Three New Privacy Laws Go Into Effect, Including Texas and Oregon

Privacy Legislation News for the Week of Jun 17, 2024

Below are summaries of 3 new privacy laws in the news this week.    The first two in Texas and Oregon are going into effect soon –  on July 1, 2024.  However, enforcement comes later.  See more below. 

The New York Safe for Kids act, was just enacted and the exact date it will go into effect is TBD. 

One of the key parts of this NY law is stopping addictive feeds and this applies mainly to social media sites. 

The second part of the New York law is the  New York Child Data Protection Act. This part is relevant for us as it calls for prohibiting online sites from collecting, using, sharing or selling personal data of anyone under the age of 18.  It’s not yet clear what is needed for compliance with the New York act,  because it involves getting and verifying the age of children.  We might consider adding another button or layer to our consent banner (CMP)  to “Confirm you are over 18” or other means to give sites a tool to comply with this law.  We need legal guidance on what controls are acceptable for compliance. 

The summaries below include text I have copied and or generated with AI.  These are all fairly complex regulations with work to determine how to comply. It really takes some time to understand and digest each of these.   I recommend that if we do any blog posting about these, we limit it to “How To Comply” in order to make it actionable for the reader.  In general, compliance for the Texas and Oregon acts includes giving the proper notice and consent to users, options to opt out, and request for data subject rights.  More work is need to decide how to comply with the new NY law.  

The Texas Data Privacy and Security Act (TDPSA)   

The Texas privacy act goes into effect on July 1, 2024 and gives residents a number of familiar rights, including the right to:  

  • Confirm whether a controller is processing personal data and access the personal data. 
  • Correct inaccuracies in their personal data. 
  • Delete personal data provided by or obtained about the consumer. 
  • Obtain a copy of their personal data, if available, in a portable and readily usable format. 
  • Opt out of processing personal data for targeted advertising, the sale of personal data, or its use for profiling.  

While the TDPSA takes effect July 1, 2024, businesses will have a slightly longer grace period to comply with the global opt-out technology provision, which takes effect Jan. 1, 2025. After this point, businesses will have to recognize universal opt-out signals, such as the Global Privacy Control.

TDPSA applies to entities that process or sell personal data, conduct business in Texas, or produce products or services consumed by Texas residents. Entities that are not considered small businesses by the U.S. Small Business Administration are also subject to the TDPSA. 

Here are some ways to comply with the TDPSA:

Privacy notice: Publish a clear and accessible privacy notice on your website that includes the following information:

  • Categories of personal data processed, including sensitive data
  • Purposes for processing personal data
  • Methods for consumers to exercise their rights
  • Categories of personal data shared with third parties
  • Categories of third parties that receive personal data
  • Methods for consumers to opt out of personal data processing or sale
  • Data processing agreements: Sign data processing agreements with third-party data processors that outline the rights and obligations of each party. The agreement should also require the data processor to impose the same obligations on any sub-processors.
  • Opt-out options: Add opt-out options to cookie consent banners and recognize global opt-out signals.
  • Data protection assessments: Conduct data protection assessments as needed
  • Consumer consent: Do not process sensitive data without the consumer’s opt-in consent
  • Personal data: Verify and access personal data processed by a controller, and remove any personal information that a customer has provided or that you have learned about them. If available, provide the consumer with a portable copy of their personal data. 

The TDPSA also includes a provision to protect consumers from discrimination and retaliation when they exercise their rights. If a Texas resident has a grievance, they can file a complaint with the Texas Attorney General’s office.

https://www.jdsupra.com/legalnews/the-texas-data-privacy-and-security-act-3184143

The Oregon Data Privacy Act

Oregon Senate Bill 619, passed and signed during the 2023 legislative session, gives Oregonians new rights to demand more information about how much of their personal data is being used by specific companies, and how those companies are using that data. Similar laws have been passed in several other states and the European Union, which is part of why it’s become much more common in recent years for websites to send cookie permission requests.

Under the Oregon law, consumers can ask a company to confirm if it’s collecting their data, request a list of categories of data being collected, request a list of third parties with whom the data has been shared, and receive a copy of their personal data. Companies will also be required to correct certain inaccuracies in the data or delete the data. 

The law also gives consumers the right to opt out of having their data used for targeted ads or profiling, or being sold, although that provision won’t take effect until Jan. 1, 2026.

Companies will be required to give privacy notices that specify what data is being collected, how it may be used and who it may be shared with, and how consumers can exercise their rights. Companies have to make it so consumers can revoke consent for their data use just as easily as they can give consent.

Aside from the opt-out provision, the rest of the law takes effect July 1 of this year, although nonprofits are exempted for another year. Once the law goes into effect, the Oregon Attorney General can investigate and fine violators for up to $7,500.

A more complete description is available here:  

Florida Digital Bill of Rights Act

We’re including this law in our list because it will likely protect a wide range of consumers, however, the number of actual companies that the law applies to is quite limited in scope. The Florida Digital Bill of Rights (FDBR), set to take effect on July 1, 2024, is a data privacy law that brings changes to how personal data is handled in the Sunshine State. Enacted as Senate Bill 262, this legislation zeroes in on major tech players—those with over $1 billion in global revenues—that do business in Florida. Whether these companies earn significant revenue from online ads, operate consumer smart speakers, or run large app stores, they’re now under the microscope.

What makes the FDBR stand out is its robust protection of consumer rights. Floridians can now opt out of data sharing for targeted ads, and they gain the power to access, correct, and delete their personal data. For companies, this means new obligations: they must implement clear data retention schedules and be transparent about their practices, especially when it comes to selling sensitive or biometric data.

The law’s scope is broad, addressing key issues like online child protection and government use of social media. It sets out strict guidelines for how personal data should be processed, with special provisions for safeguarding children under 18. Additionally, it prohibits government employees from using state resources to influence social media content moderation.

However, while the FDBR is comprehensive, its reach is somewhat limited. It primarily targets the largest tech companies, leaving smaller businesses and certain types of data—like health records and employment-related information—outside its purview. Despite this, the FDBR represents a significant step forward in the fight for data privacy, signaling that Florida is serious about protecting its residents in the digital age.

NY SAFE for Kids Act    

The SAFE for Kids Act requires social media companies to restrict addictive feeds on their websites for users under 18.  Addictive feeds can be allowed when parental consent is granted.  Users may still search for specific topics of interest. The bill also prohibits social media platforms from sending notifications regarding addictive feeds to minors from 12 a.m. to 6 a.m. without parental consent. The legislation will authorize the Office of the Attorney General (OAG) to bring an action to enjoin violations of the new law as well as seek civil penalties of up to $5,000 per violation, among other remedies. And finally, it calls for the establishment of acceptable age verification and parent consent methods, to be determined by the OAG as part of a rulemaking process once the legislation is enacted.

The Act will take effect 180 days after New York’s attorney general promulgates the necessary rules and regulations to effectuate the Act’s provisions. Companies that fail to comply with the Act could be subject to penalties of up to $5,000 per violation.

The New York Child Data Protection Act

This act prohibits online sites from collecting, using, sharing or selling personal data of anyone under the age of 18, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website. It also authorizes the OAG to enforce the law and enjoin and seek damages or civil penalties of up to $5,000 per violation. 

More: 
https://www.theverge.com/2024/6/20/24182396/new-york-governor-social-media-law-parental-consent-algorithms

https://www.huntonak.com/privacy-and-information-security-law/ny-state-legislature-passes-bill-addressing-childrens-use-of-social-media-platforms-pending-governors-signature

Related Resources