Three More States Pass Data Privacy Laws
Eleven States Now Have Comprehensive Data Privacy Legislation
Texas, Florida, and Oregon are the latest states to join the growing landscape of data privacy laws. While the Texas Data Privacy and Security Act and Oregon Consumer Privacy Act bear similarities to previously enacted comprehensive privacy laws in other states, Florida’s Digital Bill of Rights is targeted at big tech companies and thus has a narrower scope than the other laws.
With most states’ legislative sessions over for 2023, unless Oregon Governor Tina Kotek vetoes the bill sent to her desk, there will be 11 states with comprehensive data privacy laws. Before 2023, only five states had passed such laws.
Texas Data Privacy and Security Act
Key takeaways: The Texas Data Privacy and Security Act, which takes effect July 1, 2024, is similar to the Virginia Consumer Data Protection Act, but will apply to a wider range of entities nationwide given its lack of a monetary threshold.
On June 18, 2023, Texas enacted the Texas Data Privacy and Security Act (the “Texas Law”). The Texas Law applies to any individual or business that (1) conducts business in Texas or produces a product or service consumed by Texas residents, (2) processes or engages in the sale of personal data, and (3) is not a “small business” as defined by the federal Small Business Administration. In contrast to other state data privacy laws, the law does not attach any monetary thresholds to its applicability criteria. Given the lack of a monetary threshold and considering that “processing” includes any “collection, use, storage, disclosure, analysis, deletion, or modification of personal data,” many individuals and businesses will be subject to the Texas Law.
Key Features
While the Texas Law’s consumer rights are generally consistent with those provided by other states, Texas also requires data controllers to recognize universal opt-out mechanisms beginning January 1, 2025, in alignment with Montana, Connecticut and California laws. The Texas Law explicitly states that any agreement to waive or limit consumer rights is contrary to public policy and unenforceable.
Under the Texas Law, controllers are prohibited from processing sensitive data without first obtaining consumer consent. “Sensitive data” is defined as any of the following: (1) personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (2) genetic or biometric data processed for the purpose of uniquely identifying an individual, (3) personal data collected from a known child, or (4) precise geolocation data.
Importantly, the consumer rights and controller duties explained above do not apply to the processing of pseudonymous data if the controller can demonstrate that any information necessary to identifying a consumer is kept separate and that effective control mechanisms are in place to prevent controller access to such information. “Pseudonymous data” refers to personal data which cannot be attributed to a specific individual without the use of additional information.
The Texas Law also requires controllers to utilize data processing agreements and maintain a public privacy policy. The privacy policy must indicate whether the controller sells sensitive personal data or biometric data using the following language: “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric data.”
Enforcement
Like most state data privacy laws, the Texas Law does not grant individuals a private right of action. The Texas Attorney General (“AG”) has the exclusive authority to enforce the law. Before initiating an enforcement action, the AG must provide notice of an alleged violation and allow a 30-day cure period. Controllers who are able to cure the alleged violation must provide a written statement asserting that the alleged violation is cured and that no further violation will occur. Any violation or breach of a written statement provided to the AG is liable for a penalty of up to $7,500 per violation. The AG may also seek an injunction against the controller.
Oregon Consumer Privacy Act
Key takeaways: The Oregon Consumer Privacy Act is among the more consumer-friendly laws passed in 2023 and shares some features of the Colorado Privacy Act and Connecticut Data Privacy Act. However, the Act contains some novel components that may require new operational procedures.
On June 22, 2023, the Oregon legislature passed the Oregon Consumer Privacy Act (“Oregon Law”). Unless vetoed by the governor, the Oregon Law will go into effect July 1, 2024. The Oregon Law utilizes an applicability threshold similar to most other state privacy laws, applying to persons conducting business in Oregon or providing products and services to Oregon residents that either 1) control or process the personal data of 100,000 or more Oregon consumers in a calendar year, or 2) control or process the personal data of 25,000 or more Oregon consumers and derive 25% or more of their gross annual revenue from selling personal data. Like all current state privacy laws other than California, the Oregon Law exempts B2B and employment related data. Notably, the Oregon Law does not contain the entity-level Gramm-Leach-Bliley Act (“GLBA”), Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but instead includes only information-level exemptions for data subject to these laws. The Oregon Law also does not include the broad exemption for non-profit organizations found in other state laws.
Key Features
The Oregon Law’s definition of personal data is broader than that of other state privacy laws, consisting of “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.” The inclusion of derived data is notable as it would encompass inferences made by the controller based on the consumer’s data, a category of data that is commonly used for profiling and marketing purposes. In addition, controllers must include in their publicly available privacy notice the express purposes for which personal data is collected and processed.
