Your Guide to July 1, 2024 Data Privacy Compliance

Guides
James Grieco
Jun 26, 2024

Next week marks one of the biggest days in American data privacy history. July 1st, 2024 will see not one, not two, but three state laws enter into effect as well as key wrinkles in Colorado and California’s privacy landscapes. 

We’ve seen an explosion in regulation passed since the start of 2023, with the U.S. going from five states with comprehensive data privacy laws to 20 in just an 18-month span. Of course, while regulation passing certainly puts the business community on notice, none of it matters until the rubber hits the road and the prospect of any law being enforced is crystallized. 

Texas, Florida, and Oregon will all see their laws–Texas Data Protection & Security Act, the Florida Digital Bill of Rights, and the Oregon Consumer Privacy Act, respectively–become effective on July 1st, the first batch of post-2022 states to come into play. The trio brings data rights to over 58 million Americans, as well as new and complex challenges to privacy programs as the American regulatory patchwork migrates from theory to practice.

Texas is the headliner, as the second most populous state and a major market for a variety of industries, and Texans have set the stage well (and somewhat against expectations). Texas Attorney General Ken Paxton revealed last week that his office sent letters of notice to over 100 companies over their failure to register as data brokers in compliance with Texas’s new data broker and data privacy laws. 

Coming out of the gate hot is a good indicator that companies will need to take these laws seriously, given that the companies notified were well aware of the July 1, 2024 enforcement date. Too often organizations pay little mind to privacy laws–after all, historically data compliance has been an exercise in checking boxes–in the belief that they won’t impact the bottom line or simply aren’t serious regulation.

While that may be true for Florida’s DBR (sorry, Florida, but it’s true!), Oregon's and Texas’s laws have enough in there that show they aren’t messing around.

[Quick side note, since you will likely see confusion about how many states have comprehensive state laws if browsing the various channels of the greater data privacy+protection community: Florida’s DBR is not considered a comprehensive law by many since its enforcement only targets Big Tech through its +$1 billion revenue threshold.

For the sake of simplicity, and because it does grant Floridians data subject rights, we here at MineOS choose to count it, which makes 20 states with data privacy laws after Rhode Island’s bill just passed.]

Complying with TDPSA

The TDPSA will likely apply to more businesses since it takes a new approach to applicability thresholds:

  • Conduct business in Texas or offer a product or service consumed by Texas residents
  • Process or engage in the sale of personal data
  • Is not a small business as defined by the U.S. Small Business Administration *(500 employees or fewer, revenue under $30 million)*

These thresholds are broad, and even with the standard long list of exemptions, including entity-level ones for HIPAA- and GLBA-covered organizations in the health care and financial sectors, the market power Texas carries and these parameters mean the default assumption for a privacy program should be that it needs to comply.

Usual elements like 45-day data subject request handling timelines, data protection assessments, gaining opt-ins before processing sensitive data, and data processing agreements are required. 

A unique element of TDPSA is that although there is a 30-day cure period with no sunset, businesses must include evidence of compliance and correction of alleged violations when notified by the state AG. This runs counter to protocol in most states, which simply requires a response informing the AG that the correction has occurred.

Under TDPSA, organizations must acknowledge universal opt-out mechanisms by January 1, 2025, so they have an additional six months to comply there. Either way, with the size of Texas, expect more DSRs than ever, review privacy agreements to make sure they are clear and fair, and register as a data broker if you need to.

Complying with OCPA

The Oregon Consumer Privacy Act has more interesting wrinkles than either Texas’s or Florida’s law, for my money (and my money is not beaver skins, so I am unbiased). 

An important distinction here is that while data privacy and security are a bipartisan issue, with states on both sides of the aisle passing laws recently, the laws are often not created equal. Conservative states like Utah, Tennessee, and Florida tend to avoid passing laws and conditions that would be considered onerous to businesses, while more liberal Democrat-run states like Colorado, California, and Minnesota have been pushing the envelope to include stronger consumer protections and more compliance requirements for businesses.

This paints the picture broadly and of course there are some exceptions, but in the past year this distinction has gained traction as the most unique and demanding laws have all come from Blue states (Maryland, Delaware, New Jersey, Minnesota, etc.). 

Oregon, as a Blue state, helped start this trend with a few never before seen aspects of a data privacy law.

First off? Nonprofit organizations are not exempt from OCPA, meaning privacy programs across the country are going to be revving up as they now need to comply where they previously haven’t had to (although nonprofits get an extra year’s grace period, with their compliance date set for July 1, 2025). 

Secondly, OCPA handles sensitive data more progressively than any of the states before it. Beyond expanding the definition of what constitutes sensitive data, data protection impact assessment requirements are more demanding here. 

This primarily comes in the form of organizations needing to conduct DPIAs before processing sensitive data (which is not as strict as New Jersey’s law, which requires DPIAs to be done before any data processing begins, but is still a step up over the typical lax approach of conducting DPIAs on a general basis). Thirdly, Oregonians have a new data right to see which third parties a controller has shared a consumer’s data with.

This right, which states like Delaware and Minnesota have been quick to adopt, means businesses will need both more transparency with consumers on data sharing practices than ever before, as well as increased visibility into their own data stacks. If an organization does not know the precise types and amounts of data it is sending to third parties, July 1 is a major deadline, because this change should have significant reverberations on both how consumers approach data rights and how regulators approach enforcement.

The Other Parts of July 1 Compliance

Florida’s DBR might not mean your organization is at risk of getting targeted for enforcement (unless you, the reader, work for a FAANG company, in which case, hello and please fix your algorithms!), but as the state with the third biggest population in the country, the YoY increase in DSRs that is already happening is going to explode given the vast number of people in Florida and Texas alone.

Colorado’s CPA has two aspects coming online July 1, 2024.

  • Companies must now acknowledge universal opt-out mechanisms (which makes DSRs easier for consumers, and amplifies the business need for competent consent management and DSR handling solutions)
  • Companies must reacquire proper consent for any sensitive data collected before July 1, 2023 before further processing

California also has news on its data broker registry that began on January 1, 2024. This is year one of an expansion of who needs to register, and July 1 is the yearly deadline for registered organizations to report and disclose their metrics to both the California Privacy Protection Agency and the public.

The disclosed metrics must cover the organization’s responses to Data Subject Requests, including the number of deletion requests the data broker received, complied with, and denied, as well as the average number of days it took for the broker to fulfill requests. These metrics cover the previous year, so the stats you’ll see next week represent 2023.

California has already shown its willingness to bring the hammer down on noncompliance, so if your organization operates in the Golden State and doesn’t have those metrics ready and easily readable, you have a few days to get that together.

All in all, while seeing so many laws pass has been a sight to behold on this side of the Atlantic, how days like July 1, 2024 go will determine how far data privacy makes it into the national consciousness. Enforcement is here. Are you ready?

If you're nervous about your organization’s preparedness, come see how MineOS makes compliance and data governance seamless with a personalized demo.