US state privacy law update: what’s on the menu for 2024

In this article, we’ll take a basic overview of the new state privacy laws becoming effective in 2024, what they have in common, and where they differ. Since the Utah Consumer Privacy Act (UCPA) was technically only in effect for one day in 2023, we’ve included it in this 2024 roundup as well.

2023 U.S. comprehensive state privacy recap

We started off 2023 with California’s amendment to the CCPA (California Consumer Privacy Act), the CPRA (the California Privacy Rights Act), going into effect simultaneously with the Virginia Consumer Data Protection Act (VCDPA) in January 2023. Colorado and Connecticut followed suit in July of 2023 as the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) entered into force. Finally, Utah rounded out the year with the Utah Consumer Privacy Act (UCPA) becoming effective on December 31, 2023. 

What’s on the menu for 2024

This July will be a busy one for privacy professionals as comprehensive consumer privacy legislation goes into effect in Florida (the Florida Digital Bill of Rights or FDBR), Texas (the Texas Data Privacy and Security Act or TDPS) and Oregon (the Oregon Consumer Privacy Act or OCPA) on the first of the month. October will see Montana joining the ranks as the Montana Consumer Data Privacy Act (MTCDPA) becomes effective. California businesses will also be required to recognize universal opt-out mechanisms like Global Privacy Control starting July 1, 2024.

Scope – who must comply with these laws?

Utah – The Utah Consumer Privacy Act (UCPA)

The UCPA applies to businesses conducting business in Utah or producing products or services targeted to Utah residents that have annual revenues of $25 million USD or more; AND (i) control or process the personal data of 100,000 or more Utah residents in a calendar year OR (ii) control or process personal data of 25,000 or more Utah residents and derive over 50% of their gross revenue from the sale of personal data.

Oregon – Oregon Consumer Privacy Act (OCPA)

The OCPA applies to businesses that do business in Oregon or that provide products or services to residents of Oregon, AND during a calendar year, control or process: (i) the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; OR (ii) the personal data of 25,000 or more consumers, while deriving 25% or more of their annual gross revenue from selling personal data.

Texas – Texas Data Privacy and Security Act (TDPS)

The TDPS applies to businesses that conduct business in Texas or that generate products or services consumed by Texas residents AND that process consumer personal data AND that do not qualify as a small business within the meaning of the U.S. Small Business Administration definition of the term.

Montana – Montana Consumer Data Privacy Act (MTCDPA)

The MTCDPA applies to businesses that conduct business in Montana, or produce products or services that are targeted to Montana residents AND that: (i) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; OR (ii) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Florida – the Florida Digital Bill of Rights (FDBR)

Most (but not all) of the requirements of the FDBR apply only to for-profit businesses with global gross revenues in excess of one billion dollars, who conduct business in Florida AND who: (i) derive 50% or more of their revenue from online ad sales; (ii) operate a consumer smart speaker or voice command component service (excluding motor vehicle systems); OR (iii) operate an app store or digital distribution platform that offers at least 250,000 different software apps for consumers to download and install.

Notable differences in scope from previous state privacy laws

Of the regulations listed above, Utah’s scope of business coverage is the most similar to existing state privacy laws in that it contains both revenue and data processing thresholds and applies to entities either doing business in the State of Utah or targeting Utah residents. The OCPA and TDPS take a broader approach to prescriptive jurisdiction with the OCPA applying to entities doing business in Oregon or who “provide” products or services to Oregon residents (as opposed to targeting them) and the TDPS applying to entities whose products or services are “consumed” by Texans in addition to those doing business in Texas. The TDPS veers further from the norm showing up to the party without a data processing threshold, while Oregon and Montana exclude “data controlled or processed solely for the purpose of completing a payment transaction” from their data processing thresholds. Additionally, the TDPS, the OCPA, and the MTCDPA break with their predecessors by eschewing revenue thresholds (though the TDPS does exempt entities that qualify as small businesses as defined by the U.S. Small Business Administration). 

Like the TDPS, FDBR also has no data processing threshold, but it raises the revenue threshold bar to one billion USD, blowing existing thresholds out of the water. In fact the scope of the FDBR’s comprehensive privacy protections is primarily tailored to apply to very large tech and social media companies. However, the FDBR contains child safety provisions called the “Protection of Children in Online Spaces” which are more broadly applicable, covering online platforms that provide online services, games or other features likely to be predominantly accessed by children. Notably, the FDBR defines a child as anyone under the age of 18. Its Protection of Children in Online Spaces provisions are more akin to those of the California Age-Appropriate Design Code Act and the other state laws specifically addressing the safety of children online. We’ll be bringing you more information about these later.

Notable coverage exemptions at entity level and data level

Most comprehensive state privacy laws exempt government agencies, non-profits and entities already subject to certain federal privacy laws such as HIPAA and the GLBA at the entity level. At the data level, most state privacy laws exempt employment-related data, B2B data and data regulated by HIPAA, the GLBA, the Fair Credit Reporting Act and the Driver’s Privacy Protection Act. At the entity level, Utah, Montana, Florida and Texas also exempt institutions of higher education. Texas additionally excludes electrical utilities companies and Montana exempts registered national securities associations. At the data level, Oregon also exempts deidentified data and data that is widely available to the public. Utah excludes DPPA and GLBA-regulated data only if the covered entity is GLBA and/or DPPA compliant. Additionally, Oregon notably exempts only nonprofits that are established to detect and prevent insurance fraud and the non-commercial activity of non-profits that provide programming to radio and television networks. Moreover, rather than having an entity level exemption that excludes entities subject to certain enumerated federal privacy laws, Oregon only provides a data level exemption, excluding data collected and processed under HIPAA, the GLBA, the FCRA, FERPA and the DPPA. 

Consumer rights

In the US, the most common consumer rights provided by the comprehensive state privacy laws currently in force are the right to access data, the right to data portability, the right to delete data, the right to correct data and the right to opt out of sales of data and other types of data processing such as profiling and targeted advertising.

Utah

The UCPA provides consumers with the following rights:

  1. The right to access.
  2. The right to a portable copy of data.
  3. The right to deletion.
  4. The right to opt out of targeted ads.
  5. The right to opt out of sales.

Notable deviations from other privacy laws:

Utah does not provide consumers with a right to correct their data, nor do Utah consumers have a right to opt out of profiling or a right to appeal a business’ decision not to provide information in response to a consumer request. Utah consumers’ rights to deletion and to a copy of their personal data are limited to the information that the consumer has provided to the covered entity. Additionally, Utah’s definition of sales as it relates to consumer personal data is narrower than most other privacy laws, being limited to monetary consideration. Finally, Utah does not permit authorized agents to make requests on behalf of consumers.

Montana

The MTCDPA provides the following consumer rights:

  1. The right to access (provided that the covered entity may withhold personal information where necessary to protect a trade secret).
  2. The right to a portable copy of data.
  3. The right to deletion of all personal information a covered entity has about the consumer (including information received from a third party).
  4. The right to correct personal data inaccuracies.
  5. The right to appeal a covered entity’s response.
  6. The right to opt out of targeted ads.
  7. The right to opt out of sales (where “sales” means monetary consideration and other valuable consideration).
  8. The right to opt out of profiling based on automated decision-making that produces legal or similarly significant effects.

Notable deviations from other privacy laws:

Montana permits covered entities to withhold consumer personal data where necessary to protect a trade secret. 

Texas

The TDPS provides consumers with:

  1. The right to confirm whether a controller is processing their data and the right to access that data (both consumer-provided data and data otherwise obtained).
  2. The right to correct inaccuracies.
  3. The right to deletion of all personal data held by the covered entity about the consumer.
  4. The right to obtain a portable copy of data (consumer-provided data only).
  5. The right to appeal a controller’s refusal to take action on a consumer request.
  6. The right to opt out of targeted ads.
  7. The right to opt out of sales of personal data (sale means monetary or other valuable consideration).
  8. The right to opt out of profiling.

Notable deviations from other privacy laws:

Texas’ right of portability covers only consumer-provided information.

Oregon

The OCPA provides consumers with:

  1. The right to confirm whether a covered entity has processed their information, to receive a list of the categories of personal information being processed and, at the covered entity’s option, a list of the specific third parties with whom it has shared the consumer’s personal data (provided that the covered entity may withhold personal information where necessary to protect a trade secret).
  2. The right to correct inaccuracies in the consumer’s personal data.
  3. The right to delete data (includes consumer-provided data, data provided by third parties and derived data, though derived data is not defined).
  4. The right to appeal a covered entity’s response.
  5. The right to opt out of targeted ads.
  6. The right to opt out of sales of personal data (sale means monetary or other valuable consideration).
  7. The right to opt out of profiling.

Notable deviations from other privacy laws:

Oregon’s rights to confirmation and access differ slightly from the norm, with consumers having the right to confirmation of the list of categories of personal data being processed. Covered entities have the option of whether to disclose a list of the specific third parties with whom they have shared the consumer’s personal data. Oregon also permits covered entities to withhold access to personal information where necessary to protect a trade secret. Finally, Oregon’s right of deletion includes consumer-provided data, data provided by third parties and derived data. However, the OCPA does not define “derived data.”

Florida

The FDBR provides consumers:

  1. The right to confirm whether a controller is processing their data and the right to access that data (both consumer-provided data and data otherwise obtained).
  2. The right to correct inaccuracies.
  3. The right to deletion of personal data held by the covered entity about the consumer (whether provided by consumer or otherwise obtained).
  4. The right to obtain a portable copy of all data (consumer provided data only).
  5. The right to appeal a covered entity’s response.
  6. The right to opt out of targeted ads.
  7. The right to opt out of sales of personal data (sale means monetary or other valuable consideration).
  8. The right to opt out of profiling.
  9. The right to opt out of collection of sensitive personal information including precise geolocation.
  10. The right to opt out of collection of personal information via voice or facial recognition features.

Notable deviations from other privacy laws:

The FDBR adds a new opt-out right to the mix, requiring covered entities to provide consumers with the ability to opt out of the collection of personal information via voice or facial recognition features.

Business obligations

Notice/Transparency

All of these laws require covered businesses to have privacy notices informing consumers of their practices related to the processing of consumer personal data, including (i) the categories of personal data to be processed, including any sensitive data, (ii) the purpose of the processing, (iii) how consumers may exercise their rights and appeal refusals, (iv) the categories of data shared with third parties, (v) the categories of third parties with whom data is shared and (vi) at least two methods for consumers to make requests.

The OCPA requires that a covered entity’s privacy notice include all other business names under which it is registered with the Secretary of State and any assumed business names that it uses in the State of Oregon.

The TDPS and the FDBR additionally require special notices for covered entities that sell sensitive data (“Notice: We may sell your sensitive data”) or biometric data (“Notice: We may sell your biometric data”). Notably, apart from the consumer’s right to opt out of the sale of all personal information and the requirement that consumers opt in before sensitive information is collected, these laws do not require covered entities to obtain a separate consumer opt-in prior to the sale of sensitive or biometric data.

Opt-in defaults

  • Montana requires consent prior to the collection of sensitive information (including child personal data) and prior to targeted advertising to consumers between 13 and 15 years of age.
  • Utah does not require opt-ins prior to the processing of sensitive information by default. Instead, the UCPA requires that covered entities provide notice of the collection of sensitive information and a means for consumers to opt out.
  • Texas requires consumer opt-in prior to the collection of sensitive information (the personal data of children under the age of 13 is included in the definition of sensitive information).
  • Oregon requires opt-ins prior to the collection of sensitive information and the personal data of children between the ages of 13 and 15.
  • Florida requires opt-ins prior to the collection of sensitive information and the personal data of children, where a child is anyone under the age of 18.

Risk assessments

The UCPA is the only law out of this bunch that doesn’t require any manner of risk assessment related to the processing of personal data.

Prohibitions on discrimination

All of these laws prohibit covered entities from discriminating against consumers for exercising their rights. Texas and Oregon take the additional step of prohibiting covered entities from processing personal information in violation of state or federal laws prohibiting unlawful discrimination.

Purpose processing limitations

Texas limits the permissible processing of data to data that is relevant and reasonably necessary for the stated purpose. Oregon and Montana add the term “adequate” in their processing limitation language. 

Utah does not include specific purpose processing limitations. Florida additionally prohibits the use of certain technologies for surveillance when the features aren’t activated by the consumer, including voice recognition, facial recognition, video recording, audio recording and any other electronic, visual, thermal or olfactory features.

Security

In Texas, Florida and Montana, covered entities must implement and maintain reasonable administrative, technical and physical safeguards for protecting the confidentiality and integrity of personal data that are appropriate to the volume and nature of the personal data at issue. Utah and Oregon additionally require that covered entities reasonably reduce the foreseeable risk of harm to consumers in an appropriate way considering the covered entities’ business size, scope, type and the volume and nature of the personal data. 

Definitional anomalies

Personal data 

The definitions of personal data in the Florida and Texas statutes include “pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”

Sensitive information

In Florida, Montana and Texas sensitive information includes the data of a known child.

The FDBR defines a child as anyone under the age of 18, while under the TDPS a “known child” is a child under the age of 13 whose age the covered entity has actual knowledge of or willfully disregards.

The UCPA excludes information about a consumer’s race where the information is processed by a video communications company from the scope of sensitive information and the OCPA includes status as victim of a crime, or transgender or nonbinary status.

Consent

Montana prohibits dark patterns when obtaining consent, while in Texas and Florida the following do not constitute consent: (i) acceptance of general terms of use or similar documents containing other information unrelated to privacy, (ii) hovering over, muting, pausing or closing a given piece of content and (iii) any consent obtained via dark patterns.

Processor agreements

All of these laws require service providers who process consumer personal information on behalf of a covered entity to have written contractual agreements with terms that are standard to other state privacy laws currently in force.

Enforcement

All of the comprehensive state privacy laws going into effect in 2024 (and Utah’s late 2023 law) are to be enforced by the Attorney General of the relevant state. None of these laws provides a private right of action. 

Cure periods 

Montana provides covered entities with a generous but temporary cure period of 60 days, which sunsets on April 1, 2026, after which the Montana Attorney General will be permitted to bring enforcement actions without notice even where violations have been corrected. Texas, Utah and Oregon all allow a 30-day cure period for violations, with the Texas and Utah cure periods having no sunset and Oregon’s cure period sunsetting on January 1, 2026. Florida provides a 45-day cure period which is at the discretion of the Florida Attorney General.

Penalties

As penalties go, Montana is on one end of the spectrum having no stipulated penalties and Florida is on the other end with penalties of up to $50,000 USD per violation which may be tripled under certain circumstances such as willful disregard of a consumer’s age. Texas, Utah and Oregon all land in the middle, providing for penalties per violation of up to $7,500 USD. 

Looking forward to 2025

In January of 2025, the provisions of the MTCDPA and TDPS requiring recognition of universal opt-out mechanisms like Global Privacy Control will go into effect (the similar provision of the OCPA will become effective in January 2026). Also entering into force in 2025 are the comprehensive state privacy laws of Iowa (the Iowa Consumer Data Protection Act or ICDPA), Delaware (the Delaware Personal Data Privacy Act or DPDPA) and Tennessee (the Tennessee Information Protection Act or TIPA), with Indiana (the Indiana Consumer Data Protection Act or INCDPA) following on January 1, 2026. States could also propose and pass additional new laws this year.
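The universal opt-out signal referred to here and in the 2024 section (California from July 1, 2024; Montana and Texas from January 2025; Oregon from January 2026) has a concrete wire format: a browser with Global Privacy Control turned on sends the HTTP request header Sec-GPC: 1 on every request and exposes navigator.globalPrivacyControl === true to page scripts. Because the header carries the Sec- prefix, page scripts cannot set or forge it; only the user agent does. The following is an added example, not code from the article or from any state regulator, showing how a site can honour the signal server-side. The shape of the headers object (lower-cased keys, as in Node’s http.IncomingMessage), the stored-preference object and the sample requests are assumptions made for illustration; the /.well-known/gpc.json document follows the GPC draft specification.

```javascript
// Added example: server-side recognition of the Global Privacy Control (GPC)
// universal opt-out signal. Not from the article or any regulator.
//
// Assumptions (hypothetical, for illustration): request headers arrive as a
// plain object with lower-cased keys, and the site keeps a per-user stored
// preference object of the form { sale: bool, targetedAds: bool }.

// True when the user agent sent "Sec-GPC: 1". Repeated headers may arrive as
// an array; any value of "1" counts. Any other value (or no header) is "no
// signal", which is NOT the same as consent.
function gpcSignalPresent(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  const values = Array.isArray(raw) ? raw : [raw];
  return values.some((v) => String(v).trim() === '1');
}

// Effective opt-out decision for one request. A GPC signal is treated as an
// opt-out of both sale and targeted advertising and overrides a previously
// stored opt-in. Without a signal, fall back to whatever the user chose earlier.
function resolveOptOut(headers, storedPreference) {
  const signal = gpcSignalPresent(headers);
  const stored = storedPreference || { sale: false, targetedAds: false };
  return {
    gpc: signal,
    optOutOfSale: signal || stored.sale === true,
    optOutOfTargetedAds: signal || stored.targetedAds === true,
  };
}

// Body for the /.well-known/gpc.json resource described in the GPC draft
// spec, which lets user agents and auditors confirm the site honours GPC.
// lastUpdate is an ISO-8601 date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate }, null, 2);
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { name: 'browser-with-gpc', headers: { 'sec-gpc': '1', 'user-agent': 'Mozilla/5.0' } },
  { name: 'no-signal', headers: { 'user-agent': 'Mozilla/5.0' } },
  { name: 'not-opted-out', headers: { 'sec-gpc': '0', 'user-agent': 'Mozilla/5.0' } },
];

// Runs every sample request against one hypothetical stored preference
// (the user previously opted out of sale but not of targeted ads).
function demo() {
  const stored = { sale: true, targetedAds: false };
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...resolveOptOut(r.headers, stored) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
  console.log(gpcWellKnown('2024-07-01'));
}
```

Two points matter in practice: the absence of the header must not be read as consent (the stored preference still governs), and a stored opt-in must not silently override a live GPC signal. The same decision can be mirrored client-side by checking navigator.globalPrivacyControl before loading ad or analytics tags.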

Michele Robichaux

Michele is an attorney at Odin Law and Media. Her transactional law experience has led her to specialize in the legal issues that affect creators of all kinds. With an extensive background as a Big Law associate, In-house counsel for US and European social media and entertainment companies, and as legal and business advisor to clients in both the US and Europe, she brings not only skill and know-how but also diverse experience and perspective to her clients. She can be reached at michele at odin law dot com.
