The 3 new privacy laws coming in 2024: What website owners need to know

Another year, another batch of new privacy laws to address. 

Three new privacy laws are going into effect in 2024 that businesses and website owners need to know about. While not quite as jarring as the six laws that went into effect in 2023, it’s still more than businesses have had to deal with in years past. 

Protecting a person’s online privacy has become a massive talking point for governments across the globe and this new batch of privacy laws is the latest example of that. To prove they’re taking things more seriously, you just need to look at the drastic rise in privacy-related fines and lawsuits.

Statista found that an estimated €2.1 billion in fines were reported in 2023 for GDPR – about the same as 2020, 2021, and 2022 combined. That’s just one of 13 active privacy laws small business owners need to be aware of (with another 7 coming over the next few years). 

So, what are these laws and how do they apply to you and your website? Glad you asked. Here’s a quick overview of the three privacy laws going into effect this year:

Oregon SB619

Effective date: July 1, 2024

The privacy rights provided to residents of Oregon

The purpose of Oregon SB619 is to protect the privacy of residents of the state and this purpose is achieved through providing individuals residing in Oregon with the following privacy rights: 

1. The right to confirm whether the controller is processing or has processed the consumer’s personal data and the categories of personal data which have been processed; 
2. The right to obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data or any personal data; 
3. The right to receive a copy of all of the consumer’s personal data that the controller has processed or is processing; 
4. The right to correct inaccuracies in the personal data about a consumer; 
5. The right to delete personal data; 
6. The right to opt out of the processing of personal data for the purpose of targeted advertising; 
7. The right to opt out of the sale of personal data; 
8. The right to opt out of the processing of personal data for the purpose of profiling the consumer; 
9. The right to request a copy of personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance; 
10. The right to not be discriminated against based upon the exercise of privacy rights; 
11. The right to appeal a privacy rights decision. 

Organizations subject to this privacy law will have 45 days to respond to a consumer privacy rights request, though this time period may be extended by an additional 45 days if necessary. 

Who needs to comply with Oregon’s privacy law? 

Oregon’s privacy law applies to any person who conducts business in Oregon or who provides products or services to residents of Oregon and that, during a calendar year: 

1. Processors or controls the personal data of 100,000 or more residents of Oregon; or 
2. Processors or controls the personal data of 25,000 or more residents of Oregon and derive 25% or more of annual gross revenue from the sale of personal data. 

The law specifically exempts nonprofits that are established to detect or prevent fraudulent acts in connection with insurance and nonprofits that provide programming to radio or television networks. It is important to note that Oregon SB619 applies to businesses that meet the criteria above regardless of whether they are actually located in Oregon.

The Privacy Policy requirements of Oregon SB619

Organizations that need to comply with Oregon’s privacy law will also need to have a comprehensive and up-to-date Privacy Policy that includes the following disclosures: 

1. The categories of personal data that the controller processes; 
2. The purposes for which personal data is collected and processed; 
3. A description of how consumers can exercise their privacy rights and appeal a privacy rights decision; 
4. All categories of personal data that is shared with third parties; 
5. The categories of third parties with whom personal data is shared; 
6. An email or other online method by which a consumer can contact the controller that the controller actively monitors; 
7. Identification of the controller; 
8. A description of any processing of personal data for the purpose of targeted advertising or profiling and how a consumer can opt out of this type of processing. 

Penalties for failure to comply with Oregon’s privacy law 

Oregon SB619 will be enforced by the Oregon Attorney General who can investigate any violations of the law. The Oregon Attorney General can seek a civil penalty of not more than $7,500 per violation. In this case, “per violation” may mean per website visitor whose privacy rights were infringed upon, which can lead to high fines.

Texas Data Privacy and Security Act

Effective date: July 1, 2024

What privacy rights are provided to residents of Texas by the TDPSA? 

This Texas privacy law was passed to protect the privacy of residents of the State by providing them with the following privacy rights: 

1. Confirm whether a controller is processing the consumer’s personal data and to access that personal data; 
2. Correct inaccuracies in the consumer’s personal data; 
3. Delete personal data provided by or obtained about the consumer; 
4. If the data is in a digital format, obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller; 
5. Opt out of the processing of personal data for targeted advertising; 
6. Opt out of the sale of personal data; 
7. Opt out of the processing of personal data for profiling; 
8. Right to not be discriminated against for exercising privacy rights; 
9. Right to appeal a decision made with regard to privacy rights.

Who needs to comply with this new Texas privacy law? 

The Texas Data Privacy and Security Act is similar to other privacy laws in the sense that a business does not need to be located in the State for the law to apply. The TDPSA applies to any person that conducts business in Texas or produces a product or service consumed by residents of Texas and that processes or engages in the sale of personal data. 

It is important to note that a few types of organizations will not be subject to this law, including: 

1. Nonprofit organizations; and 
2. Small businesses, as defined by the United States Small Business Administration. The Small Business Administration defines “small business” as either an independent business with less than 500 employees or a business that makes under a certain amount of gross revenue per year. While small businesses are exempt from most of the requirements of the TDPSA, according to the law, small businesses may not engage in the sale of sensitive personal data without receiving prior consent from the consumer. 

