06/28/2024 | News release | Distributed by Public on 06/28/2024 08:01
In addition to the comprehensive state privacy laws that took effect in 2023, state legislatures have continued to pass new comprehensive privacy laws protecting consumers' personal data. Five state laws took effect through 2023, three additional broadly applicable laws will take effect this year, eight will become effective in 2025, and three more states have enacted laws set to take effect in 2026. In the years to come, additional states will almost certainly enact legislation to protect their residents' personal information.
Despite digital privacy concerns making national headlines, the United States still has no federal omnibus privacy law. In June 2024, a sprawling federal privacy bill (H.R. 8818, the American Privacy Rights Act) was formally introduced, aiming to standardize privacy law across the nation. Experts are skeptical of its prospects, however. Echoing the fate of a similar bill that stalled in the US Senate in 2022, it was pulled from a June 27 markup over objections by some members of Congress to certain provisions, such as the private right of action. Consequently, as we saw with data breach notification legislation, state laws will continue to proliferate until Congress passes a preemptive bill that the President signs into law.
Managing compliance in the ever-growing digital privacy landscape is challenging. The first step is as simple as assessing whether a given state's law applies to your business. If it does, each law grants a common set of consumer rights, such as the right to access, correct, delete, and retrieve (port) personal information. However, each law also has distinct features that add complexity to compliance. The following is a brief (non-exhaustive) overview of the applicability and notable features of the state privacy laws taking effect in 2024:
The Florida Digital Bill of Rights (FDBR) imposes obligations on controllers[1] that (1) conduct business in Florida, (2) have annual global revenue of more than $1 billion, and (3) satisfy one of the following criteria:
Compared to other state privacy laws, the FDBR will not apply to many businesses because of its high revenue threshold and narrow criteria. For the controllers to which it does apply, however, there are important differences to consider. Fines may be up to $50,000 per violation (the cap in California is just $2,500 for most violations). Moreover, Florida's broad definition of "personal data," which includes pseudonymous data, expands the scope of compliance obligations. With enforcement by the Florida Department of Legal Affairs looming, covered businesses must carefully craft their data processing policies and practices to avoid substantial fines.
The Oregon Consumer Privacy Act (OCPA) applies to any person (not just controllers) that (1) conducts business in Oregon or provides products or services to Oregon residents and (2) during that calendar year does one of the following:
While many state privacy laws exempt both the entities and the data governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), the OCPA exempts only the data governed by those two laws. Following California's lead, entities subject to HIPAA and the GLBA must therefore comply with the OCPA for the personal data those laws do not cover. Notably, nonprofits, which are typically exempt under other state comprehensive privacy laws (Colorado being the exception), are generally not exempt under the OCPA; however, 501(c)(3) nonprofits do not need to comply until July 1, 2025.
The Texas Data Privacy and Security Act (TDPSA) applies to any person that meets all three of the following:
Notwithstanding its low applicability thresholds, the TDPSA is generally considered more business-friendly than other privacy laws. It gives businesses 30 days to cure an alleged violation after receiving notice from the attorney general. Notably, unlike in California or Colorado, this cure period does not sunset, so a business can avoid penalties indefinitely provided it cures each violation promptly (where a cure is possible). Some features of the TDPSA are less business-friendly, however, such as the additional disclosures required of entities that sell sensitive or biometric information.
The Montana Consumer Data Privacy Act (MCDPA) applies to persons that (1) conduct business in Montana or produce products or services targeted to Montana residents and (2) do at least one of the following:
The MCDPA is one of the strictest state comprehensive privacy laws. It has a low applicability threshold, which may be a product of the state's small population. The most significant concern for businesses, however, is that the MCDPA does not specify a cap on monetary penalties for violations. This leaves the Montana attorney general with discretion to impose higher fines than are available in any other state.
We are still in the early stages of this legislative wave. As new state laws continue to come into effect, it is crucial for businesses to invest in robust compliance programs and seek guidance. ArentFox Schiff regularly assists clients in navigating this complex legislative and regulatory environment, ensuring that their privacy policies and personal data processing practices meet the diverse requirements of state laws. By staying ahead of the curve, businesses can avoid regulatory penalties, build trust, and thereby enhance loyalty among their customers.
If you have any questions, please contact our Privacy, Data Protection & Data Security team or the ArentFox Schiff attorney with whom you work.
Additional research and writing from John Keblish, a 2024 summer associate in ArentFox Schiff's Washington, DC office and a law student at the University of Maryland Francis King Carey School of Law.
[1] For-profit legal entities that collect consumers' personal data and determine the means of processing it.
[2] A small business that sells sensitive personal data must obtain the consumer's prior consent; otherwise it may be subject to the TDPSA.