Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.
Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the article below, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We have also provided a chart identifying the deadlines.
The Utah Consumer Privacy Act (UCPA), effective December 31, 2023, is one of the more business-friendly data privacy laws passed to date. The law, which is based on the Washington Privacy Act (WPA) model, has one of the highest applicability thresholds of any consumer data privacy law, applying to controllers or processors that (1) conduct business in Utah, (2) have annual gross revenues of $25,000,000 or more, and (3) either process the personal data of 100,000 or more state residents in a calendar year or derive 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents.
Unlike many of the other state data privacy laws, the UCPA does not require consent to process sensitive data but rather requires only notice and an opportunity to opt out. It also does not require controllers to conduct data protection assessments for high-risk processing activities. For more information on the UCPA, see our on-demand webinar.
For more background on all of the consumer data privacy laws passed to date, see our comparison chart.
In Oregon, HB 2052 – enacted in July 2023 – requires data brokers to register with the Department of Consumer and Business Services as of January 1, 2024. The Department published temporary rules in late November. The law defines “data broker” as “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.”
In addition, as of January 1, 2024, data brokers will be required to register with the California Privacy Protection Agency (CPPA) instead of the California Attorney General’s Office. This is one of the changes made to California’s existing data broker law by last year’s Delete Act. Data brokers must register with the CPPA by January 31 following each year in which they meet the definition of a data broker. We wrote more about the Delete Act here.
While on the subject of data broker laws, in case you missed it, Texas’ data broker law (SB 2105), which passed in June 2023 and went into effect September 1, 2023, requires, among other things, a data broker to register with the Secretary of State and post a website notice notifying consumers that it is a data broker. Implementation rules from the Secretary of State are available here. Registration information is available here. The law defines “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.”
Finally, on December 28, 2023, the Colorado Attorney General’s Office published its list of recognized universal opt-out mechanisms (UOOMs). Colorado Privacy Act Rule 5.07 required the Office to publish a public list of recognized UOOMs by January 1, 2024. Controllers subject to the Colorado Privacy Act must recognize those UOOMs by July 1, 2024. The Office’s list identifies one UOOM – the Global Privacy Control. The Office also noted that the “UOOMs on this list are recognized in so far as the UOOM or any authorized implementations meet the requirements of C.R.S. § 6-1-1313 and 4 CCR 904-3, Part 5.”
Utah’s Social Media Regulation Act went into effect on May 3, 2023, but its requirements go into effect on March 1, 2024. In October 2023, the Utah Division of Consumer Protection published proposed implementing rules, which the public can comment on until February 5, 2024. In December, NetChoice filed a lawsuit in Utah federal district court, claiming the law is unconstitutional. NetChoice filed a motion for preliminary injunction on December 20, 2023. For more background on the law, see our blog post here.
On March 29, 2024, the CPPA will be able to enforce the new CCPA regulations that were finalized on March 29, 2023. This comes as a result of a June 2023 trial court ruling that enforcement of any final regulation the CPPA publishes must be stayed for a period of 12 months from the date the regulation becomes final.
March also will be a busy month for consumer health data privacy. The Washington My Health My Data Act’s (MHMD) provisions go fully into force for regulated entities as of March 31, 2024 (with small businesses deferred until June 30, 2024). Although MHMD was effective as of July 23, 2023, many of MHMD’s requirements were delayed until March 31, 2024. For more information on MHMD, see our articles here and here. As we have previously emphasized, businesses need to understand that MHMD is much broader than a typical health data privacy law. For example, MHMD applies to the collection of biometric data and its definition of “consumer health data” is very broad, potentially sweeping in many types of data elements that are not traditionally thought of as being health data. The law also has a private right of action, which significantly increases the risk of noncompliance.
Nevada’s consumer health data privacy law (SB 370) also goes into effect on March 31, 2024. The Nevada law is a more business-friendly version of Washington’s MHMD. For example, the Nevada law does not have a private right of action and contains a narrower definition of consumer health data.
As noted, Washington’s MHMD will fully apply to small businesses as of June 30, 2024.
July will be another busy month for compliance.
First, new consumer data privacy laws will go into effect in Texas, Oregon, and Florida on July 1, 2024.
The Texas Data Privacy and Security Act (HB 4) is based on the WPA model but with some notable differences from other WPA variants. For example, the law contains a unique applicability standard and applies to persons that (1) conduct business in Texas or produce products or services consumed by Texas residents, (2) process or engage in the sale of personal data, and (3) are not small businesses as defined by the United States Small Business Administration. The law also contains unique disclosure requirements for controllers that sell sensitive personal data or biometric data. For more information on the Texas law, see our article here.
