In today's world of online privacy rights, it’s important to keep up with the latest regulations. Looking to the year ahead we see three new requirements slated for the US. These are for Oregon, Texas and Montana. Businesses operating in Oregon, Texas and Montana should be aware of these regulations and ensure compliance. Crownpeak is working to ensure we provide a platform that allows our customers to meet the legal requirements for each of these new laws.
Oregon – July 2024
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA), taking effect on July 1, 2024, grants Oregon residents several key rights regarding their personal data collected by businesses. Here's a summary:
Who is covered?
• Businesses that meet one of these criteria:
o Do business in Oregon.
o Produce products or services targeted at Oregon residents.
o Have over $25 million in gross revenue annually and collect personal data from at least 25,000 Oregon residents (or derive over 50% of their revenue from selling personal data).
Consumer rights under the OCPA:
• Right to access: Request confirmation if your data is processed and obtain details about what data is collected and used.
• Right to correction: Request inaccuracies in your data be corrected.
• Right to deletion: Request deletion of your data under certain circumstances.
• Right to opt-out: Opt-out of the sale of your data, targeted advertising, and profiling used for significant automated decisions.
• Right to portability: Receive a copy of your data in a readily usable format.
Key obligations for businesses:
• Implement reasonable security measures to protect personal data.
• Respond to consumer requests within certain timeframes.
• Provide clear and conspicuous privacy notices.
• Not discriminate against consumers for exercising their rights.
Enforcement:
• The Oregon Attorney General has enforcement authority.
• There is no private right of action for individual consumers to directly sue businesses for violations.
Resources:
• Official text of the OCPA: https://www.whitecase.com/insight-alert/oregon-passes-comprehensive-data-privacy-law
• Oregon Attorney General's OCPA website: https://www.justice.gov/d9/2022-11/usms_pia_vrs_2022_final.pdf
It's important to note that this is just a summary and Crownpeak bears no responsibility for any inaccurate information. Businesses subject to the OCPA should carefully review the full text of the law and consult with legal counsel to ensure compliance.
Texas – July 2024
The Texas Data Privacy and Security Act (TDPSA), set to take effect on July 1, 2024, establishes data privacy rights for Texas residents and imposes obligations on businesses that collect their personal data. Here's a summary:
Who is covered?
• Businesses that:
o Conduct business in Texas.
o Conduct business through electronic means with Texas residents.
o Collect personal data from 50,000 or more Texas residents annually.
o Derive over 50% of their gross revenue from the sale of personal data and collect personal data from at least 25,000 Texas residents.
Consumer rights under the TDPSA:
• Right to access: Confirm whether your data is processed and access specific details about its collection and use.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to deletion: Request deletion of your data under certain circumstances.
• Right to opt-out: Opt-out of the sale of your data, targeted advertising, and profiling used for certain purposes.
• Right to portability: Receive a copy of your data in a readily usable format.
Key obligations for businesses:
• Implement reasonable security measures to protect personal data.
• Respond to consumer requests within certain timeframes.
• Provide clear and conspicuous privacy notices.
• Not discriminate against consumers for exercising their rights.
Enforcement:
• The Texas Attorney General has enforcement authority.
• Consumers cannot directly sue businesses for violations.
Similarities to other state laws:
• Shares similarities with the Virginia Consumer Data Protection Act (VCDPA).
• Borrows elements from the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Key differences from other state laws:
• Higher threshold for applicability based on data sale revenue.
• No private right of action for consumers.
• Requires data protection assessments for certain processing activities.
This is just a simplified overview. Businesses subject to the TDPSA should thoroughly review the full text of the law and consult with legal counsel to ensure compliance.
Additional resources:
• Official text of the TDPSA: https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm
It's important to note that this is just a summary and Crownpeak bears no responsibility for any inaccurate information. Businesses subject to the TDPSA should carefully review the full text of the law and consult with legal counsel to ensure compliance.
Montana – October 2024
The Montana Consumer Data Privacy Act (MTCDPA), set to take effect on October 24, 2024, grants Montana residents various rights regarding their personal data collected by businesses. Here's a summary:
Who is covered?
• Businesses that:
o Do business in Montana.
o Conduct business through electronic means with Montana residents.
o Collect personal data from 25,000 or more Montana residents annually.
Consumer rights under the MTCDPA:
• Right to access: Confirm whether your data is processed and access specific details about its collection and use.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to deletion: Request deletion of your data under certain circumstances.
• Right to opt-out: Opt-out of the sale of your data, targeted advertising, and profiling used for certain purposes.
• Right to portability: Receive a copy of your data in a readily usable format.
Key obligations for businesses:
• Implement reasonable security measures to protect personal data.
• Respond to consumer requests within certain timeframes.
• Provide clear and conspicuous privacy notices.
• Not discriminate against consumers for exercising their rights.
• Conduct data protection assessments for high-risk processing activities.
Enforcement:
• The Montana Attorney General has enforcement authority.
• Consumers cannot directly sue businesses for violations.
Unique features:
• First state privacy law to prohibit TikTok.
• Requires honoring global privacy controls (GPCs) implemented by users.
• Shorter compliance grace period compared to other state laws.
Similarities to other state laws:
• Shares similarities with the Connecticut Data Privacy Act (CTDPA) in terms of its provisions and requirements.
• Borrows elements from other state laws like CCPA and CPRA.
This is just a simplified overview and Crownpeak bears no responsibility for any inaccurate information. Businesses subject to the MTCDPA should thoroughly review the full text of the law and consult with legal counsel to ensure compliance.
Additional resources:
• Official text of the MTCDPA: https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf: https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf
Overview Comparison
Feature
|
Oregon Consumer Privacy Act (OCPA)
|
Texas Data Privacy and Security Act (TDPSA)
|
Montana Consumer Data Privacy Act (MTCDPA)
|
Effective Date
|
July 1, 2024
|
July 1, 2024 (except global opt-out provisions on Jan 1, 2025)
|
October 1, 2024
|
Applicability Threshold
|
100,000 residents OR 25,000 residents and 25% revenue from data sale
|
50,000 residents OR 25,000 residents and 50% revenue from data sale
|
25,000 residents
|
Consumer Rights
|
Access, correction, deletion, opt-out (sale, advertising, profiling), portability
|
Access, correction, deletion, opt-out (sale, advertising, profiling), portability
|
Access, correction, deletion, opt-out (sale, advertising, profiling), portability
|
Enforcement
|
Attorney General only
|
Attorney General only
|
Attorney General only
|
Key Differences
|
Lower applicability threshold, no private right of action, right to request third-party recipient list, unique right to privacy notice for profiling
|
Higher applicability threshold based on data sale revenue, no private right of action, requires data protection assessments for certain activities
|
Requires honoring global privacy controls (GPCs), shorter compliance grace period. No private right of action.
|
Overall Tone
|
More consumer-oriented with broader rights but limited enforcement options
|
More business-friendly with higher applicability threshold and limited enforcement options
|
More consumer-protective than TDPSA, unique provisions like GPC requirement
|