The 6 Most Recent State Privacy Laws & What They Mean
With the prospect of a federal data privacy law still uncertain, states across the US are passing their own regulations. Many of these new state privacy laws contain somewhat similar language and requirements. However, each state’s legal guidelines differ enough to make a difference. Today, we’re looking at six recently passed privacy laws that promise to have a significant impact on the business world this year.
The Texas Data Privacy and Security Act (TDPSA)
On June 18, 2023, Texas became the second-largest state after California to enact a comprehensive data privacy law. Enforcement of the Texas Data Privacy and Security Act (TDPSA) begins on July 1, 2024.
The new state privacy law targets organizations and businesses that:
- Have clients in Texas
- Produce items or services “consumed” by Texans. (The term “consumed” is unique to the TDPSA, as most similar privacy laws explicitly apply to companies “targeting” residents.)
- Process and/or sell personal data
- Do not meet the US Small Business Administration’s definition of a small business
Businesses affected by this new law:
- May not collect personal data without disclosing the reason for collection to the consumer
- May not process data that could lead to illegal discrimination against a client
- May not process sensitive information without client consent
- May not process children’s data unless their practices align with COPPA
- Must respect customers’ rights to request a copy of their personal data, correct errors in their data, request deletion of data, and confirm if their data is being processed
- Must include additional, easy-to-see disclosures of data sale
- Must provide straightforward opt-out mechanisms
- Must resolve any violations within 30 days of being informed or pay $7500 for each violation
The Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA) was signed into law by Governor Tina Kotek in July 2023. The law takes full effect on July 1, 2024, the same day as the TDPSA. Non-profits are not exempt, but do have more time to prepare, with compliance kicking in for them on July 1, 2025.
The OCPA applies to:
- Businesses that conduct business in Oregon
- Provide products or services to Oregon residents, AND:
  - Control or process 100,000 or more consumers’ personal data in a year (excepting data used solely for a payment)
  - Control or process 25,000 or more consumers’ personal data and receive at least 25% of annual revenue from the sale of personal data
Businesses subject to certain data privacy laws, most notably HIPAA or the GLBA, are often exempt from laws like this. However, the OCPA is an exception. Under Oregon’s law, the data covered under HIPAA and the GLBA is exempt, but any other data the businesses in question may process is not.
Organizations subject to this new state privacy law must:
- Provide an easily accessible, easily understandable privacy notice that goes over the company’s data processing practices in detail
- Conduct data protection assessments for any processing activity that could present a greater risk to consumers. Examples include processing sensitive data or data processing for targeted ads.
- Establish and sustain safeguards of personal data
- Allow for a consumer to revoke consent easily (the law requires that the process be “at least as easy as the means by which the consumer or authorized agent provided consent”)
- Receive consent to process the sensitive data of children
- Receive consent to process consumers’ sensitive data. The OCPA’s definition of sensitive data extends beyond similar laws to include:
  - Ethnicity
  - Country of origin
  - Sexual orientation
  - Sexual identity (if transgender or nonbinary)
  - Religious beliefs
  - Medical diagnoses (mental or physical)
  - Citizenship or immigration status
  - Genetic or biometric information
  - Status as a victim of a crime
  - Any information that pinpoints someone’s past or present location within 1750 feet
- Resolve violations within 30 days (at the discretion of the attorney general) or pay $7500 per violation. The 30-day grace period sunsets on January 1, 2026.
The Tennessee Information Protection Act (TIPA)
The Tennessee Information Protection Act (TIPA) was signed into law in May 2023 and takes full effect on July 1, 2025.
TIPA applies to businesses that:
- Control or process the personal information of 175,000 or more consumers in a year
- Control or process the personal information of 25,000 consumers in a year and depend on the sale of personal data for 50% or more of their annual revenue
Exceptions include state agencies, financial institutions, insurance companies, non-profits, higher education centers, and entities subject to HIPAA or the GLBA. The law’s definition of personal data also specifically excludes de-identified information.
Organizations subject to the new state privacy law must:
- Respect customers’ rights to delete their personal data, correct errors, request copies of their data, confirm how the data is being processed, and opt out of data processing
- Practice data minimization
- Process sensitive data only with consent
- Enact security practices at every level
- Avoid processing information that could lead to discrimination
- Conduct data protection assessments for certain potentially risky marketing activities, such as processing data for targeted advertisements
- Provide a clear, easily accessible privacy notice to customers
New Hampshire: SB255
New Hampshire’s SB255 was signed into law on March 6, 2024, and will take full effect on January 1, 2025.
Businesses subject to the new law include:
- Companies with customers in New Hampshire
- Companies producing products or services targeted to New Hampshire residents
- Companies that control or process more than 35,000 people’s personal data
- Companies that control or process more than 10,000 people’s personal data and earn more than 25% of their annual revenue from data sales
Under the new requirements, businesses subject to the new state privacy law must:
- Provide a clear and easily accessible privacy notice that explains the company’s data collection and processing practices in detail, and includes an active email address for contact
- Conduct data protection assessments for potentially risky data processing, such as processing for targeted marketing
- Respect customers’ rights to request access to their personal data, correct errors, request data deletion, confirm how their data is being processed, and opt out if desired
- Correct any violations within 60 days. This grace period expires on December 31, 2025.
New Jersey: SB332
New Jersey’s SB332 was signed into law by Governor Philip Murphy on January 16, 2024, and will take full effect exactly one year later.
Businesses covered by the new state privacy law include:
- Companies that control or process 100,000 people’s personal data (excluding data used for payments)
- Companies that control or process at least 25,000 people’s personal data and receive payment, either in revenue or in discounts on goods and services, from selling personal data
Organizations subject to the law must:
- Provide a clear and easily accessible privacy notice that explains their data collection and processing practices in detail, and includes an active email address or other online contact method for questions
- Respect consumers’ rights to access, correct, delete, or transfer their personal data, as well as opt out of data processing
- Conduct data protection assessments for data processing that presents a “heightened risk”, such as processing for targeted advertisements
- Resolve any violations within 30 days
The Kentucky Consumer Privacy Act (KCPA)
The Kentucky Consumer Privacy Act (KCPA) became law on April 4, 2024, and will take full effect on January 1, 2026.
Companies subject to the new state privacy law include:
- Businesses that control or process at least 100,000 people’s personal data in a year
- Businesses that control or process at least 25,000 people’s personal data in a year and receive more than 50% of their annual revenue from data sales
Exceptions include city or state agencies, higher education centers, organizations subject to HIPAA or the GLBA, non-profits, and financial institutions.
Under the KCPA, businesses must:
- Respect consumers’ rights to access, correct, delete, or transfer their personal data, as well as opt out of data processing
- Obtain consent before data processing
- Process sensitive data on an opt-in basis only
- Provide a clear and easily accessible privacy notice that explains the company’s data collection and processing practices in detail
- Conduct data privacy assessments for specific activities, including but not limited to:
  - Targeted advertising
  - Selling personal data
  - Processing sensitive data
  - Processing for profiling, where the profiling could lead to discrimination, injury to the customer, or intrusions upon their private lives
Varying Privacy Laws
As more and more states put forth their own privacy laws, keeping up with all the new requirements is more important than ever. The last thing any business wants is to pay a fine because they missed one law’s grace period while keeping track of all the others. And with 4Comply, staying compliant has never been easier. Track data privacy requirements, grace periods, and marketing activity all in one convenient place.
To schedule a demo, contact our team today.