Get Your Privacy Program Ready as Six Additional States Adopt New Laws
By Thomas DeMayo, Robert Gaines, Keith Hartigan and Sasha Christian
Earlier this month, enforcement began for four states – Texas, Oregon, Florida and Montana – with new consumer privacy laws aimed at protecting their residents’ personal data and establishing requirements for businesses regarding the collection, processing and storage of personal data. Last month, the Minnesota and Rhode Island legislatures passed comparable consumer privacy laws to go into effect over the next 18 months. These new state laws are for:
- Texas: Texas Data Privacy and Security Act (TDPSA)
- Oregon: Oregon Consumer Privacy Act (OCPA)
- Florida: The Florida Digital Bill of Rights (FDBR)
- Montana: Montana Consumer Data Privacy Act (MTCDPA)
- Minnesota: Consumer Data Privacy Act (MN-CDPA)
- Rhode Island: Data Transparency and Privacy Protection Act (DTPPA)
These states follow similar paths toward consumer data protection: California (CCPA), Virginia (VCDPA), New York (SHIELD) and others.
While each law approaches privacy and data protection similarly, the specific details of each are worth noting.
Resident Rights
Almost all the new laws have controls over the ability of residents to regulate the use of their personal data. The only differences among the six are opt-in rights and the right of appeal.
| Data Subject Rights | Texas | Oregon | Florida | Montana | Minnesota | Rhode Island |
| Confirmation of personal data being processed | X | X | X | X | X | X |
Correct inaccuracies in personal data | X | X | X | X | X | X |
Delete personal data | X | X | X | X | X | X |
Obtain a copy of collected personal data | X | X | X | X | X | X |
Opt out of the processing, sale or use of personal data | X | X | X | X | X | X |
Opt-in rights for advertising and targeted marketing to individuals aged 13 to 16 | X | X | ||||
The right to appeal rights requests that have not been fulfilled | X | X | ||||
The right to question profiling determinations significantly impacting the consumer | X |
Controllers
A data controller is responsible for deciding how and why personal data is processed and ensuring that such processing complies with applicable privacy laws. Because a controller decides what personal data to collect and the reasons for collecting it, all laws have specific requirements for controllers.
| Controller Requirements | Texas | Oregon | Florida | Montana | Minnesota | Rhode Island |
Rights to access, delete and correct personal information | X | X | X | X | X | X |
Opt out of the sale of personal information | X | X | ||||
Opt out of the processing of personal information | X | X | ||||
Obtain consent to collect consumer’s sensitive information | X | X | ||||
Implement administrative, technical and physical controls to enforce data security | X | X | X | X | ||
Conduct data protection assessments | X | X | X | X | X | X |
Provide security notice if sensitive data is being sold | X | X | X | X | ||
Provide security notice if biometric data is being sold | X | X | ||||
Timely notification to affected individuals of a data breach | X | |||||
Required to adhere to the Children’s Online Privacy Protection Act (COPPA) | X | X | X | |||
Required to adhere to special provisions relating to children’s data (not specifically COPPA) |
|
| X |
| X |
|
Maintain and use the data in de-identified form | X | X |
Processors
A processor is an entity that processes personal data on behalf of a controller, following the controller’s instructions and ensuring compliance with relevant privacy laws. Only Texas and Oregon currently have requirements for processors in effect.
| Processor Requirements | Texas | Oregon | Florida | Montana | Minnesota | Rhode Island |
Assist controllers in meeting data privacy obligations | X | X |
|
| X |
|
Provide a way for consumers to opt out of the sale of their data | X |
|
Entity Exemptions
Many of the states have specific exemptions to their laws to ensure that regulations do not overlap or to narrow the scope of their oversight.
| Exemptions | Texas | Oregon | Florida | Montana | Minnesota | Rhode Island |
Small businesses | X | X | ||||
Electric utilities, power generation companies and retail electric providers | X | |||||
Financial institutions subject to Title V of the Gramm-Leach-Bliley Act | X | X | X | X | X | X |
Covered entities and business associates governed by HIPAA | X | X | X | X | X | X |
State agencies and political subdivisions | X | X | ||||
Nonprofit organizations | X | X | X | |||
Institutions of higher education | X | X | X | X | ||
Processing data solely for advertising analytics | X |
Reach
All these state-level data privacy laws have extraterritorial reach. This means that any company, regardless of its physical location, must comply with the state law if it processes the personal data of its residents. This ensures that the privacy rights of state residents are protected even when their data is handled by businesses outside of the state.
Enforcement
The enforcement of all these new laws is expected to be aggressive, with oversight from the State Attorney General or a designated department and heavy fines for violations. However, it is important to note that only Oregon has a clause for Private Right to Action: the ability of individuals or consumers to file a lawsuit against an organization or entity that has violated their privacy rights. All other states have enforcement through the Attorney General’s office only.
Call to Action
Having a formal privacy program has become a necessity. As more states continue to adopt their own laws, navigating the regulations will become increasingly more complex. If you are a business that processes personal data in a manner by which you will be subject to the new laws, we recommend you review your privacy policy and program to ensure you incorporate any nuances these laws require. This is inclusive of updating your incident response plan to account for the notification process in those states. If you do not have a formal privacy policy and program, there is no better time but the present to undertake the initiative.
Contact Us
We have a team of Cybersecurity and IT Privacy professionals who specialize in helping organizations develop well-structured privacy programs that are foundational, strong and nimble to adapt to new regulations as they arise. If these new regulations impact your business and you need assistance, please contact your client service team or any of the following:
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
Cybersecurity and Privacy Advisory
tdemayo@pkfod.com | 646.449.6353
Robert Gaines, CISSP, CECI, CCFI, CIPP/US
Director
Cybersecurity and Privacy Advisory
rgaines@pkfod.com | 425.518.1974
Keith Hartigan
Manager, Cybersecurity and Privacy Advisory
khartigan@pkfod.com | 301.652.3464
Sasha Christian
Manager, Cybersecurity and Privacy Advisory
schristian@pkfod.com | 215.809.9542
References
- Texas Data Privacy And Security Act | Office of the Attorney General
- Are You Ready For the Texas Data Privacy and Security Act? | The National Law Review
- Online Personal Data Protection Law Takes Effect in Texas | Civil Society | The Texan
- CS/CS/SB 262 — Technology Transparency | The Florida Senate
- Rhode Island Legislature Passes Consumer Data Privacy Act | Byte Back | Husch Blackwell
- No Longer Adrift in the Ocean State: Rhode Island Enacts Consumer Data Privacy Law | The National Law Review
- Montana Consumer Data Privacy Act Signed Into Law | Davis Wright Tremaine LLP
- Oregon Passes Comprehensive Privacy Law | Reuters
- Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20? | Squire Patton Boggs
- US State Privacy Legislation Tracker 2024 | iapp