June 30, 2023
Montana, Texas, and Oregon Legislatures Pass Comprehensive Data Privacy Laws
In May and June, three new states enacted comprehensive consumer data privacy laws. On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act into law, which takes effect on October 1, 2024. On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act into law, with most of its provisions taking effect on March 1, 2024. In June 2023, the Oregon legislature passed the Oregon Consumer Privacy Act. It is currently awaiting Governor Tina Kotek's signature. Assuming the Oregon bill becomes law, it will take effect on July 1, 2024. These are the newest states to enact comprehensive data privacy laws, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, and Tennessee.
The Montana, Oregon, and Texas privacy laws generally impose obligations similar to those under the comprehensive privacy laws that other states have passed. However, there are key distinctions in these laws that can affect a business's data processing. Accordingly, potentially covered businesses should carefully evaluate each law's applicability, disclosure obligations, specific requirements related to opt-out rights, and data protection assessment requirements.
The Montana Consumer Data Privacy Act generally applies to entities that both:
- conduct business in Montana or produce products or services that are targeted to the residents of Montana; and
- control or process the personal data of:
  - at least 50,000 consumers; or
  - at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
The Oregon Consumer Privacy Act applies to any person that conducts business in Oregon or provides products or services to Oregon residents that:
- controls or processes data of 100,000 or more consumers (except to the extent such data is processed solely for the purpose of completing a payment transaction); or
- derives 50% of revenue from selling the data of more than 25,000 consumers.
Unlike the revenue and data volume thresholds in the Montana and Oregon laws, the Texas Data Privacy and Security Act has a small business exclusion. The Texas law generally applies to persons that conduct business in Texas or produce products or services consumed by residents of Texas, and it excludes small businesses as defined by the U.S. Small Business Administration (which applies to businesses with fewer than 500 employees). Further, while the Texas law does not apply broadly to small businesses, it does include a provision prohibiting small businesses from engaging in the sale of sensitive data without receiving prior consent from the consumer. All three new consumer data privacy laws include a number of exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act.
The Texas and Montana privacy laws impose separate responsibilities on "controllers" and "processors." Both acts define a controller as an individual or legal entity that, "alone or jointly with others, determines the purpose and means of processing personal data." A processor "processes personal data on behalf of a controller." Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination. A processor must adhere to the instructions of a controller and assist the controller in meeting its obligations, including obligations related to data security and breach notification, as well as providing the information necessary to enable the controller to conduct and document data protection assessments.
Both the Montana and Texas privacy laws subject controllers to purpose specification and limitation requirements, data security requirements, disclosure requirements, non-discrimination requirements, data protection assessment requirements, and opt-in consent requirements for sensitive data.
All three consumer data privacy laws provide consumers with a number of rights related to their personal data. Consumers, by submitting a request to the controller, have the right to know whether the controller is processing the consumer's personal data, the right to correct inaccuracies, the right to delete their personal data, the right to access the data, and the right to opt out of a controller's processing of personal data for purposes of sale, targeted advertising, or certain profiling.
The Oregon Consumer Privacy Act contains heightened protections (i.e., a requirement that data may not be processed without a consumer's affirmative "opt in" consent) for "sensitive data." This includes personal data revealing racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, gender identity, crime victim status, or citizenship or immigration status, genetic or biometric data, and precise geolocation data. The Oregon Consumer Privacy Act also requires controllers to provide a comprehensive privacy notice.
Notably, none of the three new consumer data privacy laws provide consumers with a private right of action. The attorney general in each state holds the exclusive authority to enforce the law. In Texas and Montana, the attorney general must provide written notice that includes the specific provisions that have been violated and an opportunity to cure the violation. The attorney general must provide 30 days' written notice in Texas and 60 days' written notice in Montana. If the controller or processor fails to cure the violation within the time period, the attorney general may initiate an enforcement action. In Oregon and Texas, the attorney general can seek civil penalties of up to $7,500 for each violation.