New State Privacy Laws – July 2024: Stricter Regulations on Sensitive Data Across Oregon, Texas, and Montana

Starting July 1st, 2024, new privacy laws in Oregon and Texas, followed by Montana on October 1st, will impose stringent regulations on sensitive data. Businesses must identify and protect sensitive data to comply with these regulations, avoid fines, and maintain consumer trust. Act now to ensure your business is protected.

As we step further into 2024, businesses that collect or receive consumer data must brace for increasing regulation. Starting July 1st, 2024, Oregon and Texas will enforce new privacy laws, with Montana joining shortly after. These changes introduce more stringent regulations, particularly concerning sensitive data, affecting companies operating across the country. Notably, these laws apply not just to the companies collecting the data but also to companies that receive the data from business partners. The first and most crucial step is correctly identifying what constitutes sensitive data within your organization.

Here’s a comprehensive guide to understanding these new laws, what they entail, and the necessary steps companies must take to ensure compliance.

What’s Changing?

The new privacy laws in Oregon, Texas, and Montana aim to enhance consumer privacy protections and give individuals more control over their personal information. These laws introduce stricter regulations on data collection, usage, and storage practices, emphasizing transparency, consent, and accountability.

The laws continue to set a higher bar for data that is considered “sensitive,” setting rigorous standards for how such data is collected and maintained. Correctly identifying what constitutes sensitive data within your organization is the critical first step to ensuring compliance and maintaining consumer trust. 

New Laws in Summary

Oregon Privacy Law:

  • Transparency: Companies must provide clear and concise privacy notices, detailing what data is collected, how it’s used, and with whom it’s shared.
  • Consent: Explicit consent is required for collecting and processing sensitive data.
  • Data Access and Deletion: Consumers have the right to access their data and request its deletion.
  • Data Security: Businesses must implement robust security measures to protect personal data.

Texas Privacy Law:

  • Data Minimization: Collect only necessary data for specified purposes.
  • Purpose Limitation: Use data solely for the purposes disclosed at the time of collection.
  • Data Protection Impact Assessments (DPIAs): Conduct DPIAs for processing activities that pose high risks to consumer privacy.
  • Third-Party Contracts: Ensure third-party data processors adhere to similar privacy standards.

Montana Privacy Law (Effective October 1, 2024):

  • Consumer Rights: Expanded rights for consumers to correct inaccuracies in their data.
  • Breach Notification: Stricter timelines and requirements for notifying consumers of data breaches.
  • Automated Decision-Making: Transparency around the use of automated decision-making and profiling.

State-Specific Definitions of Sensitive Data

Understanding what constitutes sensitive data under these new laws is crucial for compliance. Here’s how each state defines sensitive data:

Oregon: Sensitive data includes racial or ethnic origin, religious or philosophical beliefs, sexual orientation, health data, genetic data, and biometric data for identification purposes.

Texas: Sensitive data encompasses racial or ethnic origin, religious or philosophical beliefs, health data, genetic data, biometric data for identification, sexual orientation, and precise geolocation.

Montana: Sensitive data refers to racial or ethnic origin, religious beliefs, health data, genetic data, biometric data for identification, sexual orientation, and data concerning a person’s sex life.

Applicability of the Laws

These laws apply not only to companies that collect data but also to any entity that receives data from the collecting company. This includes third-party service providers, partners, and affiliates who process or store consumer data.

The Critical First Step: Identifying Sensitive Data

Correctly identifying sensitive data within your organization is the foundational step toward compliance. Sensitive data requires more rigorous handling, protection, and explicit consent compared to other types of personal information.

Companies that collect or receive data from consumers must adapt to these new regulations to avoid legal repercussions and maintain consumer and business partner trust. Here’s what businesses need to know, especially concerning sensitive data:

Steps to Take for Compliance

  1. Data Mapping and Classification: Conduct thorough data audits to map and classify all data collected, identifying sensitive data accurately.
  2. Review and Update Privacy Policies: Ensure privacy policies are comprehensive, transparent, and easily accessible to consumers, detailing how sensitive data is handled.
  3. Obtain or Confirm Explicit Consent: Implement mechanisms to obtain and document explicit consent for processing sensitive data.
  4. Enhance Data Security: Invest in advanced security measures to protect sensitive data from breaches and unauthorized access.
  5. Educate and Train Staff: Train employees on the importance of data privacy and the specific requirements of the new laws, particularly regarding sensitive data.
  6. Perform Impact Assessments: Regularly conduct data protection impact assessments to identify and mitigate privacy risks.
  7. Update Third-Party Contracts: Ensure all third-party data processors comply with the new regulations.

Risks to Companies Receiving Data

Companies that receive data from collecting companies must also comply with these new laws. Failing to do so can result in severe consequences, including:

  • Fines and Penalties: Regulatory bodies can impose significant fines for non-compliance.
  • Legal Actions: Consumers may file lawsuits against companies for privacy violations.
  • Reputational Damage: Non-compliance can lead to loss of consumer trust and damage to the company’s reputation.
  • Operational Disruptions: Data breaches or regulatory investigations can disrupt business operations and lead to additional costs.

Conclusion

The new privacy laws in Oregon, Texas, and Montana further the shift towards greater consumer privacy protection. For sensitive data, correctly identifying which data within your organization is considered sensitive is the critical first step to ensuring compliance, and it lets you take proactive steps to comply with these regulations. By updating privacy policies, securing explicit consent, enhancing data security, and conducting regular audits and assessments, businesses can navigate these changes effectively and maintain consumer trust.