We are midway through 2024, and data privacy continues to dominate headlines and strategic business decisions across industries. Seventeen data privacy laws have been adopted across the U.S., and legislatures are continuing to consider, debate, and adopt new laws every month.
On July 1st, three new state privacy laws go into effect: (1) Texas; (2) Oregon; and (3) Florida. While Texas and Oregon are, in many respects, following the trends set by other privacy laws that are already in effect in the U.S., Florida is breaking with tradition and approaching the space from a new perspective with a Digital Bill of Rights and narrowly focusing on large ($1 billion plus) companies.
Businesses are increasingly exhausted by the complex data privacy legal landscape across the U.S. So, understanding how these new laws may impact their privacy strategy is a key step in the coming weeks. But the good news is that for the most part, these laws align with key privacy laws such as Colorado and Virginia, making compliance (assuming a business is already in compliance with those jurisdictions) a much easier process.
For businesses, it is important to conduct an initial assessment to determine if these new laws even apply to the businesses' operations. This is where the specific language of each statute is important to understand and apply:
Many, if not most, of the state privacy laws recognize certain exemptions to their requirements depending on the industry, type of data, or other regulatory requirements that a business may face. It is important, when reviewing these exemptions, to determine if the exemptions are entity-level or data-level exemptions. Entity-level exemptions mean that if an entity qualifies for an exemption, all of the business' operations are typically exempt from the privacy law. Conversely, if the law provides for a data-level exemption, only the data itself is exempted from the privacy law, and the entity may still have compliance obligations for non-exempted data.
All three of these upcoming laws maintain important exemptions to their requirements. For example, Oregon exempts data collected for Fair Credit Reporting Act purposes, employment purposes, and under the Gramm-Leach-Bliley Act, among many other exemptions. Interestingly, Oregon does not exempt nonprofits, which have generally been exempted from the state privacy laws that have gone into effect so far, although nonprofits are given a longer time period to come into compliance with the law. (Newer state privacy laws, including those of New Jersey and Delaware, also do not exempt nonprofits from their requirements.)
If your business is already in a regulated industry, or dealing with highly regulated data, it is important to determine whether an exemption under one of these laws applies to your operations.
Compliance for these three new laws needs to be broken into two different focuses: on the one side, there is compliance with Oregon and Texas, both of which align with the more standard U.S. state privacy law approach. Requirements include many different proactive requirements, including:
Turning to Florida, the law is very different. Arguably, it is not a comprehensive privacy law; instead, it is a law narrowly focused on large businesses in Florida and on search engines. While many of the requirements will look familiar (privacy notices, data rights, and privacy assessments), it also includes requirements restricting government moderation of social media platforms and provides more robust protections for children's personal information in the digital sphere.
A main driving force of compliance is understanding the potential costs and fines allowed for under each privacy law. For all three of these laws, the Attorney General in each state is the sole enforcer of the law. There are no private rights of action under these laws. And the penalties are generally aligned with other states: Texas and Oregon both allow for civil penalties of up to $7,500 per violation; Florida allows for civil penalties of up to $50,000 per violation, and tripled penalties for certain violations, such as those involving a known child.
In short, privacy continues to dominate business strategy in 2024. As more and more states adopt privacy laws, and those privacy laws go into effect, it is harder for businesses to avoid the impact of privacy on their businesses. Understanding the impact and requirements of these laws is a good starting point to creating a mature and comprehensive approach to data privacy and information governance.
________________________________________
NOTE: Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.