Utah: In March 2022 Utah became home to the fourth data privacy law to pass in the U.S. with its Utah Consumer Privacy Act (UCPA). The law is set to go into effect on Dec. 31, just a day shy of the new year. For data privacy attorneys, the statute was the first to break from the mold its predecessors had set, laying the groundwork for a more business-friendly approach to data privacy compliance, with features such as exemptions for employee data and business-to-business (B2B) data, and doing away with highly contested consumer rights. "Some of the reasons why I think there has been difficulty in passing [data privacy] laws in other states is that really key issues have strong opinions on both sides and they are not able to pass because the fight continues," said Cassandra Gaedt-Scheckter, a partner at Gibson, Dunn & Crutcher. "This [fight] could be regarding the private right of action or the more onerous obligations on businesses, so we might see more states go down this path [of fewer obligations] because it's something both sides end up agreeing on."

Salt Lake City, Utah. Photo: David Crowther/Adobe Stock

Oregon: Oregon passed its own data privacy law, the Oregon Consumer Privacy Act (OCPA) in July, and is preparing for it to go into effect on July 1, 2024. For data privacy experts, the OCPA seemed most similar to Delaware and Colorado's data privacy statutes, albeit with some new provisions of its own. For example, the OCPA places data specific to individuals' transgender and nonbinary status, along with citizenship and immigration status, under the umbrella of sensitive data. Additionally, it incorporates a new category under this data type: status as a victim of crime. The OCPA also cuts back on entity-level exemptions for organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), but does include data-level exemptions for these organizations. "I think that is a nuance that will require organizations to have to closely examine the data they hold to make sure that they're applying those exemptions properly," said Lynn Dupree, leader of Finnegan, Henderson, Farabow, Garrett & Dunner's privacy practice.

Portland, Oregon

Texas: In June, Texas tossed its hat in the data privacy regulation ring with perhaps one of the strictest standards for compliance with the passage of its Texas Data Privacy and Security Act (TDPSA). The statute, which exempts "small businesses," is set to go into effect on July 1, 2024. "The Texas one takes a different approach, and it's something that we haven't seen anywhere else before, which is that it pegs the definition of a small business to the U.S. Small Business Administration's definition, which is not actually that easy to understand intuitively, whether somebody's going to be covered or not," said Ben Rossen, special counsel at Baker Botts and former senior attorney at the Federal Trade Commission. But the "small business" compliance exemption withers when it comes to what the SBA identities as "sensitive data," Rossen noted. The law requires all businesses regardless of size or revenue to obtain opt-in consent from subjects before engaging in the sale of sensitive data. Rossen added: "That's a unique provision in Texas that is going to be potentially burdensome for companies to comply [with] and it really is going to raise the cost of compliance there. … But it shows the strong emphasis on protecting this kind of information that reveals sensitive characteristics."

Credit: Stephen Finn/Adobe Stock

Florida: In June, Gov. Ron DeSantis signed Florida's Digital Bill of Rights into law, making it the 10th U.S. state to join the data privacy patchwork. The law, set to go into effect on July 1, 2024, is considered by some observers to be an outlier from its cohorts. "It's very comprehensive in what it is requiring, but it is very narrow in its applicability about most of those requirements," said Brandon Robinson, a partner at Balch & Bingham. Most significantly, the law puts forth a unique definition of "controller," referring to a for-profit corporation that conducts business in Florida, collects personal data about consumers, makes in excess of $1 billion in global gross revenue, derives 50% of its revenue from the sale of advertising, and operates a smart speaker or runs an app store with at least 250,000 applications. Additionally, the statute also limits government's ability to regulate political content online, forbidding a government entity from communicating with a social media platform to remove content or accounts from their platform, and from having a working relationship with social media platforms for purposes of content moderation.

Credit: Maxim/Adobe Stock

Montana: The Montana Consumer Data Privacy Act (MCDPA) was signed by Gov. Greg Gianforte in May, and is set to go into effect on Oct. 1, 2024. For data privacy experts and observers, the state stood out from its counterparts in that it had a relatively lower compliance threshold, targeting companies processing the personal information of 50,000 or more state consumers or processing the data of 25,000 or more consumers and deriving 25% of gross revenue from the sale of that data. However, observers noted that the threshold is proportionate to the state's size. The law also gives businesses one of the shortest windows to prepare for compliance at 16 months between passage and deadline. In addition to the MCDPA, the state is also pushing a ban on TikTok as well as other social media-specific companies.

Credit: mandritoiu/Adobe Stock