Texas Data Privacy and Security Act Privacy Policy requirements

One of the obligations that the TDPSA places upon businesses is to provide consumers with a reasonably accessible and clear Privacy Policy that includes the following disclosures: 

1. The categories of personal data processed; 
2. The purpose for processing the personal data; 
3. How consumers can exercise their consumer rights, including how to appeal a privacy rights decision; 
4. The categories of personal data shared with third parties, if any; 
5. The categories of third parties with whom the data is shared, if any; 
6. If a controller engages in the sale of sensitive personal data: “NOTICE: We may sell your sensitive personal data”; 
7. If a controller engages in the sale of biometric personal data: “NOTICE: We may sell your biometric personal data”; 
8. If a controller sells personal data or processes personal data for targeted advertising, the Privacy Policy must state this fact and how a consumer may opt out of such use or sale. 

Businesses that need to comply with this law will need to ensure that their Privacy Policy is updated to reflect these new disclosure requirements prior to the law’s effective date. 

Penalties for not complying with Texas’ new privacy law

The TDPSA will be enforced by the Texas Attorney General who can issue a civil penalty of up to $7,500 per violation. In this case, “per violation” can mean per website visitor whose privacy rights were infringed upon, meaning that fines for non-compliance can add up very quickly.

Montana Consumer Data Privacy Act (MCDPA)

Effective date: October 1, 2024

What privacy rights are provided to residents of Montana by the MCDPA? 

Montana’s privacy law was passed to provide protections to residents of Montana by providing them with the following privacy rights: 

• The right to confirm whether a controller is processing the individual’s personal data and access their data; 
• The right to correct inaccuracies in the consumer’s personal data; 
• The right to delete the consumer’s personal data; 
• The right to obtain a copy of the consumer’s personal data in a portable format that allows the consumer to transmit the personal data to another controller; 
• The right to opt out of targeted advertising; 
• The right to opt out of the sale of the consumer’s personal data; 
• The right to opt out of the use of the consumer’s personal data for profiling in furtherance of solely automated decisions that produce legal similarly significant effects concerning the consumer;
• The right to not be discriminated against for exercising privacy rights. 

Businesses that need to comply with this law will have 45 days to respond to consumer privacy rights requests, which may be extended by an additional 45 days if needed. Consumers will also have the right to appeal any decision made by the business with regard to a privacy rights request.

Who needs to comply with Montana’s new privacy law? 

Similar to other privacy laws, the MCDPA has a broad reach and can apply to businesses outside of Montana. The MCDPA applies to persons that do business in Montana or that produce products or services that are targeted to residents of Montana and meet one or more of the following factors: 

• Control or process the personal data of not less than 50,000 Montana residents (excluding personal data controlled or processed solely for completing payment transactions); or 
• Control or process the personal data of not less than 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data.

Montana Consumer Data Privacy Act Privacy Policy requirements

Montana’s new privacy law requires businesses that need to comply with the law to have a Privacy Policy that includes the following disclosures: 

• The categories of personal data processed; 
• The purpose of processing the personal data; 
• The categories of personal data shared with third parties, if any; 
• The categories of the third parties, if any, with whom the personal data is shared; 
• An active e-mail address or other contact method which consumers can use to contact the controller; 
• How consumers may exercise their privacy rights; 
• How consumers may appeal a decision with regard to their privacy rights requests. 

Businesses will need to ensure that their Privacy Policy is updated with these new disclosures prior to the law’s effective date. 

Penalties for failure to comply with Montana’s new privacy law 

Montana SB384 does not provide a private right of action but will instead be enforced by the Montana Attorney General. Companies will receive a 60 day period in which they can cure a violation of the law, which will end on April 1, 2026. 

Honorable Mention: Utah Consumer Privacy Act

Effective Date: December 31, 2023

Utah’s privacy law barely squeezed itself into the year 2023, but it’s still worth a mention in case you missed it.

You can read the full UCPA compliance guide here.

Do these laws apply to small businesses?

When looking at the criteria listed above, it may seem like some of these laws only apply to larger businesses, but that’s not necessarily the case. These laws can apply to businesses that do not meet the criteria above if they have signed a contract for the processing of data with a company that does need to comply with this law.

It’s also important to note that in cases like Montana’s new bill, numbers like 25,000 and 50,000 may seem like a large number, but many small businesses have website traffic far above those numbers. It’s important to remember that most modern websites collect data like IP addresses from every person who visits the website.

How Termageddon will handle Privacy Policy updates for these new laws? 

We have been tracking these laws from their inception and will continue to track them for any amendments, rules, and regulations that change the requirements of this law.

Prior to their effective dates, we will email our customers to let them know of the updates that we have made to their Privacy Policies to reflect these new requirements.

If you currently do not have a Privacy Policy or do not have a strategy to keep your Privacy Policy up to date with changes such as these, make sure to check out the Termageddon Privacy Policy generator today.