By Jordan Fischer
Mon | Jul 1, 2024 | 10:09 AM PDT

We are midway through 2024, and data privacy continues to dominate headlines and strategic business decisions across industries. Seventeen data privacy laws have been adopted across the U.S., and legislatures are continuing to consider, debate, and adopt new laws every month.

On July 1st, three new state privacy laws go into effect: (1) Texas; (2) Oregon; and (3) Florida. While Texas and Oregon are, in many respects, following the trends set by other privacy laws that are already in effect in the U.S., Florida is breaking with tradition and approaching the space from a new perspective with a Digital Bill of Rights and narrowly focusing on large ($1 billion plus) companies.

Businesses are increasingly exhausted by the complex data privacy legal landscape across the U.S. So, understanding how these new laws may impact their privacy strategy is a key step in the coming weeks. But the good news is that for the most part, these laws align with key privacy laws such as Colorado and Virginia, making compliance (assuming a business is already in compliance with those jurisdictions) a much easier process.

First step: Do these laws apply to your business?

For businesses, it is important to conduct an initial assessment to determine whether these new laws even apply to the business's operations. This is where the specific language of each statute is important to understand and apply:

  • The Florida Digital Bill of Rights applies to entities that (1) conduct business in Florida, or produce a product or service used by Florida residents; and (2) process or engage in the sale of personal data. Additionally, the law does not apply to a business if it has less than $1 billion in gross annual revenue.
  • The Texas Data Privacy and Security Act applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a "small business" as defined by the U.S. Small Business Administration.
  • The Oregon Consumer Privacy Act applies to entities that conduct business in Oregon, or that provide products or services to Oregon residents; and that, during a calendar year, control or process (1) the personal data of 100,000 or more consumers (excluding personal data that is controlled or processed solely for the purpose of completing a payment transaction); or (2) the personal data of 25,000 or more consumers when the business derives 25% or more of its annual gross revenue from selling personal data.

Second step: Can my business take advantage of any carve outs or exemptions?

Many, if not most, of the state privacy laws recognize certain exemptions to their requirements depending on the industry, the type of data, or other regulatory requirements that a business may face. When reviewing these exemptions, it is important to determine whether they are entity-level or data-level exemptions. An entity-level exemption means that if an entity qualifies for the exemption, all of the business's operations are typically exempt from the privacy law. Conversely, if the law provides for a data-level exemption, only the data itself is exempted from the privacy law, and the entity may still have compliance obligations for non-exempted data.

All three of these upcoming laws maintain important exemptions to their requirements. For example, Oregon exempts data collected for Fair Credit Reporting Act purposes, employment purposes, and under the Gramm-Leach-Bliley Act, among many other exemptions. Interestingly, Oregon does not exempt nonprofits, which have generally been exempted from the state privacy laws that have gone into effect so far, although nonprofits are given a longer time period to come into compliance with the law. (Newer state privacy laws, including those of New Jersey and Delaware, also do not exempt nonprofits from their requirements.)

If your business is already in a regulated industry, or deals with highly regulated data, it is important to determine whether an exemption under one of these laws applies to your operations.

Third step: Assuming my business needs to comply, what does compliance mean under these new laws?

Compliance with these three new laws needs to be broken into two different focuses. On the one side, there is compliance with Oregon and Texas, both of which align with the more standard U.S. state privacy law approach. Their requirements include many proactive obligations, including:

  • Privacy policies and transparency in the collection and processing of personal information;
  • Data privacy rights and opt-out rights for the sharing of personal information;
  • Data privacy impact assessments for higher risk personal information and processing activities;
  • Reasonable security controls for personal information; and
  • Contractual provisions between businesses and service providers to address the processing of personal information.

Turning to Florida, the law is very different. Arguably, it is not a comprehensive privacy law; it is instead a very narrowly focused law aimed at large businesses in Florida and search engines. While many of the requirements will look familiar (privacy notices, data rights, and privacy assessments), it also includes requirements restricting government moderation of social media platforms, and it provides more robust protections for children's personal information in the digital sphere.

Fourth step: What are the penalties if I am not compliant with any of these laws?

A main driving force of compliance is understanding the potential costs and fines allowed for under each privacy law. For all three of these laws, the Attorney General of each state is the sole enforcer of the law; there is no private right of action under any of them. The penalties are generally aligned with those of other states: Texas and Oregon both allow for civil penalties of up to $7,500 per violation, while Florida allows for civil penalties of up to $50,000 per violation, tripled for certain violations, such as those involving a known child.

In short, privacy continues to dominate business strategy in 2024. As more and more states adopt privacy laws, and as those laws go into effect, it becomes harder for businesses to avoid the impact of privacy on their operations. Understanding the impact and requirements of these laws is a good starting point for creating a mature and comprehensive approach to data privacy and information governance.

________________________________________
NOTE: Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.