Since the passage of the California Consumer Privacy Act (“CCPA”) in 2018 and its amendment in 2020 by the California Privacy Rights Act (“CPRA”), a rapidly-increasing number of U.S. states have passed comprehensive data privacy legislation that broadly protects the personal data of their residents and gives residents a wide range of rights and choices with regard to the collection and use of their personal data. Modeled after the CCPA/CPRA, these new state data privacy laws provide state residents a wide range of rights with respect to their personal data, including the right to know what personal data is being collected and how it is used by the business through disclosures in a privacy policy, the right to correct or delete their personal data held by the business, and the right to opt-out of sales of their personal data. In 2023 alone, comprehensive data privacy laws became effective in four states (Colorado, Connecticut, Utah and Virginia). 2024 will see comprehensive data privacy laws go into effect in Montana, Oregon, and Texas. The following is a brief overview of the key points of each of these new state data privacy laws going into effect in 2024.
Montana: The Montana Consumer Data Privacy Act (“MTCDPA”) will go into effect on October 1, 2024. The MTCDPA will apply to businesses that: (1) control or process the personal data of at least 50,000 Montana residents, or (2) control or process the personal data of 25,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data. The MTCDPA carries fines of up to $7,500 per violation after a 60-day cure period and is enforced by the Montana Attorney General, with no private right of action for violations.
Oregon: The Oregon Consumer Privacy Act (“OCPA”) will go into effect on July 1, 2024. The OCPA will apply to businesses and non-profits that: (1) control or process the personal data of 100,000 or more Oregon residents, or (2) control or process the personal data of 25,000 or more Oregon residents, while deriving 25% or more of gross revenue from selling personal data. The penalties for violations of the OCPA consist of up to $7,500 per violation after a 30-day cure period. The OCPA is enforced exclusively by the Oregon Attorney General and there is no private right of action.
Texas: The Texas Data Privacy and Security Act (“TDPSA”) will become effective on July 1, 2024. Unlike other state data privacy laws which have annual revenue thresholds or require personal data to be collected from a certain number of state residents, the TDPSA will apply to businesses that: (1) conduct business in Texas or produce products or services consumed by Texas residents, or (2) process or engage in the sale of personal data and are not “small businesses” as defined by the U.S. Small Business Administration (SBA). The TDPSA is enforced exclusively by the Texas Attorney General with no private right of action, and the penalties for violations consist of fines of up to $7,500 per violation after a 30-day cure period.
Businesses with significant nationwide consumer-facing operations or those with a significant presence in these specific states with comprehensive data privacy laws should review their current data privacy policies and determine if further updates are needed for compliance. If you have any questions about how these new state data privacy laws may apply to your business, please contact your Masuda Funai relationship attorney for a consultation.
© 2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. 本書は、特定の事実や状況に関する法務アドバイスまたは法的見解に代わるものではありません。本書に含まれる内容は、情報の提供を目的としたものです。かかる情報を利用なさる場合は、弁護士にご相談の上、アドバイスに従ってください。本書は、広告物とみなされることもあります。