Three states have data privacy laws taking effect as soon as July.
06/12/2024 2:20 P.M.
2.5 minute read
Privacy laws in three states—Montana, Oregon, and Texas—will take effect starting in July 2024. In a recent ACA Huddle webinar, Leslie Bender, senior counsel at Eversheds Sutherland, noted that all three provide consumers with the right to know what information you’re collecting about them, the right to be forgotten, and the right to know who’s accessing their information.
“These laws basically give huge superpowers to state attorney generals to enforce them,” she said.
Here’s an overview of the newest state privacy laws:
Montana
The Montana Consumer Data Privacy Act applies to companies that conduct business in Montana or that produce products or services that are targeted to Montana residents and:
- Control or process personal data of at least 50,000 consumers; or
- Control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
With the state’s small population, the thresholds are lower than in other states.
It takes effect Oct. 1, 2024.
Oregon
The Oregon Consumer Privacy Act (OCPA) outlines obligations for businesses that collect, use, store, disclose and analyze data as well as entities that process personal data on behalf of those businesses. It applies to any company that conducts business in Oregon or provides products or services targeted to Oregon residents, and during a calendar year, controls or processes the personal data of:
- 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
- 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
The OCPA provides an exemption to personal data subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
It takes effect July 1, 2024.
Texas
The Texas Data Privacy and Security Act applies to anyone conducting business in the state of Texas and to any products or services consumed by Texas residents.
“However, the TDPSA carved an exception for companies defined as ‘small businesses’ by the U.S. Small Business Administration,” according to a from ACA member firm Troutman Pepper. “Other entities exempted from the TDPSA include financial institutions, nonprofits, and higher education institutions. Certain data also exempted includes protected health information under the Health Insurance Portability and Accountability Act and data regulated under the Fair Credit Reporting Act.”
Most provisions take effect July 1, 2024. Some components, such as universal opt-out mechanisms, don’t take effect until January 2025.
To learn more, listen to the recording of a recent ACA Huddle, “AI and Privacy Laws in 2024,” right here.
Subscribe to ACA International’s State Guide Cohort and join our monthly webinar series for additional updates on state laws and practices. The next webinar is in July.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org.