New Sweeping Data Privacy Laws On the Horizon, by Richard J. Perr, Esq., 3-21-2024

Posted Mar 21, 2024

A wave of new data privacy laws is slated to take effect in close to a dozen states over the next two years. The number of states passing privacy laws continues to grow in the absence of a federal data privacy law. That could change if the American Data Privacy and Protection Act (ADPPA), currently under Congressional review, gets enacted.

But until then, there continues to be a patchwork of state privacy laws that create a new level of complexity for organizations. Below is a state-by-state breakdown of privacy laws on the slate for 2024 and 2025:

2024

Florida

Florida’s Digital Bill of Rights (SB 262), effective July 1, 2024, is probably the least restrictive of the pending data privacy laws due to its higher revenue thresholds. Notably, the law does not apply to businesses with less than $1 billion in global gross annual revenue.

The law gives consumers the following protections:

  • The right to control personal data, including the right to confirm, access, and delete their personal data from a social platform; 
  • The right to know that their personal data will not be used against them when purchasing a home, obtaining health insurance, or being hired; 
  • The right to know how internet search engines manipulate search results; 
  • The right to opt out of having personal data sold; and 
  • The right to protect children from personal data collection.

It applies to “controllers” conducting business in Florida that collect personal data about consumers, or are the entities on behalf of which such information is collected, and that satisfy at least one of the following:

  • Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

Oregon

The Oregon Consumer Privacy Act (SB 619), which relates to protections of the personal data of consumers, will take effect July 1, 2024, with the exception of some amendments to certain provisions that do not take effect until Jan. 1, 2026.

The law applies to entities that conduct business in Oregon or provide products or services to state residents and that, during a calendar year, control or process:

  • Personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Personal data of 25,000 or more consumers, while deriving 25% or more of its annual gross revenue from selling personal data.

There are certain exemptions both for entities, including public corporations, and for data, including certain protected health information. There is a separate effective date for nonprofits, which is July 1, 2025.

Texas

The Texas Data Privacy and Security Act (HB 4) is set to take effect on July 1, 2024 and essentially regulates how businesses collect, use, and process the personal data of Texas consumers. Certain provisions relating to opt-outs and designating authorized agents to act on the consumer’s behalf won’t go into effect until January 1, 2025.

The obligations of this law apply to a person that:

  • Conducts business in Texas or produces a product or services consumed by residents of the state;
  • Processes or engages in the sale of personal data; and,
  • Is not a small business as defined by the United States Small Business Administration.

Unlike some other state privacy laws, the legislation has no specific thresholds related to annual revenue or volume of personal data processed. There are certain exemptions including a state agency or political subdivision of the state and a nonprofit organization.

Montana

The Montana Consumer Data Privacy Act (SB 384) protects the privacy and data rights of Montana residents. It goes into effect October 1, 2024.

The law applies to persons that conduct business in the state or persons that produce products or services that are targeted to residents of the state and:

  • Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or,
  • Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Like some of the other privacy laws, there are certain exemptions including individuals acting in a commercial or employment context and nonprofit organizations.

2025

New Jersey

New Jersey started the New Year with Governor Phil Murphy signing a new data privacy law (SB 332) on January 16, 2024. It goes into effect on January 15, 2025.

New Jersey’s Data Privacy law applies to “controllers” that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either:

  1. Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

The controller has certain obligations including providing to the consumer a “reasonably accessible, clear, and meaningful” privacy notice that includes, among other things, the categories of the personal data that the controller processes.

Delaware

The Delaware Personal Data Privacy Act (HB 154) becomes effective on January 1, 2025 with the exception of certain provisions relating to opt-outs taking effect January 1, 2026. It applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following:

  1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

There are certain exceptions including government entities.

Iowa

Iowa’s Consumer Data Protection Act (SF 262) will become effective on January 1, 2025. The bill applies to persons conducting business in the state or producing products or services targeted to Iowans that:

  • annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of personal data.

The law’s definition of consumer excludes individuals acting in a commercial or employment context. Unlike some other state privacy laws, this Act does not include a minimum annual revenue threshold.

Tennessee

The Tennessee Information Protection Act (HB 1181) will take effect on July 1, 2025 and applies to persons that conduct business in the state and produce products or services that target state residents and that:

  1. Exceed $25,000,000 in revenue; and
  2. (a) Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
    (b) During a calendar year, control or process personal information of at least 175,000 consumers.

There are certain exemptions including for licensed insurance companies, the first state law to include that category exemption.

New Hampshire

The New Hampshire Senate passed the New Hampshire Privacy Act (SB 255) on January 18. It awaits the Governor’s signature but is slated to take effect January 1, 2025.

The statute applies to persons that conduct business in the state or persons that produce products or services that are targeted to state residents that during a one-year period:

  1. Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

It excludes individuals acting in a commercial or employment context.

Kaufman Dolowich Can Help

Navigating the patchwork of various state privacy rules can be an unwieldy task. Kaufman Dolowich’s team of skilled Financial Services & Institutions attorneys has a wide breadth and depth of experience dealing with these matters. If you need assistance in complying with the ever-evolving regulatory environment, we can help.