026.

2024 and Beyond
In addition to Florida, Montana, Oregon and Texas, new consumer privacy laws in Delaware, Iowa and Tennessee will become effective in 2025, and an Indiana law will take effect in 2026. In early January 2024, New Jersey became the first state of the year to pass a comprehensive privacy law, which will also take effect in January 2025. More than nine other states have introduced privacy bills since the start of the new year. Without a federal privacy law in place, covered businesses must continually assess their data privacy strategies to maintain compliance with the evolving patchwork of state laws.

How Can Your Organization Prepare?

  • Identify the new state laws that apply to your organization. The definition of covered business varies in each state and may depend upon factors such as annual revenue, small business or nonprofit status, data processing volume and more. Consult the terms of each privacy law carefully to determine your status as a covered or exempt entity.
  • Prepare for expanded data subject requests. Covered entities must prepare to receive, respond to and certify data subject requests from consumers in additional states. Fulfilling these subject requests will require sound data governance practices that account for the entire life cycle of consumer data—from collection to deletion. Amidst a patchwork of state privacy laws, covered entities might consider siloing consumer data by state of residency or adhering to strict privacy standards that satisfy most compliance criteria.
  • Update privacy policies. While new laws in Florida and Texas will require verbatim disclosures regarding the sale of sensitive and biometric data, other states require the inclusion of specific opt-out mechanisms. Covered entities should assess necessary revisions to external privacy policies on websites, apps and mobile devices, and ensure that such policies accurately reflect new consumer rights.
  • Review retention policies and data impact assessments. Some state laws may create specific data retention limits or impose new responsibilities for high-risk processing activities, such as data impact assessments. Compliance obligations should be thoroughly understood before undertaking any new processing activities that could harm consumer data or data subject rights.
  • Update key contracts. Increasingly, covered entities must reconcile obligations under U.S. state laws with international privacy laws. This process will demand thorough review of vendor agreements, security policies and data processing agreements to ensure that new responsibilities are captured.
These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.