In the absence of federal legislation, state legislatures continue to take the lead on privacy regulation. In 2024, new privacy laws go into effect in Florida, Montana, Oregon, Texas and Washington. These laws give individuals more control over the collection, processing, sharing and sale of their personal data, and they require certain companies doing business in these states to furnish privacy notices, provide opt-out choices and limit their collection of personal information. Now is a good time for organizations to revisit their data privacy strategy to ensure they are prepared to comply.
March 31, 2024:
- Washington: The Washington My Health My Data Act goes into effect. The law focuses exclusively on regulating consumer health data that falls outside the scope of HIPAA (the Health Insurance Portability and Accountability Act). It applies to regulated entities that collect, store and share consumer health data, requires consent before that data is collected or shared, requires a signed authorization from the consumer before the data is sold, and gives consumers a private right of action when an entity violates the law. The law also prohibits implementing a geofence around a facility that provides in-person health care services where the geofence is used to identify or track consumers, collect their health data, or send them notifications or advertisements.
July 1, 2024:
Three state privacy laws take effect:
- Oregon: The Oregon Consumer Privacy Act covers businesses that conduct business in the state, or provide products or services to Oregon residents, and that control or process: (1) the personal data of 100,000 or more Oregon consumers (excluding data processed solely to complete a payment transaction); or (2) the personal data of 25,000 or more Oregon consumers while deriving 25% or more of their annual gross revenue from selling personal data. The law requires a controller to obtain opt-in consent before processing the data of a consumer it knows is aged 13 to 15 for targeted advertising, sale or profiling, and it gives consumers the right to opt out of those uses of their data.
- Texas: The Texas Data Privacy and Security Act has no volume or revenue thresholds. It applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents, and that processes or sells personal data. Covered entities must conduct data protection assessments for higher-risk processing, such as targeted advertising, the sale of personal data, profiling and the processing of sensitive data. Small businesses (as defined by the U.S. Small Business Administration) and certain companies in highly regulated industries are exempt, although small businesses still may not sell sensitive personal data without the consumer's consent. The law provides a 30-day cure window that allows a business to correct a violation within 30 days of notice and avoid penalties. Unlike several other state laws, whose cure provisions sunset on a specified date, the Texas cure window has no sunset date and remains part of the law permanently.
- Florida: The Florida Digital Bill of Rights applies only to companies with more than $1 billion in global gross annual revenue that also meet at least one of several narrow criteria, such as deriving 50% or more of that revenue from the sale of online advertisements. It is aimed at "Big Tech" companies and, among other things, prohibits them from collecting data through a device's voice or video recording features when the consumer is not actively using those features, and from doing so without the consumer's express consent.
October 1, 2024:
- Montana: The Montana Consumer Data Privacy Act goes into effect. It applies to controllers that conduct business in Montana or produce products or services targeted to Montana residents and that (1) control or process the personal data of 50,000 or more Montana residents; or (2) control or process the personal data of 25,000 or more Montana residents and derive more than 25% of their annual gross revenue from the sale of personal data. Notably, the 50,000-resident threshold excludes personal data controlled or processed solely to complete a payment transaction. With this law, Montana joins a growing list of states that require controllers to honor a "universal opt-out" mechanism, a browser or device signal through which consumers opt out of targeted advertising and the sale of their personal data; Montana's universal opt-out obligation begins January 1, 2025.
Preparing for State Privacy Requirements
Organizations should determine what laws apply to them and take the following steps in preparation:
- Update privacy policies: Review current privacy notices to ensure they accurately describe the collection, use and sharing of personal information and include details about individuals' data privacy rights under each applicable state law.
- Map data: Perform data mapping exercises to know what personal data you hold, where it came from, where it is stored, who has access to it and which third parties receive it.
- Reduce collection of personal data: Minimize data collection by determining which types of personal data are actually needed for your organization's operations and stop collecting the rest.
- Review processes and protections: Ensure the opt-in and opt-out mechanisms required for the collection, use, sharing and sale of personal data are implemented and tested, including recognition of universal opt-out signals where a state requires it. Companies that collect consumer health data in Washington need mechanisms to obtain consent before collecting or sharing such data with third parties, and a signed authorization before selling it, under the My Health My Data Act.
- Review and update vendor agreements: Assess whether and how vendors and other third parties that operate in Florida, Montana, Oregon, Texas and Washington comply with these laws and update data processing agreements accordingly.
- Review and enhance data security safeguards: Conduct a data protection impact assessment (DPIA) to identify privacy risks in your processing activities, and review, test and enhance the physical, technical and administrative safeguards that protect company information, including personal data.
- Provide training for employees: All employees throughout the company need to be aware of how these new state privacy laws apply to their roles and responsibilities.
Traliant Resources
For more information on Traliant’s Global Data Privacy Awareness training click here.
To register for our March 13 webinar, Navigating the Data Privacy Landscape, at 2 pm ET, click here.