Just in time for the Fourth of July, a new wave of state consumer privacy laws, each containing something to pique your interest, is set to launch.
The Texas Data Privacy and Security Act and the Oregon Consumer Privacy Act will take effect on July 1, 2024, with the Montana Consumer Data Privacy Act taking effect later in the year on October 1, 2024. With five other U.S. state consumer privacy laws already in force (California, Colorado, Connecticut, Utah, and Virginia), it is essential for businesses to understand how these three new laws add to the existing tapestry.
Below we summarize what businesses need to know about the Texas, Oregon, and Montana privacy laws taking effect this year, zeroing in on their provisions that are unique or special.
Privacy Notices and Transparency Requirements
- The Oregon law requires that a business’s privacy notice include how each third party with which the business shares personal information may process such personal information.
- The Oregon law requires that the privacy notice include the business’s name as registered with the Oregon Secretary of State and any assumed business name that the business uses in Oregon.
- The Texas law requires that businesses that sell sensitive personal data or biometric data post an additional, specifically worded notice (“NOTICE: We may sell your sensitive personal data.” and/or “NOTICE: We may sell your biometric personal data.”). The notice must be posted in the same location and in the same manner as the main privacy notice.
Consumer Rights
- Under the Oregon law, consumers have the right to request a list of specific third parties, other than natural persons, to which the business has disclosed personal information. The law allows the business to choose whether to provide a list of third parties to which the business has disclosed (i) the specific requesting consumer’s personal information; or (ii) personal information of consumers generally.
- In all three states, businesses must examine user interfaces for dark patterns used when obtaining consumer consent and remove such dark patterns. Consents obtained using dark patterns will not be effective.
- Under the Texas, Oregon, and Montana laws, a consumer’s authorized agent may submit requests to opt out of the sale of personal information, targeted advertising, and profiling, but may not submit other types of consumer requests on the consumer’s behalf.
- In all three states, consumers must be given a reasonable amount of time to appeal a business’s decision not to honor a consumer request. The business must respond to the appeal within 45 days in Oregon or 60 days in Texas and Montana.
- Under the Texas, Oregon, and Montana laws, businesses that sell personal information or process it for targeted advertising must recognize and honor opt-out preference signals, such as the Global Privacy Control, as a valid opt-out request. This obligation takes effect January 1, 2025 in Texas and Montana and January 1, 2026 in Oregon, later than the laws’ general effective dates.
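Recognizing an opt-out preference signal is ultimately an engineering task, so the following is an added illustration, written for this summary and not taken from MoFo or from the statutes. It relies on the published Global Privacy Control specification: a browser with GPC enabled sends the request header `Sec-GPC: 1`, exposes `navigator.globalPrivacyControl` to page scripts, and a site may declare support at `/.well-known/gpc.json`. Treating a valid signal as an opt-out of both sale and targeted advertising for that visitor, and the `ConsumerState` store it is merged with, are assumptions about how a business might honor the signal, not statutory text.

```python
"""Server-side detection and honoring of a Global Privacy Control signal.

Added example (not MoFo's code, not statutory text). Assumes that honoring
the signal means treating it as an opt-out of sale and targeted advertising
for the visitor who sent it, and that a business keeps a per-consumer record
of opt-outs submitted through other channels (e.g. a "Do Not Sell" form).
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumed mapping of the statutory purposes to internal processing flags.
RESTRICTED_PURPOSES = frozenset({"sale", "targeted_advertising"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid ``Sec-GPC: 1``.

    HTTP header names are case-insensitive, so the lookup normalises them.
    The GPC spec defines the header as a boolean structured field whose only
    meaningful value is "1"; anything else ("0", "true", "yes", "") is not a
    valid signal and is treated as absent rather than guessed at.
    """
    normalised = {name.lower(): value.strip() for name, value in headers.items()}
    return normalised.get("sec-gpc") == "1"


@dataclass(frozen=True)
class ConsumerState:
    """Assumed shape of a stored consumer record."""
    consumer_id: str
    # Opt-outs the consumer already recorded through a form or agent request.
    opted_out: frozenset = frozenset()


def effective_opt_outs(headers: Mapping[str, str],
                       state: Optional[ConsumerState] = None) -> frozenset:
    """Merge stored opt-outs with the browser signal on this request.

    The signal only ever adds opt-outs. A later request that lacks the header
    (a different browser, or GPC switched off) must not silently re-enable
    sale or targeted advertising for a consumer who opted out elsewhere.
    """
    stored = state.opted_out if state is not None else frozenset()
    if gpc_signal_present(headers):
        return stored | RESTRICTED_PURPOSES
    return stored


def may_process(purpose: str, headers: Mapping[str, str],
                state: Optional[ConsumerState] = None) -> bool:
    """Gate a processing activity (e.g. firing an ad-tech pixel) by purpose."""
    return purpose not in effective_opt_outs(headers, state)


def well_known_gpc_document(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, per the GPC spec's site-support resource.

    ``last_update`` is an ISO 8601 date; the caller supplies the date the
    business began honoring the signal (assumed here, not from the page).
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed request headers, not captured traffic.
    gpc_request = {"Host": "example.com", "Sec-GPC": "1"}
    plain_request = {"Host": "example.com"}
    malformed = {"Host": "example.com", "sec-gpc": "true"}
    prior_opt_out = ConsumerState("c-1001", frozenset({"sale"}))

    print("GPC request, targeted ads allowed:",
          may_process("targeted_advertising", gpc_request))          # False
    print("GPC request, first-party analytics allowed:",
          may_process("analytics", gpc_request))                     # True
    print("malformed header counts as a signal:",
          gpc_signal_present(malformed))                             # False
    print("stored opt-out survives a no-signal request:",
          may_process("sale", plain_request, prior_opt_out))         # False
    print(well_known_gpc_document("2025-01-01"))
```

The deliberately narrow check in `gpc_signal_present` matters: a middleware that treats any non-empty `Sec-GPC` value as an opt-out will misclassify traffic, while one that treats a missing header as affirmative consent will undo opt-outs a consumer recorded through another channel. Keeping the merge in `effective_opt_outs` one-directional avoids the second failure.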
Special Considerations for Teens
- Under the Oregon law, if a business has actual knowledge of, or willfully disregards, that a person is at least 13 and no older than 15 years of age, it must obtain consent to sell that person’s personal information or to use it for targeted advertising or for profiling in furtherance of decisions with legal or similarly significant effects.
- Under the Montana law, if a business has actual knowledge of, or willfully disregards, that a person is at least 13 and younger than 16 years of age, it must obtain consent to sell that person’s personal information or to use it for targeted advertising.
- Because both standards reach beyond actual knowledge, businesses should examine whether their practices could be characterized as “willfully disregarding” that a user is under 16 years of age, for example by ignoring age-related signals they already collect.
Information Security
- The Oregon law specifically requires businesses to implement certain administrative, technical, and physical safeguards for personal information (as listed in the Oregon Revised Statutes Section 646A.622), unless they already comply with a state or federal law that provides equal or greater protection.
- The Montana and Texas laws both contain a requirement that a processor must assist a controller in carrying out the controller’s breach notification duties in the event of a data breach.
- Under the Texas and Montana laws, a processor may, in lieu of an audit by the controller, arrange for a qualified and independent assessment of its policies and the technical and organizational measures supporting its obligations under the law. The assessment must use an appropriate and accepted control standard or framework and assessment procedure, and a report of the assessment must be provided to the controller upon request.
Consumer Consent
- The Texas, Oregon, and Montana laws each require a business to obtain consent from individuals before processing their sensitive personal information, with some exceptions. In Oregon and Montana, the consent must be revocable via a mechanism that is at least as easy as the mechanism by which the consumer provided the original consent. Once revoked, the business must discontinue processing the sensitive personal information (unless allowed under the exceptions) within 15 days in Oregon or 45 days in Montana.
Data Protection Assessments
- Under the Texas, Oregon, and Montana laws, a business must conduct and document a data protection assessment before it processes sensitive personal information, sells personal information, or uses personal information for targeted advertising. The assessment must be made available to the attorney general upon request and, in Oregon, must be retained for five years.
Businesses covered by these laws should complete a comprehensive review of the laws to ensure their business practices are ready for the compliance dates. We will continue to monitor developments related to these state privacy laws, and in the interim, please visit MoFo’s U.S. State Privacy Laws Resource Center.
Carson Martinez, associate, contributed to the drafting of this alert.