LawFlash

State Consumer Privacy Law Update: New Privacy Laws in Texas, Oregon, and Montana Take Effect in 2024

March 27, 2024

Beginning July 1, 2024, Texas and Oregon will join the growing list of states with active consumer privacy laws, with Montana joining them on October 1. The new laws are similar to existing state data privacy laws in that they grant protections for consumers and impose requirements on companies collecting consumer personal data. While companies whose privacy programs already comply with existing data privacy laws will not have to make significant changes, companies considering data privacy laws for the first time will need to update their privacy policies and develop and implement new processes before July 1 to comply.

WHICH BUSINESSES ARE IMPACTED?

At their base, these laws apply to companies that collect and use the personal data of traditional consumers (e.g., individuals who purchase products or services from a company), but each law has a distinct threshold of applicability.

The Texas Data Privacy and Security Act (TDPSA) applies to anyone who (1) conducts business in Texas or produces products or services consumed by Texans and (2) engages in the processing or sale of personal data. [1] Importantly, the TDPSA differs from many other data privacy laws because companies outside the state can be subject to the law even if they do not target Texas consumers, and there is no minimum number of Texas residents whose data is processed before a business is subject to the requirements of the law.

The TDPSA does not apply to everyone that processes consumer data, however. Small businesses are exempt unless they sell sensitive data (in which case they must obtain prior consumer consent), [2] and electric utilities, retail electric providers, institutions of higher education, nonprofits, and institutions subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA) are likewise exempt. [3]

The Oregon Consumer Privacy Act (OCPA) applies to any company that conducts business in Oregon or produces products or services targeted to Oregon residents and, during a calendar year, controls or processes the personal data of at least 100,000 Oregon residents or controls or processes the personal data of at least 25,000 Oregon residents while deriving more than 25% of its gross revenue from the sale of personal data. [4] It does not apply to information subject to HIPAA or the GLBA or to personal data processed solely for the purpose of completing a payment transaction. [5]

The Montana Consumer Data Privacy Act (MCDPA) applies to anyone that conducts business in Montana or produces products or services targeted to Montana and either controls or processes the personal data of at least 50,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) or controls or processes the personal data of at least 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data. [6] However, similar to the TDPSA, it does not apply to institutions subject to HIPAA and the GLBA. [7]

WHAT ARE COMPANIES REQUIRED TO DO?

Under the new laws, companies are required to

  • obtain consent from consumers before processing their sensitive data [8];
  • limit personal data collection to what is reasonably necessary to the purposes for processing that data;
  • provide consumers with a clear privacy notice, including the categories of personal data to be processed, the purpose of processing personal data, how consumers may exercise their rights, categories of data shared with third parties, and categories of third parties with whom the company shares data;
  • include contact information for consumers to submit requests regarding their personal data;
  • implement reasonable administrative, technical, and physical safeguards for protecting personal data;
  • conduct data protection assessments for certain processing activities, including targeted advertising, sale of personal data, processing of sensitive data, and any processing that might present a heightened risk of harm to consumers; and
  • enter into agreements with any third parties processing personal data on their behalf. [9]

Additionally, the TDPSA requires that companies include a separate notice stating that they may sell sensitive data, whereas the OCPA and MCDPA simply require that companies include such disclosures in their privacy policies. [10] The TDPSA and MCDPA also prohibit companies from using dark patterns, which are user interfaces crafted to deceive consumers and subvert user autonomy. [11]

WHAT RIGHTS DO CONSUMERS HAVE?

The new laws also grant several rights to consumers in these states, specifically the right to access and request a copy of the personal data the company has about them; the right to correct inaccuracies in their personal data; the right to request deletion of their personal data, subject to certain limitations; and the right to opt out of targeted advertising or the sale of their personal data. [12]

WHAT DOES THIS MEAN FOR YOUR BUSINESS?

The new Texas, Oregon, and Montana consumer privacy laws are “Virginia-Style” laws in that they are similar in nature and scope to the consumer privacy law currently in effect in Virginia (as well as Colorado and Connecticut). As such, for companies already in compliance with these existing laws, complying with the new laws will be straightforward. These businesses will need to accept data privacy requests from consumers residing in those states and update their process for managing privacy requests to include them.

On the other hand, companies dealing with these data privacy laws for the first time will need to create new policies and processes to ensure compliance, which will take time and could entail significant work. Businesses can start by focusing on satisfying the fundamental requirements that these data privacy laws share in common. For example, given that the collection of personal data must be limited to what is necessary to achieve the purpose for which it was collected, companies should consider what data they actually need to collect and then develop a data retention policy with a clear data retention period to ensure personal data is not retained longer than needed.

Businesses must prepare and post a conspicuous privacy policy that explains to consumers what personal data is collected, how it is used, with whom it is shared, and how they can exercise their privacy rights. Businesses will then need to devise clear and reliable processes for receiving and responding to the consumer privacy requests. Businesses that are collecting sensitive personal data must ensure that they are obtaining consent prior to collecting such data and that they have completed a data protection assessment addressing the uses of the data.

Additionally, even where sensitive data is not implicated, a data protection assessment will still be required for many other types of processing, such as for targeted advertising. Lastly, companies should make sure that they have a formal agreement with entities processing personal data on their behalf that sets forth clear instructions for the processing and protection of personal data.

HOW WE CAN HELP

Morgan Lewis has an extensive background advising clients on compliance with all aspects of consumer data privacy laws. We routinely advise companies across many industries on these issues.

[1] Tex. Bus. & Com. Code § 541.002. 

[2] Id. § 541.107.

[3] Id. § 541.002.

[4] ORS 180.095 § 2.

[5] Id.

[6] MCDPA § 30-14-2803.

[7] Id. § 30-14-2804.

[8] The laws define “sensitive data” to include racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data. Tex. Bus. & Com. Code § 541.001; ORS 180.095 § 1. The OCPA also includes status as transgender or non-binary and status as a victim of a crime within its definition of “sensitive data.” ORS 180.095 § 1.

[9] Tex. Bus. & Com. Code §§ 541.101-102, 541.104-105; ORS 180.095 §§ 5, 6, 8, and 12; MCDPA §§ 30-14-2812–2814.  

[10] Tex. Bus. & Com. Code § 541.102; ORS 180.095 § 12; MCDPA § 30-14-2812.  

[11] Tex. Bus. & Com. Code § 541.001; MCDPA § 30-14-2802.  

[12] Tex. Bus. & Com. Code § 541.051; ORS 180.095 § 3; MCDPA § 30-14-2808.