As July 1 approaches, businesses need to be prepared to comply with three new state data privacy laws that will become effective: the Tennessee Information Protection Act (TIPA), the Texas Data Privacy and Security Act (TDPSA), and the Oregon Consumer Privacy Act (OCPA).
Tennessee Information Protection Act (TIPA) and Oregon Consumer Privacy Act (OCPA)
The TIPA and the OCPA have thresholds that align with most other state data privacy laws currently in effect. These laws apply to all persons or entities who do business in the respective state and process the personal information of over 100,000 residents of that state or over 25,000 residents if the person or entity derived a certain percentage of their gross revenue from the sale of personal information.
TIPA and OCPA provide exemptions for information collected by a business from its employees, but notably, OCPA does not contain a blanket exemption for nonprofit organizations. Neither TIPA nor OCPA provides a private right of action, as both laws provide for exclusive enforcement authority by the states' respective Attorneys General.
Texas Data Privacy and Security Act (TDPSA)
The TDPSA, on the other hand, sets significantly broader applicability thresholds compared to other state data privacy laws. Businesses are subject to Texas's law if they process or engage in the sale of personal data of any Texas residents and are not small businesses, as defined by the U.S. Small Business Administration.
Unlike other state laws, TDPSA does not set a minimum revenue threshold or a minimum number of consumers from whom an entity must gather personal data to be subject to the law. This means that many businesses are likely to find themselves within the scope of the new Texas law. TDPSA, like TIPA and OCPA, does not afford a private right of action, and the law may only be enforced by Texas's Attorney General.
Going deeper
While many of the compliance requirements imposed by the TIPA, OCPA, and TDPSA align with those found in other state data privacy laws like HIPAA, each law contains nuances that may require subject entities to update their current data privacy compliance programs. The TDPSA, with its broad applicability thresholds, presents a significant challenge for businesses. Businesses must carefully evaluate whether they meet the compliance thresholds for these new laws and take the necessary steps to ensure compliance by the July 1 deadline.
Why it matters
As the July 1 deadline approaches, businesses must prepare to comply with the three new state data privacy laws—TIPA, TDPSA, and OCPA. These laws try to protect the privacy rights of residents in Tennessee, Texas, and Oregon and require businesses to implement rigorous data privacy programs. By understanding the thresholds and compliance requirements of these laws, businesses can take the necessary steps to ensure they are meeting their obligations and protecting the personal information entrusted to them.
Farah Amod
