A total of 15 states have taken action to protect consumers’ personal data and regulate businesses’ use of this data. The latest states are Texas, Oregon, and Montana.
In an era where data is the new oil, privacy laws are becoming increasingly important. As of Q1 of 2024, Texas, Oregon, and Montana have joined the growing list of states with active consumer privacy laws. These new laws grant protections for consumers and impose requirements on companies collecting consumer personal data.
Texas Data Privacy and Security Act (TDPSA)
The TDPSA, to be enforced starting July 1, 2024, applies to anyone who conducts business in Texas or produces products or services consumed by Texans and engages in the processing or sale of personal data.
The TDPSA is unique because it applies to companies outside the state even if they do not target Texas consumers. There is no minimum number of Texas residents whose data is processed before a business is subject to the requirements of the law. However, small businesses are exempt unless they sell sensitive data.
The TDPSA grants residents a number of familiar rights. These include the right to confirm whether a controller is processing personal data and to access that data, to correct inaccuracies in their personal data, and to delete personal data provided by or obtained about the consumer. Texans can also obtain a copy of their personal data, if available, in a portable and readily usable format, and opt out of the processing of personal data for targeted advertising, the sale of personal data, or its use for profiling.
Oregon Consumer Privacy Act (OCPA)
The OCPA, which will take effect on July 1, 2024, applies to any company that conducts business in Oregon or produces products or services targeted to Oregon residents and that, during a calendar year, either controls or processes the personal data of at least 100,000 Oregon residents, or controls or processes the personal data of at least 25,000 Oregon residents while deriving more than 25% of its gross revenue from the sale of personal data.
It does not apply to information subject to HIPAA or the GLBA or to personal data processed solely for the purpose of completing a payment transaction. The OCPA grants Oregon residents consumer rights similar to those in other states, including the right to access, correct, delete, and port personal information.
Montana Consumer Data Privacy Act (MCDPA)
The MCDPA, taking effect on October 1, 2024, applies to anyone that conducts business in Montana or produces products or services targeted to Montana and either controls or processes the personal data of at least 50,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or controls or processes the personal data of at least 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.
Overview of Other States’ Privacy Laws
As of February 2024, 14 states - California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia - have enacted privacy laws designed to increase protections for consumers’ personal data, provide consumers with certain rights to control their personal data, and regulate businesses’ use of consumers’ personal data, including sensitive personal data.
These laws grant protections for consumers and impose requirements on companies collecting consumer personal data. While companies whose privacy programs already comply with existing data privacy laws will not have to make significant changes, companies considering data privacy laws for the first time will need to update their privacy policies and develop and implement new processes before the laws take effect.
As privacy laws continue to pop up, it is crucial for businesses to stay informed and adapt their practices accordingly. The enactment of these laws in Texas, Oregon, and Montana is a step towards greater consumer data protection in the United States.