Sensitive data includes the categories set forth in most other laws and also includes a consumer’s national origin, status as transgender or nonbinary, and status as a victim of a crime. A controller may not process sensitive data without the consumer’s consent. The Oregon Law’s definition of biometric data is also unique. While it includes the data categories set forth in other state privacy laws, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer, it does not require that such data actually be used for identification purposes in order to qualify as biometric data.
The Oregon Law contains consumer rights consistent with those found in other state privacy laws, as well as a new right for consumers to obtain a list of specific third parties with whom the controller has shared the consumer’s personal data, or personal data generally. The requirement that specific third parties, rather than categories of third parties, be named is intended to help consumers track their data downstream and effectively exercise their consumer rights. The Oregon Law also includes an express right for consumers to request the deletion of derived data. Notably, pseudonymized data is not exempt from consumer requests. Like California, Colorado, Connecticut, and Montana, controllers that sell personal data or use personal data for targeted advertising must a respond to opt-out preference signals beginning January 1, 2026.
Enforcement
The Oregon Law does not provide a provide right of action. The Oregon Attorney General (“AG”) has exclusive enforcement authority and may seek injunctive relief and civil penalties of up to $7,500 for each violation. Until January 1, 2026, the AG must provide notice of any alleged violations and a 30-day cure period prior to bringing an enforcement action.
Florida Digital Bill of Rights
Key takeaways: The Florida Digital Bill of Rights differs greatly from other state privacy laws both in its scope, with businesses with less than $1 billion in gross annual revenue exempt from the law, and in its substantive content.
Florida has also enacted a new privacy law, dubbed the Florida Digital Bill of Rights (“Florida Law”). The Florida Law was signed into law on June 6, 2023 and will take effect on July 1, 2024. The Florida Law sets a high threshold for applicability, limiting “controllers” to for-profit entities with global annual revenues of at least $1 billion. It also restricts applicability to those controllers who are both: (1) conducting business in Florida or producing a product or service used by Florida residents, and (2) processing or engaging in the sale of personal data.
Key Features
Florida grants consumers the ability to exercise rights consistent with those found in other state data privacy laws. Controllers must obtain consumer consent before selling sensitive data, which includes any of the following: (1) personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, (2) genetic or biometric data processed for the purpose of uniquely identifying an individual, (3) personal data collected from a known child, or (4) precise geolocation data. Importantly, “child” is defined by statute as any individual younger than 18 years of age. Like the Texas Law, the FDBR provides that a privacy policy must indicate whether the controller sells sensitive personal data or biometric data using the following language: “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric data.”
The Florida Law is unique in several other respects:
- The Florida Law prohibits certain features of devices (voice/facial recognition, video/audio recording, or any other electronic visual, thermal, or olfactory features) from being used for surveillance by a controller, processor, or affiliate thereof without the consumer’s active authorization.
- While other state data privacy laws include a general data retention requirement, the Florida Law requires controllers and processors to implement a specific data retention schedule with prohibitions on the use and retention of data after two years, with some exceptions.
- Also enacted with the Florida Law was accompanying legislation which prohibits online platforms that provide an online service, product, game, or feature that is likely to be predominantly accessed by children from processing the personal information of any known child, profiling a child (unless a two-pronged exception is met), or collecting, selling, sharing, or retaining any personal information belonging to the child which is not necessary to provide the service, product, or feature (unless a compelling reason exists and there is no substantial harm or privacy risk to children). The legislation also prohibits using any personal information collected to estimate age or age range of the users for any other purpose, and prohibits retention of such information for longer than reasonably necessary for age estimation.
- Controllers who operate search engines also must make available, in an easily accessible location on the webpage, an up-to-date plain language description of the main parameters that are individually and collectively the most significant in determining ranking and the relative importance of those main parameters.
Enforcement
Like most other states, the Florida Law provides no private right of action and will be enforced exclusively by the Office of the Attorney General’s Department of Legal Affairs (the “Department”). Prior to bringing an enforcement action, the Department may provide notice of any alleged violations and provide a 45-day cure period. The decision to grant a cure period is generally discretionary and, in making the determination, the Department considers the number and frequency of alleged violations, the substantial likelihood of injury to the public, and the safety or persons or property. However, when the alleged violation involves a known child, no cure period is available. Violations of the Florida Law are considered to be unfair and deceptive trade practices for purposes of other state laws, and the Department may impose penalties of up to $50,000 per violation. Penalties may be trebled for any of the following: (1) a violation involving a known child; (2) failure to delete or correct consumer’s personal data after receiving an authenticated consumer request or directions from a controller to do so, unless an exception applies; or (3) continuing to sell or share a consumer’s personal data after the consumer chooses to opt out.
Koley Jessen will continue to monitor developments related to these laws and advise as updates become available. If you have questions on whether your business needs to comply with the law or what steps you must take to comply, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.
Special thanks to summer associate Nathan Sheeley for his contributions to this article.