The Oregon Consumer Privacy Act (SB 619) also is based on the WPA model and, like Texas, contains some notable differences from other WPA variants. For example, the law contains a unique financial institution entity-level exemption that relies on Oregon state law and not the broader definition of a financial institution found in the Gramm-Leach-Bliley Act (GLBA). The Oregon law also contains a unique definition of biometric data and expands the types of information covered under its definition of sensitive data. Perhaps the most significant distinction is that Oregon residents will be able to obtain, at the controller’s option, “a list of specific third parties, other than natural persons, to which the controller has disclosed: (i) The consumer’s personal data; or (ii) Any personal data.” No other law requires the identification of specific third parties, only the categories of third parties. Starting in July 2025, the law also will apply to nonprofits. For more information on the Oregon law, see our article here.
The Florida “Digital Bill of Rights” (SB 262) has a much narrower applicability than the other state consumer privacy laws and will not apply to the vast majority of businesses. For further analysis of the Florida law, including its unique children’s privacy provisions, see Future of Privacy Forum’s article here.
Louisiana’s social media law also is set to go into effect on July 1, 2024. The law contains provisions similar to the ones found in the Utah Social Media Regulation Act, which, as noted above, is now facing a constitutional challenge in Utah federal court. Louisiana’s law could face a similar challenge before its effective date.
California’s Age Appropriate Design Code Act (AADC) also would have gone into effect on July 1, 2024; however, last September, a California federal district court ruled the AADC is unconstitutional and enjoined it from going into effect. The California Attorney General appealed the ruling to the Ninth Circuit.
In addition, July 1, 2024, is the deadline for two Colorado Privacy Act obligations. First, controllers subject to the Colorado Privacy Act (CPA) must recognize the approved list of universal opt-out mechanisms by this date (i.e., Global Privacy Control). Controllers not only need to recognize this UOOM but CPA Rule 6.03A.4.e also requires controllers to, as of July 1, 2024, provide “an explanation of how requests to opt out using Universal Opt-Out Mechanisms will be processed” in their privacy notices. Second, July 1, 2024, is the deadline for controllers to obtain consent to process sensitive data for any sensitive data the controller collected without valid consent prior to the CPA’s July 1, 2023, effective date.
On September 1, 2024, Texas’ Securing Children Online through Parental Empowerment (SCOPE) Act (HB 18) goes into effect. Among other provisions, the law requires “digital service providers” to register an individual’s age before allowing them to open an account and to develop “and implement a strategy to prevent the known minor’s exposure to harmful material and other content that promotes, glorifies, or facilitates: (1) suicide, self-harm, or eating disorders; (2) substance abuse; (3) stalking, bullying, or harassment; or (4) grooming, trafficking, child pornography, or other sexual exploitation or abuse.”
Last year, Texas lawmakers also passed HB 1181, which requires age verification to view pornographic websites. However, a Texas federal district court found the law unconstitutional and enjoined it from going into effect. The Fifth Circuit subsequently stayed the injunction pending an expedited ruling.
The Montana Consumer Data Privacy Act (SB 384) goes into effect on October 1, 2024. The Montana law closely aligns with the Connecticut Data Privacy Act. Montana was the first Republican-controlled legislature to pass a consumer data privacy bill requiring controllers to recognize universal opt-out mechanisms, providing additional rights for children, sunsetting the right to cure, and adjusting the applicability threshold to take into account a state’s smaller population. For more information on the Montana law, see our article here or Keir Lamont’s summary here.
October 1, 2024 also is the effective date for Connecticut’s first-in-the-nation children’s privacy law (SB 3). The 2023 Connecticut children’s privacy law supplements the 2022 Connecticut Data Privacy Act to provide additional privacy protections for children 13 to 17 years of age. For more information on the children’s privacy law, see our summary here.
On December 31, 2024, the right to cure violations under the Connecticut Data Privacy Act expires.
New consumer data privacy laws are scheduled to go into effect in Delaware and Iowa on January 1, 2025.
Delaware’s law (HB 154) largely tracks Connecticut’s law but with some notable differences. For example, the law applies to nonprofits (joining Colorado and Oregon) and contains a higher age requirement (under 18 versus under 16) for controllers to obtain opt-in consent for the sale of personal data and targeted advertising. For more information on the Delaware law, see our article here.
Iowa’s law (SF 262) is one of the most business-friendly passed to date. The law does not require controllers to provide for the right to correct and it is unclear if it requires controllers to provide a right to opt out of targeted advertising. Like Utah, the Iowa law does not require controllers to obtain consent to collect sensitive data but rather requires only notice and an opportunity to opt out. It also does not require controllers to conduct data protection assessments. For more information on the Iowa law, see our article here.
On January 1, 2025, the right to cure violations under the Colorado Privacy Act expires.
Connecticut, Texas, and Montana
Finally, on January 1, 2025, the Connecticut, Texas, and Montana requirements for controllers to recognize universal opt-out mechanisms will trigger.