In May and June, three new states enacted comprehensive consumer data privacy laws. On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act into law; the act takes effect on October 1, 2024. On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act into law, with most of its provisions taking effect on July 1, 2024. And on July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act into law; it will take effect on July 1, 2024. These are the newest states to enact comprehensive data privacy laws, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, and Tennessee.
The Montana, Oregon, and Texas privacy laws generally impose similar obligations to those provided for under the comprehensive privacy laws that other states have passed. However, there are key distinctions in these laws that can have a large impact on a business’s data processing. Accordingly, potentially covered businesses should carefully evaluate the law’s applicability, disclosure obligations, specific requirements related to opt-out rights, and data protection assessment requirements.
The Montana Privacy Act generally applies to entities that both:
- conduct business in Montana or produce products or services that are targeted to the residents of Montana; and
- control or process the personal data of:
- at least 50,000 consumers; or
- at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
The Oregon Consumer Privacy Act applies to any person that conducts business in Oregon or provides products or services to Oregon residents that in a calendar year:
- controls or processes data of 100,000 or more consumers (except to the extent such data is processed solely for the purpose of completing a payment transaction); or
- controls or processes data of 25,000 or more consumers, while deriving 25% or more of the person’s annual gross revenue from selling personal data.
Unlike the revenue and data volume thresholds in the Montana and Oregon laws, the Texas Data Privacy and Security Act has a small business exclusion. The Texas Data Privacy and Security Act generally applies to persons that conduct business in Texas or produce products or services consumed by residents of Texas and excludes small businesses as defined by the U.S. Small Business Administration (which applies to businesses with fewer than 500 employees). Further, while the Texas Data Privacy and Security Act does not apply broadly to small businesses, it does include a provision prohibiting small businesses from engaging in the sale of sensitive data without receiving prior consent from the consumer. All three new consumer data privacy laws include a number of exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act.
The Texas and Montana privacy laws impose separate responsibilities on controllers and processors. Both acts define a controller as an individual or legal entity that, “alone or jointly with others, determines the purpose and means of processing personal data.” A processor “processes personal data on behalf of a controller.” Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination. A processor must adhere to the instructions of a controller and assist the controller in meeting its obligations, including obligations related to data security and breach notification, as well as providing necessary information to enable the controller to conduct and document data protection assessments.
Both the Montana and Texas privacy laws subject controllers to purpose specification and limitation requirements, data security requirements, disclosure requirements, nondiscrimination requirements, data protection assessment requirements, and opt-in consent requirements for sensitive data.
All three consumer data privacy laws provide consumers with a number of rights related to their personal data. Consumers, by submitting a request to the controller, have the right to know whether the controller is processing the consumer’s personal data; the right to correct inaccuracies; the right to delete their personal data; the right to receive access to the data; and the right to opt out from a controller’s processing of personal data used for the sale of the data, targeted advertising, or certain profiling.
The Oregon Consumer Privacy Act contains heightened protections (i.e., a requirement that data may not be processed without a consumer’s affirmative “opt-in” consent) for “sensitive data.” This includes personal data revealing racial or ethnic background; national origin; religious beliefs; mental or physical condition or diagnosis; sexual orientation; gender identity; crime victim status; citizenship or immigration status; genetic or biometric data; and precise geolocation data. The Oregon Consumer Privacy Act also requires controllers to provide a comprehensive privacy notice that includes: the categories of data processed; purposes for processing data; how to exercise consumer rights; categories of data shared with third parties and categories of third parties receiving data; and contact information.
Notably, none of the three new consumer data privacy laws provide consumers with a private right of action. The attorney general in each state holds the exclusive authority to enforce the law. In Texas and Montana, the attorneys general must provide written notice that includes the specific provisions that have been violated and an opportunity to cure the violation. The attorney general must provide thirty days’ written notice in Texas and sixty days’ written notice in Montana. If the controller or processor fails to cure the violation within the time period, the attorney general may initiate an enforcement action. In Oregon and Texas, the attorneys general can seek civil penalties of up to $7,500 for each violation.