Since the passage of the California Consumer Privacy Act (“CCPA”) in 2018 and its amendment in 2020 by the California Privacy Rights Act (“CPRA”), a rapidly increasing number of U.S. states have passed comprehensive data privacy legislation that broadly protects the personal data of their residents and gives residents a wide range of rights and choices with regard to the collection and use of their personal data. Modeled after the CCPA/CPRA, these new state data privacy laws provide state residents a wide range of rights with respect to their personal data, including the right to know what personal data is being collected and how it is used by the business through disclosures in a privacy policy, the right to correct or delete their personal data held by the business, and the right to opt out of sales of their personal data. In 2023 alone, comprehensive data privacy laws became effective in four states (Colorado, Connecticut, Utah and Virginia). 2024 will see comprehensive data privacy laws go into effect in Montana, Oregon, and Texas. The following is a brief overview of the key points of each of these new state data privacy laws going into effect in 2024.
Montana: The Montana Consumer Data Privacy Act (“MTCDPA”) will go into effect on October 1, 2024. The MTCDPA will apply to businesses that: (1) control or process the personal data of at least 50,000 Montana residents, or (2) control or process the personal data of 25,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data. The MTCDPA carries fines of up to $7,500 per violation after a 60-day cure period and is enforced by the Montana Attorney General, with no private right of action for violations.
Oregon: The Oregon Consumer Privacy Act (“OCPA”) will go into effect on July 1, 2024. The OCPA will apply to businesses and non-profits that: (1) control or process the personal data of 100,000 or more Oregon residents, or (2) control or process the personal data of 25,000 or more Oregon residents, while deriving 25% or more of gross revenue from selling personal data. The penalties for violations of the OCPA consist of up to $7,500 per violation after a 30-day cure period. The OCPA is enforced exclusively by the Oregon Attorney General and there is no private right of action.
Texas: The Texas Data Privacy and Security Act (“TDPSA”) will become effective on July 1, 2024. Unlike other state data privacy laws which have annual revenue thresholds or require personal data to be collected from a certain number of state residents, the TDPSA will apply to businesses that: (1) conduct business in Texas or produce products or services consumed by Texas residents, or (2) process or engage in the sale of personal data and are not “small businesses” as defined by the U.S. Small Business Administration (SBA). The TDPSA is enforced exclusively by the Texas Attorney General with no private right of action, and the penalties for violations consist of fines of up to $7,500 per violation after a 30-day cure period.
Businesses with significant nationwide consumer-facing operations or those with a significant presence in these specific states with comprehensive data privacy laws should review their current data privacy policies and determine if further updates are needed for compliance. If you have any questions about how these new state data privacy laws may apply to your business, please contact your Masuda Funai relationship attorney for a consultation.
Masuda Funai is a full-service law firm with offices in Chicago, Detroit, Los Angeles, and Schaumburg.
©2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended solely for informational purposes and you should not act or rely upon information contained herein without consulting a lawyer for advice. This publication may constitute Advertising Material.